
Software Supply Chain Security and Components with Known Vulnerabilities

Video: https://youtu.be/hYcGFs1H6kU



  1. Software Supply Chain Security. A9: Using Components with Known Vulnerabilities
  2. Agenda
     • OWASP Top 10 2017, A9: Using Components with Known Vulnerabilities
     • Example 1. NodeJS + decompress npm package
     • Example 2. Ruby on Rails + rubyzip gem
     • Recommendations and tools
     • Q&A
  3. Is the Application Vulnerable?
     • You do not know the versions of all components you use
     • Software is vulnerable, unsupported, or out of date
     • You do not scan for vulnerabilities regularly
     • You do not subscribe to security bulletins
     • You do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion
     • Developers do not test the compatibility of updated, upgraded, or patched libraries
     • You do not secure the components' configurations (OWASP Top 10 A6:2017 - Security Misconfiguration)
  4. Example 1. NodeJS + decompress npm package
  5. Example 1. NodeJS + decompress npm package
  6. Example 1. NodeJS + decompress npm package
  7. Example 1. NodeJS + decompress npm package
  8. Example 2. Ruby on Rails + rubyzip gem
  9. Example 2. Ruby on Rails + rubyzip gem
  10. Example 2. Ruby on Rails + rubyzip gem
  11. SAMM 2.0
  12. OWASP Application Security Verification Standard
  13. Tools
     • npm audit
     • Retire.js
     • Vulners agent / nmap / nessus / etc.
     • OWASP Dependency-Check
     • OWASP Dependency-Track
  14. OWASP Dependency-Check
     • https://owasp.org/www-project-dependency-check/
     • Version 5.3.2
     • Command Line
     • Ant Task
     • Maven Plugin
     • Gradle Plugin
     • Jenkins/SBT/Leiningen Plugin
  15. OWASP Dependency-Track
     • Version 3.8.0
     • Intelligent Supply Chain Component Analysis platform
     • Open Source
     • Dashboard
     • API and Integration
  16. OWASP Dependency-Track
  17. Links
     • https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/
     • https://owasp.org/www-project-dependency-check/
     • https://owasp.org/www-project-dependency-track/
     • https://owasp.org/www-project-application-security-verification-standard/
     • https://owasp.org/www-project-samm/
  18. Q&A
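The first three checklist items on slide 3 (know every component version, scan regularly, compare against advisories) are exactly what the tools on slide 13 automate. The following is an added example, not code from the talk or from any OWASP project: it builds a component inventory from a Ruby `Gemfile.lock` and an npm `package-lock.json` (both constructed inline), then matches the pinned versions against a hand-written advisory list. The advisory identifiers are placeholders and the `fixed_in` versions are illustrative, not real advisory data; a real scan would pull them from a vulnerability feed, which is what `npm audit` and OWASP Dependency-Check do.

```python
"""Minimal software-composition check: lockfile inventory + advisory match.

Added example for slides 3 and 13. All sample data below is constructed;
advisory ids are placeholders and fixed_in versions are illustrative only.
"""
import json
import re

# Constructed Gemfile.lock excerpt. Direct specs are indented 4 spaces with a
# pinned version in parentheses; their sub-dependencies use 6 spaces.
GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    rails (5.2.3)
      actionpack (= 5.2.3)
    rubyzip (1.2.1)
    nokogiri (1.10.4)

PLATFORMS
  ruby
"""

# Constructed lockfileVersion 1 package-lock.json.
PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 1,
    "dependencies": {
        "decompress": {"version": "4.2.0"},
        "express": {"version": "4.17.1"},
    },
})

# Constructed advisory list: a component is affected if its pinned version
# is older than fixed_in. Ids and versions are placeholders, not real data.
ADVISORIES = [
    {"ecosystem": "rubygems", "package": "rubyzip", "fixed_in": "1.3.0", "id": "ADVISORY-PLACEHOLDER-1"},
    {"ecosystem": "npm", "package": "decompress", "fixed_in": "4.2.1", "id": "ADVISORY-PLACEHOLDER-2"},
    {"ecosystem": "npm", "package": "express", "fixed_in": "4.0.0", "id": "ADVISORY-PLACEHOLDER-3"},
]

_GEM_SPEC = re.compile(r"^ {4}(\S+) \(([^)]+)\)$", re.MULTILINE)


def parse_gemfile_lock(text):
    """Return {gem_name: version} for the directly resolved specs."""
    # Platform suffixes such as "1.10.4-x86_64-linux" are trimmed to the version.
    return {name: ver.split("-")[0] for name, ver in _GEM_SPEC.findall(text)}


def parse_package_lock(text):
    """Return {package_name: version}; handles lockfileVersion 1, 2 and 3."""
    data = json.loads(text)
    inventory = {}
    # v2/v3: flat "packages" map keyed by install path under node_modules/.
    for path, meta in data.get("packages", {}).items():
        if path.startswith("node_modules/") and "version" in meta:
            inventory[path.split("node_modules/")[-1]] = meta["version"]

    # v1: nested "dependencies" tree; walk it so transitive packages count too.
    def walk(deps):
        for name, meta in deps.items():
            if "version" in meta:
                inventory.setdefault(name, meta["version"])
            walk(meta.get("dependencies", {}))

    walk(data.get("dependencies", {}))
    return inventory


def parse_version(v):
    """Split a dotted version into integer parts; non-numeric parts count as 0."""
    parts = []
    for p in v.split("-")[0].split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return parts


def version_lt(a, b):
    """True if version a is strictly older than b ("1.3" equals "1.3.0")."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + [0] * (n - len(pa)) < pb + [0] * (n - len(pb))


def find_vulnerable(inventory, advisories):
    """Match an {ecosystem: {name: version}} inventory against advisories."""
    findings = []
    for adv in advisories:
        current = inventory.get(adv["ecosystem"], {}).get(adv["package"])
        if current is not None and version_lt(current, adv["fixed_in"]):
            findings.append({"ecosystem": adv["ecosystem"], "package": adv["package"],
                             "version": current, "fixed_in": adv["fixed_in"], "id": adv["id"]})
    return findings


def scan(gemfile_lock_text, package_lock_text, advisories=ADVISORIES):
    """Build the inventory from both lockfiles and return the affected components."""
    inventory = {"rubygems": parse_gemfile_lock(gemfile_lock_text),
                 "npm": parse_package_lock(package_lock_text)}
    return find_vulnerable(inventory, advisories)


if __name__ == "__main__":
    for f in scan(GEMFILE_LOCK, PACKAGE_LOCK):
        print(f"{f['ecosystem']}/{f['package']} {f['version']} < {f['fixed_in']} ({f['id']})")
```

Run against the constructed data the scan flags `rubyzip` and `decompress` and leaves `express` alone because its pinned version is already at or above the placeholder `fixed_in`. The inventory dictionaries are the answer to the first checklist item on slide 3; wiring the scan into CI and swapping the constructed advisory list for a live feed covers the next two.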
