4. What the talk is about
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide
not-for-profit charitable organization focused on improving the security of
software. Our mission is to make software security visible, so that
individuals and organizations worldwide can make informed decisions about
true software security risk.
5. What is security?
Let’s not go there…
There are endless answers to this question, and they all depend on context.
However...
6. The OWASP top 10
The OWASP Top Ten is a powerful awareness document for web application security. The OWASP
Top Ten represents a broad consensus about what the most critical web application security
flaws are. Project members include a variety of security experts from around the world who have
shared their expertise to produce this list.
#9:
The OWASP Top 10 2013 contains a new entry: A9 - Using Components with Known Vulnerabilities
7. Making an application
ls -lh myapp.tar.gz
… 79M
mylibs are about 1.2 MB
minus generated content: our own hand-written code is << 1 MB
i.e. the majority of the running codebase is third-party code,
open- or closed-source.
10. To the rescue: Dependency Check
The core engine contains a series of analyzers that inspect the project
dependencies and collect pieces of information about them (referred to as
evidence within the tool). The evidence is then used to identify the
Common Platform Enumeration (CPE) for the given dependency. If a CPE is
identified, the associated Common Vulnerabilities and Exposures (CVE)
entries are listed in a report.
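As an added illustration (not Dependency Check's own code), the following small Python model walks through the evidence-to-CPE-to-CVE flow sketched above: conflicting evidence from a manifest and a pom is resolved by confidence, the best values are matched against a CPE dictionary, and CVEs are selected by version range. All vendor, product, CPE and CVE values are constructed placeholders.

```python
# Toy model of the evidence -> CPE -> CVE pipeline. All vendors, products,
# CPE entries and CVE ids below are constructed placeholders, not real data.
import re

# Constructed evidence, as an analyzer would pull it from a JAR's MANIFEST.MF
# and pom.xml: (source, kind, value, confidence 1..3, higher is better).
EVIDENCE = [
    ("manifest", "vendor",  "Acme Software", 2),
    ("manifest", "product", "WidgetLib",     2),
    ("manifest", "version", "1.4.0",         1),   # stale manifest entry
    ("pom",      "vendor",  "acme",          3),
    ("pom",      "product", "widgetlib",     3),
    ("pom",      "version", "1.4.2",         3),
]

# Constructed CPE dictionary keyed by (vendor, product, version).
CPE_DICT = {("acme", "widgetlib", "1.4.2"), ("acme", "widgetlib", "1.5.0")}

# Constructed CVE records: a product is affected while version < fixed_in.
CVE_DB = [
    {"id": "CVE-0000-0001 (placeholder)", "vendor": "acme", "product": "widgetlib", "fixed_in": "1.4.1"},
    {"id": "CVE-0000-0002 (placeholder)", "vendor": "acme", "product": "widgetlib", "fixed_in": "1.5.0"},
]

def normalize(value):
    """Fold an evidence string into a CPE-style token: lower-case, '_' for separators."""
    return re.sub(r"[^a-z0-9.]+", "_", value.strip().lower()).strip("_")

def version_tuple(v):
    """'1.4.2' -> (1, 4, 2) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def best_evidence(evidence):
    """Pick the highest-confidence value for each kind (vendor/product/version)."""
    best = {}
    for _src, kind, value, conf in evidence:
        if kind not in best or conf > best[kind][1]:
            best[kind] = (normalize(value), conf)
    return {kind: val for kind, (val, _conf) in best.items()}

def identify_cpe(evidence, cpe_dict=CPE_DICT):
    """Return the CPE string matching the evidence, or None when nothing matches."""
    ev = best_evidence(evidence)
    key = (ev.get("vendor"), ev.get("product"), ev.get("version"))
    return "cpe:2.3:a:%s:%s:%s" % key if key in cpe_dict else None

def find_cves(cpe, cve_db=CVE_DB):
    """List CVE ids for the CPE's vendor/product whose fix is newer than our version."""
    if cpe is None:
        return []
    _, _, _, vendor, product, version = cpe.split(":")
    return [c["id"] for c in cve_db
            if (c["vendor"], c["product"]) == (vendor, product)
            and version_tuple(version) < version_tuple(c["fixed_in"])]

def analyze(evidence):
    """Full pipeline for one dependency: (identified CPE or None, list of CVE ids)."""
    cpe = identify_cpe(evidence)
    return cpe, find_cves(cpe)
```

A dependency whose evidence matches no CPE yields `(None, [])`, which is exactly the silent miss (or, with sloppy normalisation, the false positive) that the Pro/Con slide later warns about.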
11. Language support
Currently Java, .NET, Ruby, Node.js, and Python projects are supported;
additionally, limited support for C/C++ projects is available for projects using
CMake or autoconf.
16. Pro / Con
Vulnerability awareness.
Dependency awareness: why are the dependencies there? Do I really need them?
Can create panic.
Will have false positives, which can make people blind to the real findings.