Software Supply Chain Security and Components with Known Vulnerabilities

Video: https://youtu.be/hYcGFs1H6kU


1. Software Supply Chain Security. A9: Using Components with Known Vulnerabilities
2. Agenda
   • OWASP Top 10. 2017. A9. Using Components with Known Vulnerabilities
   • Example 1. NodeJS + decompress npm package
   • Example 2. Ruby on Rails + rubyzip gem
   • Recommendations and tools
   • Q&A
3. Is the Application Vulnerable?
   • You do not know the versions of all components you use
   • Software is vulnerable, unsupported, or out of date
   • You do not scan for vulnerabilities regularly
   • You do not subscribe to security bulletins
   • You do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion
   • Developers do not test the compatibility of updated, upgraded, or patched libraries
   • You do not secure the components’ configurations (OWASP Top-10 A6:2017-Security Misconfiguration)
4-7. Example 1. NodeJS + decompress npm package
8-10. Example 2. Ruby on Rails + rubyzip gem
11. SAMM 2.0
12. OWASP Application Security Verification Standard
13. Tools
   • npm audit
   • Retire.js
   • Vulners agent/nmap/nessus/etc.
   • OWASP Dependency-Check
   • OWASP Dependency-Track
14. OWASP Dependency-Check
   • https://owasp.org/www-project-dependency-check/
   • Version 5.3.2
   • Command Line
   • Ant Task
   • Maven Plugin
   • Gradle Plugin
   • Jenkins/SBT/Leiningen Plugin
15. OWASP Dependency-Track
   • 3.8.0
   • Intelligent Supply Chain Component Analysis platform
   • Open Source
   • Dashboard
   • API and Integration
16. OWASP Dependency-Track
17. Links
   https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/
   https://owasp.org/www-project-dependency-check/
   https://owasp.org/www-project-dependency-track/
   https://owasp.org/www-project-application-security-verification-standard/
   https://owasp.org/www-project-samm/
18. Q&A
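The first two bullets of slide 3 (not knowing the versions of the components you use, and running components that are vulnerable or out of date) are what tools such as npm audit and Dependency-Check automate: build an inventory of pinned versions, then match it against an advisory feed. As an added example that is not part of the slide deck, the Python script below does the same in miniature for the two ecosystems the talk uses, an npm package-lock.json and a Bundler Gemfile.lock. The lockfile contents, the fixed-in versions and the advisory identifiers are constructed sample data; they are not the real advisories for decompress or rubyzip.

```python
"""Component inventory and known-vulnerability check over lockfiles.

Added example, not code from the slide deck. The lockfiles, fixed-in versions
and advisory identifiers below are constructed sample data (placeholders).
"""
import json
import re

# Constructed npm lockfile (lockfileVersion 2 layout: "packages" keyed by install path).
PACKAGE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"decompress": "^4.2.0"}},
        "node_modules/decompress": {"version": "4.2.0"},
        "node_modules/decompress/node_modules/pify": {"version": "2.3.0"},
        "node_modules/decompress-tar": {"version": "4.1.1"},
    },
})

# Constructed Bundler lockfile: resolved versions live under GEM -> specs.
GEMFILE_LOCK = """GEM
  remote: https://rubygems.org/
  specs:
    rails (5.2.3)
      railties (= 5.2.3)
    railties (5.2.3)
    rubyzip (1.2.1)

PLATFORMS
  ruby

DEPENDENCIES
  rails
  rubyzip
"""

# Constructed advisory list: (ecosystem, package, first fixed version, placeholder id).
ADVISORIES = [
    ("npm", "decompress", "4.9.9", "ADVISORY-PLACEHOLDER-NPM-1"),
    ("gem", "rubyzip", "1.9.9", "ADVISORY-PLACEHOLDER-GEM-1"),
    ("gem", "rails", "5.2.0", "ADVISORY-PLACEHOLDER-GEM-2"),  # 5.2.3 is past the fix
]


def parse_package_lock(text):
    """Sorted (name, version) pairs from package-lock.json (v2/v3 'packages', v1 fallback)."""
    lock = json.loads(text)
    found = set()
    for path, info in lock.get("packages", {}).items():
        if "node_modules/" not in path or "version" not in info:
            continue  # "" is the root project; skip entries without a pin
        # Last path segment keeps scoped names such as "@scope/pkg" intact.
        found.add((path.rsplit("node_modules/", 1)[1], info["version"]))

    def walk(deps):  # lockfileVersion 1 nests dependencies recursively
        for name, info in deps.items():
            if "version" in info:
                found.add((name, info["version"]))
            walk(info.get("dependencies", {}))

    if not found:
        walk(lock.get("dependencies", {}))
    return sorted(found)


GEM_SPEC = re.compile(r"^ {4}(\S+) \(([^)]+)\)$")  # 4-space lines are resolved pins


def parse_gemfile_lock(text):
    """Sorted (name, version) pairs from the specs section of Gemfile.lock."""
    found, in_specs = set(), False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
        elif not line.startswith(" "):
            in_specs = False  # blank line or a new top-level section
        elif in_specs and (m := GEM_SPEC.match(line)):
            found.add((m.group(1), m.group(2)))  # 6-space lines are constraints, skipped
    return sorted(found)


def version_key(version):
    """Crude numeric key ('1.2.10' -> (1, 2, 10)); pre-release tags are not ordered."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version))


def build_inventory(package_lock=PACKAGE_LOCK, gemfile_lock=GEMFILE_LOCK):
    return {"npm": parse_package_lock(package_lock), "gem": parse_gemfile_lock(gemfile_lock)}


def find_vulnerable(inventory, advisories=ADVISORIES):
    """Report components whose version sorts below the advisory's first fixed version."""
    hits = []
    for eco, name, fixed_in, advisory_id in advisories:
        for pkg, version in inventory.get(eco, []):
            if pkg == name and version_key(version) < version_key(fixed_in):
                hits.append((eco, pkg, version, advisory_id))
    return sorted(hits)


if __name__ == "__main__":
    inventory = build_inventory()
    for eco, pkgs in inventory.items():
        print(f"{eco}: {len(pkgs)} pinned components")
    for hit in find_vulnerable(inventory):
        print("VULNERABLE:", *hit)
```

The version comparison is deliberately crude; a real scanner uses the ecosystem's own rules (npm semver, Gem::Version) so that pre-release and platform-suffixed versions are ordered correctly, which is one reason to rely on the tools listed on slide 13 rather than on a hand-rolled check.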
