[OWASP Poland Day] A study of Electron security
Le téléchargement de votre SlideShare est en cours.
×
Consultez-les par la suite
Suggestions
Plus De Contenu Connexe
Diaporamas pour vous (20)
Les utilisateurs ont également aimé (20)
Similaire à Stranger Danger: Securing Third Party Components (Tech2020) (20)
Plus par Guy Podjarny (17)
Plus récents (20)
Stranger Danger: Securing Third Party Components (Tech2020)
- 1. snyk.io Stranger Danger Guy Podjarny, Snyk @guypod
- 2. snyk.io Open Source Is Awesome Share Your Work Reuse What Others Built Focus on Creating Your Own New Thing
- 3. snyk.io Open Source Usage Has Exploded
- 4. snyk.io 78% of Enterprises use Open Source
- 5. snyk.io Is Security a Concern When Adopting OSS? Number 1 concern: 13% Number 2 concern: 29% Number 3 concern: 21% (Total: 63%) Source: Wipro
- 6. snyk.io Open Source != Closely Inspected
- 7. snyk.io Open Source != Secure Open Source != Insecure Either!
- 8. snyk.io Heartbleed
- 9. snyk.io Shellshock
- 10. snyk.io Logjam
- 11. snyk.io Open Source is Less Tested For Security OS Project Owners not aware/budgeted for security OS consumers not engaged/aware of code
- 12. snyk.io Attackers Are Targeting Open Source One vulnerability, many victims
- 13. snyk.io How Do We Consume OSS?
- 14. snyk.io 2000: Select Open Source Providers Apache, Linux, IBM, OpenSSL…
- 15. snyk.io 2015: Open Source Marketplaces Everybody is a provider
- 16. snyk.io Ubuntu apt: ~54,000 packages (trusty/LTS 14)
- 17. snyk.io Docker Hub: ~150,000 repos ~150M pulls (to-date)
- 18. snyk.io Node.js npm: ~250,000 packages ~10M downloads/day
- 19. snyk.io Your App
- 20. snyk.io Your Code Your App
- 21. snyk.io Each Dependency Is A Security Risk
- 22. snyk.io Do You Know Which Dependencies You Have?
- 23. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if its developers have any Security Expertise?
- 24. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if it went through any Security Testing?
- 25. snyk.io Do you know, for EVERY SINGLE DEPENDENCY if it has Known Vulnerabilities?
- 26. snyk.io ~30% of Docker Hub images carry Known Vulnerabilities High Priority known vulnerabilites, to be exact Source: BanyanOps Analysis
- 27. snyk.io ~14% of npm Packages Carry Known Vulnerabilities ~80% of Snyk users found vulns in their apps Source: Snyk data, Mar 2016
- 28. snyk.io ~59% of Reported Vulnerabilities in Maven Packages Remain Unfixed Mean Time to Repair: 390 days MTTR for CVSS 10: 265 days Source: Josh Corman & Dan Geer
- 29. snyk.io Do You Have Known Vulnerabilities In Your Code? Do you even know?
- 30. snyk.io What Can You Do?
- 31. snyk.io Not Use Third Parties
- 32. snyk.io Third Party Binaries Third Party Code
- 33. snyk.io 1. Track & Update Your Dep’s
- 34. snyk.io Aptitude-based (Ubuntu, Debian, etc): dpkg -l RPM-based (Fedora, RHEL, etc): rpm -qa pkg*-based (OpenBSD, FreeBSD, etc): pkg_info Portage-based (Gentoo, etc): equery list or eix -I pacman-based (Arch Linux, etc): pacman -Q Cygwin: cygcheck --check-setup --dump-only * Slackware: slapt-get --installed http://unix.stackexchange.com/questions/20979/how-do-i-list-all-installed-programs Tracking Outdated Binaries
- 35. snyk.io Node/Ruby npm/bundle outdated Track Outdated Code (command line) Python pip list --outdated Java Maven Dep's Plugin
- 36. snyk.io Track Outdated Code (SaaS) GreenKeeper (Node.js) Gemnasium (Ruby) Requires.io (Python) Libraries.io (all)
- 37. snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need
- 38. snyk.io Find Unused Binaries (sort by last use date) Ubuntu UnusedPkg Fedora rpmusage
- 39. snyk.io Find Unused Code (show unreferenced packages) Node.js depcheck Ruby gem stale Java Maven Dep's Plugin
- 40. snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need 3. Find & Fix Current Vulns
- 41. snyk.io Find Known Vulnerabilities in Binaries (by checking security updates) Ubuntu usn Auto Sec Updates Fedora yum security Auto Sec Updates
- 42. snyk.io Find Known Vulnerabilities in Code (Looking in vuln DB, upgrade to fix) Client Side JS RetireJS Ruby rubysec Java OWASP Dep's Check
- 43. snyk.io Find & Fix Known Vulnerabilities in npm dep’s
- 44. snyk.io To Fix, Upgrade Could be hard for indirect dependencies
- 45. snyk.io Can’t Upgrade? You can: - Drop The Dependency - Apply a security patch - Prevent Exploits via WAF rules
- 46. snyk.io Test for Known Vulnerabilities in Build (CI)& Deploys (CD)
- 47. snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need 3. Find & Fix Current Vulns 4. Monitor For New Vulns
- 48. snyk.io Newly Disclosed Vulnerabilities Are Found On Old Code
- 49. snyk.io Register to Security Alerts Platform Specific Ubuntu Node.js OpenSSL (your vendor sec list) Broad Lists US-CERT NVD OSVDB
- 50. snyk.io Snyk Monitor
- 51. snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need 3. Find & Fix Current Vulns 4. Monitor For New Vulns 5. Stay Alert
- 52. snyk.io The Risk Doesn’t End with Known Vulnerabilities
- 53. snyk.io Your Code Your App
- 54. snyk.io npm has 65,000+ publishers
- 55. snyk.io Do you know, for EVERY SINGLE CONTRIBUTOR if they’ve been… Compromised?
- 56. snyk.io Developers are targeted as a Distribution Channel Ex: iOS Malware via Xcode Ghost
- 57. snyk.io Do you know, for EVERY SINGLE CONTRIBUTOR if they are… MALICIOUS?
- 58. snyk.io Open Source Maintenance is… complicated.
- 59. snyk.io If one component was evil, Would you know?
- 60. snyk.io Isolate each system
- 61. snyk.io use low-privilege users
- 62. snyk.io Monitor Outbound Communication
- 63. snyk.io Don’t Trust Your Own App To the extent you can…
- 64. snyk.io Stay Alert
- 65. snyk.io 1. Know What You’re Using 2. Drop What You Don’t Need 3. Find & Fix Current Vulns 4. Monitor For New Vulns 5. Stay Alert
- 66. snyk.io Open Source Is Awesome
- 67. snyk.io Open Source Is Awesome Please Enjoy Responsibly Questions? Guy Podjarny, Snyk @guypod
