TypeScript for Alfresco and CMIS - Alfresco DevCon 2012 San Jose
Se está descargando tu SlideShare.
×
Eche un vistazo a continuación
Más Contenido Relacionado
Presentaciones para usted (20)
Similares a Are you using an opensource library? There's a good chance you are vulnerable... by Bruno Bossola (20)
Más de Codemotion (20)
Más reciente (20)
Are you using an opensource library? There's a good chance you are vulnerable... by Bruno Bossola
- 1. Are you using an open source library? Bruno Bossola ROME - APRIL 13/14 2018
- 2. `@bbossola About me ● Developer 1988+ ● XP coach 2000+ ● Co-founder Jug Torino
- 3. `@bbossola Agenda ● Three cases of exploits ● Why do we use opensource libraries? ● What is a vulnerability? ● Sample exploit of CVE-2017-7525 ● Preventive measures ● Common delusions ● Conclusions ● QA
- 4. `@bbossola 11/2016 - San Francisco MTA CVE-2015-4852
- 5. `@bbossola 03/2017 - Canada Revenue Ag CVE-2017-5638
- 6. `@bbossola 05/2017 - Equifax CVE-2017-5638 (yes, again!)
- 7. `@bbossola Why open source libraries??? ● you want to deliver code fast ● you do not rewrite code that's already available – logging – serialisation for JSON / XML – communication via common protocols – web frameworks – client frameworks ● you need state-of-the-art algorithms – encryption library like Bouncycastle – recommendations library like librec ● Eighty percent of the code in today’s applications come from libraries and frameworks
- 8. `@bbossola How are libraries used? Direct dependencies +- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE | +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE | | +- org.springframework:spring-core:jar:4.3.9.RELEASE | | - org.yaml:snakeyaml:jar:1.17:runtime | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8 | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8 | | - com.fasterxml.jackson.core:jackson-core:jar:2.8.8 - ch.qos.logback:logback-classic:jar:1.1.11 +- ch.qos.logback:logback-core:jar:1.1.11 - org.slf4j:slf4j-api:jar:1.7.25
- 9. `@bbossola How are libraries used? Transitive dependencies +- org.springframework.boot:spring-boot-starter-web:jar:1.4.7.RELEASE | +- org.springframework.boot:spring-boot-starter:jar:1.4.7.RELEASE | | +- org.springframework:spring-core:jar:4.3.9.RELEASE | | - org.yaml:snakeyaml:jar:1.17:runtime | +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.8 | | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.8.8 | | - com.fasterxml.jackson.core:jackson-core:jar:2.8.8 - ch.qos.logback:logback-classic:jar:1.1.11 +- ch.qos.logback:logback-core:jar:1.1.11 - org.slf4j:slf4j-api:jar:1.7.25
- 10. `@bbossola CVE-2017-17485 A simplified view :) Sample project 1.0 spring-boot 1.4.7 spring-core 4.3.9 snakeyaml 1.17 logback 1.1.11 slf4j 1.7.25 jackson 2.8.8 CVE-2017-5929 CVE-2018-5968 CVE-2017-15095 CVE-2017-7525 Images courtesy of 1001freedownloads.com
- 11. `@bbossola What is a vulnerability? A weakness in a library that will allow an attacker to compromise the underlying system. You may incorporate a vulnerability even if you are using an old version of a library, maybe because you did not upgrade to a major release. Examples: ● vert.x 3.5.1 (latest on 10/04/2018) ● struts 2.5.16 (latest on 10/04/2018) ● spring boot 1.5.9 (released on 09/2017)
- 12. `@bbossola Demo Exploiting CVE-2017-7525: how to remotely execute java code – Starring ● Jackson-Databind ● Your server – Supporting actors ● JSON deserialisation ● Xalan
- 13. `@bbossola Preventive measures ● Integrate a library scan in your CI/CD ● Different options available – big commercial powerhouses ● blackducksoftware – small commercial targeted solutions ● bithound.io (nodejs) ● hakiri.io (ruby) ● meterian.io (java) – opensource options ● dependency-check ● github SHAMELESS PLUG! Images courtesy of freepik.com WARNING!!! SHAMELESS PLUG HERE!
- 14. `@bbossola Preventive measures What a detection system would have said?
- 15. `@bbossola Common delusions Images courtesy of freepik.com “Hello, I am the tech savvy engineering leader!"
- 16. `@bbossola Common delusions - 1 Images courtesy of freepik.com “My code is not using that function, I am perfectly safe"
- 17. `@bbossola Common delusions - 2 Images courtesy of freepik.com “I am shielded by my input validation, I am perfectly safe”
- 18. `@bbossola Common delusions - 3 Images courtesy of freepik.com “I am running a periodic penetration test, I am safe”
- 19. `@bbossola Conclusions ● Every project uses open source libraries ● Exploits for common vulnerabilities in open source libraries are out there ● They are easily exploitable (c'mon, I did one in two hours!!!) ● The only solution that can work is putting in place a prevention mechanism ● DO IT NOW!
- 20. `@bbossola Q&A Public datatabases: https://cve.mitre.org/ https://nvd.nist.gov/ The code used today: https://github.com/bbossola/vulnerability-java-samples OWASP dependency-check: https://www.owasp.org/index.php/OWASP_Dependency_Check Meterian: https://www.meterian.io
