This is the slides of the presentation done in "WSO2 Jaffna: Integrating Security Into Software Development Life Cycle" event. http://www.meetup.com/wso2srilanka/events/233915649/
Managing Security in External Software Dependencies
1. Managing Security in External
Software Dependencies
By Tharindu Edirisinghe
http://www.meetup.com/wso2srilanka/events/233915649/
tharindue.blogspot.com @thariyarox https://lk.linkedin.com/in/ediri ediri@live.com
2. What is a 3rd Party Library ?
A reusable software component developed to be either freely distributed or sold by
an entity other than the original vendor of the development platform.
The third-party software component market thrives because many programmers
believe that component-oriented development improves the efficiency and the
quality of developing custom applications. Common third-party software includes
macros, bots, and software/scripts to be run as add-ons for popular developing
software.
Source : https://en.wikipedia.org/wiki/Third-party_software_component
3. Using 3rd Party Components in Software Development
C# project dependencies in
Microsoft Visual Studio
Java project dependencies in IntelliJ Idea
4. Direct 3rd Party Dependencies
The external software components (developed by some other organization/s) that
your project depends on.
5. Direct 3rd Party Dependencies with Known Vulnerabilities
The external software components (developed by some other organization/s) with
known vulnerabilities that your project depends on.
6. Transitive 3rd Party Dependencies
The software components that your external dependencies depend on.
7. Transitive 3rd Party Dependencies with Known Vulnerabilities
The software components with known vulnerabilities that your external
dependencies depend on.
8. Common Vulnerabilities and Exposures (CVE)
What is CVE ?
CVE is a list of information security vulnerabilities and exposures that aims to
provide common names for publicly known cyber security issues. The goal of CVE
is to make it easier to share data across separate vulnerability capabilities (tools,
repositories, and services) with this "common enumeration."
Who owns CVE ?
CVE is sponsored by US-CERT (United States Computer Emergency Readiness
Team) the office of Cybersecurity and Communications at the U.S. Department of
Homeland Security.
Source : https://cve.mitre.org/about/faqs.html
9. CVE Example
ID : CVE-2015-5262
Overview :
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents
HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during
an SSL handshake, which allows remote attackers to cause a denial of service
(HTTPS call hang) via unspecified vectors.
Severity: Medium
CVSS Score: 4.3
Source : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
10. Common Vulnerability Scoring System (CVSS)
CVSS provides a way to capture the principal characteristics of a vulnerability, and
produce a numerical score reflecting its severity, as well as a textual
representation of that score. The numerical score can then be translated into a
qualitative representation (such as low, medium, high, and critical) to help
organizations properly assess and prioritize their vulnerability management
processes.
Source : https://www.first.org/cvss/specification-document
11. National Vulnerability Database (NVD)
NVD is the U.S. government repository of standards based vulnerability
management data represented using the Security Content Automation Protocol
(SCAP). This data enables automation of vulnerability management, security
measurement, and compliance. NVD includes databases of security checklists,
security related software flaws, misconfigurations, product names, and impact
metrics.
Source : https://nvd.nist.gov/
12. Using 3rd Party Dependencies Securely - The Big Picture
NVD
3rd Party Dependencies
In-house Development
All the 3rd party dependencies (including 3rd party transitive dependencies)
should be checked in NVD for identifying vulnerabilities.
CVE-2015-5262
CVE-2014-3577
CVE-2012-6153
15. OWASP Dependency Check
Dependency-Check is a utility that identifies project dependencies and checks if
there are any known, publicly disclosed, vulnerabilities. Currently Java, .NET,
Ruby, Node.js, and Python projects are supported; additionally, limited support for
C/C++ projects is available for projects using CMake or autoconf. This tool can be
part of a solution to the OWASP Top 10 2013 A9 - Using Components with Known
Vulnerabilities.
Source : https://www.owasp.org/index.php/OWASP_Dependency_Check
17. OWASP Dependency Check - Demo
- Using Maven plugin for Java based projects
- Using Command Line (CLI) tool for identifying vulnerable dependencies
- Analyzing generated reports
- Suppressing vulnerabilities for avoiding false positives
- Dependency Check integration with Jenkins
More Info : http://tharindue.blogspot.com/2016/10/owasp-dependency-check-cli-analyzing.html
18. Continuous Vulnerability Management in a Corporate Environment
Request for using
3rd Party
Dependency
Engineering
Engineering Management
NVD
Vulnerability
Analysis Report
Approval
Development Team QA Team
Builder
Process
Vulnerability
Analysis Report
19. Getting Rid of Vulnerable Dependencies
NVD
3rd Party Dependencies
In-house Development
- Upgrade direct 3rd party dependencies to a higher version
- For transitive dependencies, check if the directly dependent component has a higher version that
depends on a safer version of the transitive dependency.
- Contact the developers of the component and get the issue fixed.
CVE-2015-5262
CVE-2014-3577
CVE-2012-6153
20. Summary
- Identify the external dependencies of your projects
- Identify the vulnerabilities in the dependency software components.
- Analyze the impact
- Remove false positives
- Prioritize the vulnerabilities based on the severity
- Get rid of vulnerabilities (upgrade versions, use alternatives)
- Provide patches to your products