Managing Security in External Software Dependencies

21 slides. Uploaded by thariyarox, posted 09-Apr-2017. Category: Software.

TRANSCRIPT

Page 1: Managing Security in External Software Dependencies

Managing Security in External Software Dependencies

By Tharindu Edirisinghe

http://www.meetup.com/wso2srilanka/events/233915649/

tharindue.blogspot.com @thariyarox https://lk.linkedin.com/in/ediri [email protected]

Page 2

What is a 3rd Party Library?

"A reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform. The third-party software component market thrives because many programmers believe that component-oriented development improves the efficiency and the quality of developing custom applications. Common third-party software includes macros, bots, and software/scripts to be run as add-ons for popular developing software."

Source : https://en.wikipedia.org/wiki/Third-party_software_component

Page 3

Using 3rd Party Components in Software Development

C# project dependencies in Microsoft Visual Studio

Java project dependencies in IntelliJ IDEA

Page 4

Direct 3rd Party Dependencies

The external software components (developed by some other organization/s) that your project depends on.

Page 5

Direct 3rd Party Dependencies with Known Vulnerabilities

The external software components (developed by some other organization/s) with known vulnerabilities that your project depends on.

Page 6

Transitive 3rd Party Dependencies

The software components that your external dependencies depend on.

Page 7

Transitive 3rd Party Dependencies with Known Vulnerabilities

The software components with known vulnerabilities that your external dependencies depend on.

Page 8

Common Vulnerabilities and Exposures (CVE)

What is CVE? CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

Who owns CVE? CVE is sponsored by US-CERT (United States Computer Emergency Readiness Team) in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security, and the list itself is maintained by The MITRE Corporation.

Source : https://cve.mitre.org/about/faqs.html

Page 9

CVE Example

ID : CVE-2015-5262

Overview : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

Severity : Medium

CVSS (v2) Score : 4.3

Source : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262

Page 10

Common Vulnerability Scoring System (CVSS)

CVSS provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, as well as a textual representation of that score. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Source : https://www.first.org/cvss/specification-document

Page 11

National Vulnerability Database (NVD)

NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.

Source : https://nvd.nist.gov/

Page 12

Using 3rd Party Dependencies Securely - The Big Picture

Diagram nodes as on the slide: NVD, 3rd Party Dependencies, In-house Development.

All the 3rd party dependencies (including transitive 3rd party dependencies) should be checked against NVD to identify known vulnerabilities.

CVEs shown on the slide:

- CVE-2015-5262

- CVE-2014-3577

- CVE-2012-6153

Page 13

Veracode: Software Composition Analysis (SCA)

Source : https://www.veracode.com/products/software-composition-analysis

Page 14

SourceClear (SRC:CLR)

Source : https://srcclr.com/

Page 15

OWASP Dependency Check

Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently Java, .NET, Ruby, Node.js, and Python projects are supported; additionally, limited support for C/C++ projects is available for projects using CMake or autoconf. This tool can be part of a solution to the OWASP Top 10 2013 A9 - Using Components with Known Vulnerabilities.

Source : https://www.owasp.org/index.php/OWASP_Dependency_Check

Page 16

OWASP Dependency Check - Useful Resources

Official Website
https://www.owasp.org/index.php/OWASP_Dependency_Check

Vulnerability Detection
http://dontpanic.42.nl/2014/06/checking-framework-vulnerabilities.html

Command Line Tool (CLI)
https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html
http://tharindue.blogspot.com/2016/10/owasp-dependency-check-cli-analyzing.html

Suppressing False Positives
https://jeremylong.github.io/DependencyCheck/general/suppression.html

Continuous Vulnerability Detection with Jenkins Integration
https://medium.com/@PrakhashS/checking-vulnerabilities-in-3rd-party-dependencies-using-owasp-dependency-check-plugin-in-jenkins-bedfe8de6ba8#.cvgwcptjm

Page 17

OWASP Dependency Check - Demo

- Using Maven plugin for Java based projects

- Using Command Line (CLI) tool for identifying vulnerable dependencies

- Analyzing generated reports

- Suppressing vulnerabilities for avoiding false positives

- Dependency Check integration with Jenkins

More Info : http://tharindue.blogspot.com/2016/10/owasp-dependency-check-cli-analyzing.html

Page 18

Continuous Vulnerability Management in a Corporate Environment

Workflow diagram, nodes as on the slide:

- Request for using a 3rd Party Dependency

- Engineering

- Engineering Management

- NVD

- Vulnerability Analysis Report

- Approval

- Development Team / QA Team / Build Process

- Vulnerability Analysis Report

Page 19

Getting Rid of Vulnerable Dependencies

Diagram nodes as on slide 12: NVD, 3rd Party Dependencies, In-house Development.

- Upgrade direct 3rd party dependencies to a higher version in which the issue is fixed.

- For transitive dependencies, check whether the directly depended-on component has a higher version that depends on a safe version of the transitive dependency. Pinning the transitive dependency to a fixed version from your own build (for example through Maven's dependencyManagement) also works, but only if the direct dependency is compatible with that version.

- Contact the developers of the component and get the issue fixed.

CVEs shown on the slide:

- CVE-2015-5262

- CVE-2014-3577

- CVE-2012-6153
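The direct/transitive definitions on slides 6 and 7 and the remediation rule on slide 19 are easier to see on a concrete graph. The following is an added example in Python, not code from the talk: it resolves a small constructed dependency graph, flags every resolved artifact that matches an advisory together with the direct dependency that pulls it in, and then applies the slide 19 rule by searching for the lowest newer version of that direct dependency whose whole subtree resolves clean. The acme-rest-client artifact, its versions and the registry contents are hypothetical; the HttpClient versions and the three CVEs are the ones on the slides, with CVE-2015-5262's fixed version (4.3.6) taken from slide 9 and the other two fixed versions from their NVD entries.

```python
from collections import deque

# Constructed example data, not from the talk. Names are Maven-style artifactIds;
# acme-rest-client is a hypothetical library that pulls in Apache HttpClient transitively.
DIRECT = [("acme-rest-client", "2.0"), ("commons-lang3", "3.4")]

# (artifact, version) -> the dependencies that version declares (hypothetical registry).
REGISTRY = {
    ("acme-rest-client", "2.0"): [("httpclient", "4.3.4")],
    ("acme-rest-client", "2.1"): [("httpclient", "4.3.5")],  # bumps HttpClient, still vulnerable
    ("acme-rest-client", "2.2"): [("httpclient", "4.5.2")],  # first release with a clean subtree
    ("httpclient", "4.3.4"): [("httpcore", "4.3.2")],
    ("httpclient", "4.3.5"): [("httpcore", "4.3.2")],
    ("httpclient", "4.5.2"): [("httpcore", "4.4.4")],
    ("httpcore", "4.3.2"): [],
    ("httpcore", "4.4.4"): [],
    ("commons-lang3", "3.4"): [],
}

# (artifact, CVE, first fixed version): an artifact is affected when version < fixed version.
# CVE-2015-5262's 4.3.6 is on slide 9; the other two fixed versions are from their NVD entries.
ADVISORIES = [
    ("httpclient", "CVE-2015-5262", "4.3.6"),
    ("httpclient", "CVE-2014-3577", "4.3.5"),
    ("httpclient", "CVE-2012-6153", "4.2.3"),
]


def version_key(version):
    """Ordering for plain dotted-numeric versions. Real Maven/semver ordering
    (qualifiers such as 4.3.6-beta1) needs a proper comparator."""
    return tuple(int(part) for part in version.split("."))


def resolve(roots, registry):
    """Breadth-first walk from the declared (direct) dependencies.
    Returns {artifact: (version, path)}; path is the chain of (artifact, version)
    pairs from the direct dependency down to this artifact, so path[0] is the
    direct dependency responsible for it. The first version seen wins, which is
    the shortest path and approximates Maven's "nearest wins" conflict resolution."""
    resolved = {}
    queue = deque((dep, (dep,)) for dep in roots)
    while queue:
        (name, version), path = queue.popleft()
        if name in resolved:
            continue
        resolved[name] = (version, path)
        for child in registry.get((name, version), []):
            queue.append((child, path + (child,)))
    return resolved


def find_vulnerable(resolved, advisories):
    """Match every resolved artifact (direct or transitive) against the advisories."""
    findings = []
    for name, (version, path) in resolved.items():
        for adv_name, cve, fixed_in in advisories:
            if adv_name == name and version_key(version) < version_key(fixed_in):
                findings.append({"cve": cve, "artifact": name, "version": version,
                                 "fixed_in": fixed_in, "direct": path[0], "path": path})
    return findings


def upgrade_plan(direct, registry, advisories):
    """Slide 19 rule: for each direct dependency whose subtree has a known vulnerability,
    pick the lowest newer version whose whole subtree resolves clean. A value of None
    means no published version is clean and the fix has to come from the component's developers."""
    plan = {}
    for name, version in direct:
        if not find_vulnerable(resolve([(name, version)], registry), advisories):
            continue
        newer = sorted((v for (n, v) in registry if n == name and version_key(v) > version_key(version)),
                       key=version_key)
        clean = [v for v in newer if not find_vulnerable(resolve([(name, v)], registry), advisories)]
        plan[name] = clean[0] if clean else None
    return plan


if __name__ == "__main__":
    for f in find_vulnerable(resolve(DIRECT, REGISTRY), ADVISORIES):
        chain = " -> ".join(f"{n}:{v}" for n, v in f["path"])
        print(f'{f["cve"]}: {f["artifact"]} {f["version"]} (fixed in {f["fixed_in"]}) via {chain}')
    print("upgrade plan:", upgrade_plan(DIRECT, REGISTRY, ADVISORIES))
```

The path in each finding is the piece a scanner report alone does not give you: it tells you that httpclient 4.3.4 is there because of acme-rest-client 2.0, which is what you need to know to pick which direct dependency to bump. Note that the intermediate release 2.1 is rejected because 4.3.5 still falls under CVE-2015-5262; checking the whole subtree again after each candidate upgrade is the point.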

Page 20

Summary

- Identify the external dependencies of your projects

- Identify the vulnerabilities in those dependency components

- Analyze the impact

- Remove false positives

- Prioritize the vulnerabilities based on severity

- Get rid of the vulnerabilities (upgrade versions, use alternatives)

- Provide patches to your products
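The middle steps of this summary (remove false positives, prioritize by severity, decide what blocks a release) are where the corporate workflow on slide 18 lives. The following is an added example in Python, not code from the talk: a small triage function over scanner findings. The findings, sha1 values, file names, the CVE-9999-* placeholder identifiers (a year that no real CVE carries) and all scores other than CVE-2015-5262's 4.3 from slide 9 are constructed. Suppressions match on artifact sha1 plus CVE, the way OWASP Dependency-Check's suppression file identifies a false positive; the expiry date is my own addition so that a suppression gets re-reviewed instead of living forever.

```python
from datetime import date

# Constructed findings in the shape a scanner reports per dependency (not a real report).
# Only CVE-2015-5262's 4.3 is a real score (slide 9); everything else is illustrative.
FINDINGS = [
    {"file": "httpclient-4.3.4.jar", "sha1": "a" * 40, "cve": "CVE-2015-5262", "cvss": 4.3},
    {"file": "httpclient-4.3.4.jar", "sha1": "a" * 40, "cve": "CVE-2014-3577", "cvss": 5.8},
    {"file": "acme-parser-1.2.jar", "sha1": "b" * 40, "cve": "CVE-9999-0001", "cvss": 7.5},
    {"file": "acme-parser-1.2.jar", "sha1": "b" * 40, "cve": "CVE-9999-0002", "cvss": 9.3},
]

# A suppression names the exact artifact (sha1) and CVE, records why, and expires.
# Matching on sha1 rather than file name stops the suppression from silently covering
# a different build of the same jar.
SUPPRESSIONS = [
    {"sha1": "b" * 40, "cve": "CVE-9999-0001", "until": date(2017, 12, 31),
     "notes": "false positive: scanner matched acme-parser to another vendor's product"},
]


def is_suppressed(finding, suppressions, today):
    """True when an unexpired suppression covers this exact artifact and CVE."""
    for s in suppressions:
        if s["sha1"] != finding["sha1"] or s["cve"] != finding["cve"]:
            continue
        if s.get("until") is not None and today > s["until"]:
            continue  # expired: the finding is reported again until someone re-confirms it
        return True
    return False


def triage(findings, suppressions, fail_on_cvss, today=None):
    """Drop suppressed findings, rank the rest by CVSS (highest first) and decide the gate:
    the build passes only if nothing remaining reaches fail_on_cvss."""
    today = today or date.today()
    active = [f for f in findings if not is_suppressed(f, suppressions, today)]
    ranked = sorted(active, key=lambda f: f["cvss"], reverse=True)
    blocking = [f for f in ranked if f["cvss"] >= fail_on_cvss]
    return {"ranked": ranked, "blocking": blocking, "passed": not blocking}


if __name__ == "__main__":
    result = triage(FINDINGS, SUPPRESSIONS, fail_on_cvss=7.0, today=date(2017, 4, 9))
    for f in result["ranked"]:
        flag = "BLOCK" if f in result["blocking"] else "fix  "
        print(f'{flag} {f["cvss"]:4.1f} {f["cve"]} {f["file"]}')
    print("build passed:", result["passed"])
```

Findings below the threshold still come out in the ranked list; the gate only decides what stops the build, not what gets ignored. Everything that remains still needs the "analyze the impact" step, because a Medium in a component that handles untrusted input can matter more than a High in code your product never calls.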

Page 21

THANKS!

tharindue.blogspot.com @thariyarox https://lk.linkedin.com/in/ediri [email protected]