In recent months we have seen several critical security threats caused by third-party libraries used in software products and services; Heartbleed and POODLE are good examples, but the problem does not stop there, because cloud application development consumes a huge number of external third-party components and so the threat landscape is large. These threats will never stop, since new attack vectors will keep appearing in open source and external components; what matters is how we handle the risks that come with these third-party libraries.
5. About me
Defensive Security Professional having 10+ years of experience
Specialize in Secure SDLC implementation
Building security strategy for the organization
Threat Modeling/Secure Code Review/Penetration Testing/Security Test Automation
Secure Coding Trainer, Security QA Testing Trainer, Speaker
SAFECode & Null Singapore
6. At least 75% of organizations rely on open source as the foundation of their applications.
The (Maven) Central Repository, the largest source of open source components for developers, handled thirteen billion download requests in a year.
Is open source important?
Reference - Sonatype
9. More than 80 per cent of a typical software application is comprised of open source components and frameworks.
Collectively, Global 500 organizations downloaded more than 2.8 million insecure components in one year.
There were more than 46 million downloads of insecure versions of the 31 most popular open source security libraries and web frameworks.
Quantitative Analysis
Reference - Sonatype
11. 44% of enterprises have no policies governing open source component use in their app development.
77% of those that have adopted open source component policies have never banned a single component.
79% do not need to prove they are using components free of security vulnerabilities.
63% fail to monitor for changes in vulnerability data for open source software components.
Survey Results
Reference - Sonatype
12. Open source components may carry vulnerabilities such as:
Execution of arbitrary code
XSS
Injection
Denial of Service
Insecure cryptographic functions, and more
Why should we take this seriously?
15. Java Deserialization vulnerability
“combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).”
http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
Recent Vulnerabilities
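The slide above describes the Java problem: a deserializer that will instantiate any class on the classpath. The standard defensive pattern is to restrict which classes the deserializer may resolve (Java 9+ offers ObjectInputFilter for this). The block below is an added example, not from the slides or the linked article, showing the same allowlist pattern in Python's pickle module, which has the identical weakness. The ALLOWED set, the sample payloads and the helper names are constructed for the example.

```python
"""Added example: allowlist-based deserialization, the defensive pattern for
the "deserializer instantiates any class on the classpath" weakness.

Python's pickle has the same problem as Java serialization: a payload can
name any importable class and the loader will resolve and call it.  The
fix is a look-ahead check on every class reference before it is resolved.
"""
import collections
import datetime
import io
import pickle

# Constructed allowlist: the only (module, name) pairs the application
# expects to see in serialized data.  Plain containers and scalars (dict,
# list, str, int, ...) are built from opcodes and never reach find_class.
ALLOWED = {("datetime", "date")}


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any class that is not explicitly allowlisted."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED:
            return super().find_class(module, name)
        # Raising here aborts loading before the class is instantiated.
        raise pickle.UnpicklingError(
            f"refusing to deserialize {module}.{name}: not on the allowlist")


def safe_loads(data: bytes):
    """Deserialize `data` with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_or_reject(data: bytes):
    """Return (True, value) when the payload is accepted, (False, reason) otherwise."""
    try:
        return True, safe_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample payloads, as an application might receive them.
BENIGN_PAYLOAD = pickle.dumps({"user": "alice", "roles": ["reader"]})
ALLOWED_CLASS_PAYLOAD = pickle.dumps(datetime.date(2024, 1, 1))
# OrderedDict is harmless, but it is not on the allowlist, so it stands in
# for any unexpected class reference a payload might carry.
UNEXPECTED_CLASS_PAYLOAD = pickle.dumps(collections.OrderedDict(a=1))


if __name__ == "__main__":
    for label, payload in [("benign", BENIGN_PAYLOAD),
                           ("allowed class", ALLOWED_CLASS_PAYLOAD),
                           ("unexpected class", UNEXPECTED_CLASS_PAYLOAD)]:
        ok, result = load_or_reject(payload)
        print(f"{label:16} -> {'accepted' if ok else 'rejected'}: {result}")
```

The check happens in find_class, which the loader calls for every class reference before anything is instantiated, so an unexpected class is rejected without its constructor or any of its methods ever running; that is the property a Java ObjectInputFilter provides for readObject.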
18. Don’t know which components are vulnerable
Don’t know how to check a component before using it
No mechanism to keep the vulnerability status up to date
Lack of a preventive mechanism
Challenges for the developers
22. Centralize the component repository
Integrate with the build process
Keep the vulnerability database updated
Generate automated alerts for any critical issues
Continuous Testing
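The slide above lists the pieces of a component-security process; the following is an added example (not from the slides or any Sonatype tool) of the build-integration step. It parses a Maven dependency list, matches each coordinate against a local copy of a vulnerability database, and returns a non-zero exit status when a component at or above the severity threshold is found, which is what makes the build fail. The vulnerability records, the dependency list and the EXAMPLE-000x identifiers are constructed for the example; a real pipeline would pull the records from a feed such as the NVD and the dependency list from `mvn dependency:list`.

```python
"""Added example: a build-time component policy check.

Assumed inputs: the text output of `mvn dependency:list` and a list of
vulnerability records with Maven-style version ranges ("[1.0,2.3)").
Everything below is constructed sample data, not real advisories.
"""
import re

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed vulnerability database (identifiers are placeholders).
VULN_DB = [
    {"group": "org.example", "artifact": "serial-utils", "affected": "[1.0,2.3)",
     "severity": "CRITICAL", "id": "EXAMPLE-0001", "title": "unsafe deserialization"},
    {"group": "org.example", "artifact": "web-core", "affected": "(,3.1.4]",
     "severity": "MEDIUM", "id": "EXAMPLE-0002", "title": "reflected XSS"},
    {"group": "org.example", "artifact": "crypto-lite", "affected": "[0.9,1.0]",
     "severity": "HIGH", "id": "EXAMPLE-0003", "title": "weak default cipher"},
]

# Constructed `mvn dependency:list` output (group:artifact:type:version:scope).
DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.example:serial-utils:jar:2.1:compile
[INFO]    org.example:web-core:jar:3.2.0:compile
[INFO]    org.example:crypto-lite:jar:1.0:runtime
[INFO]    org.example:logging:jar:5.0.1:compile
"""

DEP_RE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+):\w+\s*$")
RANGE_RE = re.compile(r"^([\[(])\s*([^,]*?)\s*,\s*([^\]\)]*?)\s*([\])])$")


def parse_version(version: str) -> tuple:
    """Split on dots/dashes; numeric parts compare as ints, others as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", version))


def in_range(version: str, spec: str) -> bool:
    """True when `version` falls inside a Maven range such as "[1.0,2.3)" or "(,3.1.4]"."""
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported range: {spec}")
    lo_inclusive, lo, hi, hi_inclusive = m.group(1) == "[", m.group(2), m.group(3), m.group(4) == "]"
    v = parse_version(version)
    if lo:
        low = parse_version(lo)
        if v < low or (v == low and not lo_inclusive):
            return False
    if hi:
        high = parse_version(hi)
        if v > high or (v == high and not hi_inclusive):
            return False
    return True


def parse_dependency_list(text: str) -> list:
    """Extract (group, artifact, version) triples from dependency:list output."""
    return [m.groups() for m in map(DEP_RE.match, text.splitlines()) if m]


def check_dependencies(text: str, db=VULN_DB) -> list:
    """Return one finding per (dependency, matching vulnerability record)."""
    findings = []
    for group, artifact, version in parse_dependency_list(text):
        for rec in db:
            if (rec["group"], rec["artifact"]) == (group, artifact) and in_range(version, rec["affected"]):
                findings.append({"component": f"{group}:{artifact}:{version}",
                                 "id": rec["id"], "severity": rec["severity"],
                                 "title": rec["title"]})
    return findings


def build_should_fail(findings: list, threshold: str = "HIGH") -> bool:
    """Policy gate: fail when any finding is at or above the threshold severity."""
    limit = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK[f["severity"]] >= limit for f in findings)


if __name__ == "__main__":
    found = check_dependencies(DEPENDENCY_LIST)
    for f in found:
        print(f"{f['severity']:8} {f['id']} {f['component']}: {f['title']}")
    raise SystemExit(1 if build_should_fail(found) else 0)
```

Wiring this into the build is the enforcement point the slide asks for: run it after dependency resolution and let the non-zero exit status stop the pipeline. Keeping the database refresh separate from the build (a scheduled job that replaces VULN_DB's backing file) is what turns a one-off scan into the continuous monitoring the later slides describe.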
23. Secure-SDLC – Enforcement point
[Diagram: SDLC phases Requirements, Design, Development, Build and Deploy, Staging, Production, with the controls shown at the enforcement points: Security Policy, Threat Modeling, Repository, SCM Tools, SCA Tools/IDE Plugins, External Repositories, Security Test Automation, VS/PT/IAST, Components Monitoring, Production Monitoring, firewall, National Vulnerability Database]
24. Continuous Testing - In a Nutshell
[Diagram: Login, Build Environment, Integrate With Build, Upload to Server, Execute Scan, Generate Report, Reporting Server, SA Audit and Re-upload, Developers Fix Vulnerabilities]