Louis-Philippe, Local Security Crawler
Jean-Alexandre, Resident Chaos Monkey
Common Vulnerabilities & Exposures
Addressing Open Source Vulnerabilities
AGENDA
1. Understanding Acronyms
▶ CVE’s
▶ CWE’s
▶ CVSS
2. Land & Conquer: Tips & Tricks For Remediations
▶ Updating
▶ Patching
▶ Removing
▶ Ignoring Issues
3. Knowledge Application: Case Stories
▶ Easy Cases
▶ Harder Cases
▶ A Glimmer Of Hope
CVE Anger Management Journey™ (cognitive framework)
Denial: overwhelming emotion, a defense mechanism that buffers the shock
Anger: grief replaced with pain; you search for blame, feel intense guilt, and lash out
Bargaining: what if... a temporary escape; you plead for removing the requirement
Acceptance: the reality of the loss of productivity settles in, and you start working
CVE Relevance Mitigation Journey™ (mitigation framework)
Updating: following recommendations, changing library version numbers and automagically fixing CVE’s
Patching: using context, i.e. a forked repo with a fix
Removing: dropping features to fix it...
Ignoring: siloed and questionable decisions
What are known vulnerabilities?
Weaponizing information
Fingerprinting, identifying:
▶ Architecture
▶ Web presence
▶ Infrastructure
Exploit tooling
▶ Script kiddies
▶ Low/No interaction required
Automated attacks
Known Vulnerability Database World
CVE: Common Vulnerability And Exposure
● US Gov sponsored
● Maintained by MITRE
● Specific incremental numbering
CWE: Common Weakness Enumeration
● Taxonomy of CVE
● Categorises security by weaknesses
● Lower numbers (15k-ish)
Example: CWE-119 : Improper Restriction of Operations within the Bounds of a Memory Buffer
[Screenshot of the CWE-119 entry: Summary; Weakness Prevalence; Consequences (code execution); Remediation Cost; Ease of Detection; Attack Frequency; Attacker Awareness; Prevention and Mitigations by phase (Architecture and Design, Implementation, Operation)]
What about me, Common Platform Enumeration, don’t I also qualify? Well.. yes, but no one cares about you for now…
CVSS: Common Vulnerability Scoring System
● Third iteration: CVSSv3
● Simple scoring methodology
● Divided into severity levels
CVE’s… Everywhere…
Common Vulnerability Scoring System (CVSS)
Base Score (MITRE managed)
- Immutable
- Big picture of the CVE
- How bad is it, doc?
Temporal Score (time-sensitive information)
- Exploit code maturity
- Can I try it out?!
- Trustworthiness
- Remediation availability
Environmental Score (contextual information)
- Environmental context for the vulnerable system
- Confidentiality: information leaked
- Integrity: information tampered
- Availability: loss of availability
CVE Relevance Mitigation Journey: relevant CVE mitigation (scope, context)
1. Fixing Vulnerable Packages: Upgrading
● Indirect dependency upgrade
● Conflicts
● Major upgrades
… I just updated one tiny package, now everything is broken…
Not a valid response: “We’re so out of date we’re not affected”
2. Patching Vulnerable Packages
● Simple patches
● Snyk patches
● Monkey patching
3. Removing Vulnerable Packages
● Drop the feature
● Disable the feature
● Refactor the code
Ignoring Vulnerable Packages
● Mute until fix
● Properly tag
● False positive
A million CVE’s, a million fixes: invest in making fixes easy
Time to get your hands dirty
Case #1 - App Context
● Java application backend
○ Internet-facing website
● Login functionality
○ Offers security training for employees
Case #1 - JAVA-COMGOOGLEGUAVA-32236
https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236
Technical Data
Vulnerable package : com.google.guava [11.0, 24.1.1)
CVE : CVE-2018-10237
CWE : CWE-119
CVSS Score : 5.9 (Medium)
CVSS Code : CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type : Deserialization of Untrusted Data (DoS)
Disclosed : 25 Apr, 2018
Published : 02 May, 2018
Understanding the issue
Case #1 - JAVA-COMGOOGLEGUAVA-32236
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Affects deserialization of the AtomicDoubleArray and CompoundOrdering classes
Relies on attacker-provided data
Eager memory allocation leads to resource consumption and crash
Case #1 - JAVA-COMGOOGLEGUAVA-32236
Are we affected?
We don’t deserialize any user-provided data in our code.
One thing to keep in mind: code changes. A future change that starts deserializing untrusted data would make us affected.
Case #1 - JAVA-COMGOOGLEGUAVA-32236
Our Options
Upgrade
● We cannot
Patching
● Hard to do
● Not future-proof
Removing
● Where do we use Guava? Only for some isNullOrEmpty on strings?
● Let’s get rid of Guava and fix everything
Ignoring
● We would rather not
Questions on this case?
Case #2 - App Context
● Small animation rendering application on Linux
● Users can play back animations
Case #2 - Direct3D Buffer Overflow
https://nvd.nist.gov/vuln/detail/CVE-2017-7845
Technical Data
Vulnerable package : Direct3D [, 11.1)
CVE : CVE-2017-7845
CVSS : 8.8 (High)
CVSS Code : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type : Buffer Overflow
Published Date : Nov 06, 2018
Understanding the issue
Case #2 - Direct3D Buffer Overflow
Buffer overflows are very serious issues.
This one affects a graphics library that is mostly used on Windows (and in emulators like Wine).
A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. Note: This attack only affects Windows operating systems. Other operating systems are unaffected.
This CVE: only affects Windows operating systems.
Case #2 - Direct3D Buffer Overflow
Are we affected?
Using Direct3D in Wine on Linux.... Easy, right?
Case #3 - App Context
● Serverless: Lambda granting employee access
○ Built on Python 3.6
Case #3 - PYTHON-PYYAML-42159
https://snyk.io/vuln/SNYK-PYTHON-PYYAML-42159
Technical Data
Vulnerable package : pyYaml [,4.1)
CVE : CVE-2017-18342
CWE : CWE-94
CVSS : 9.8
CVSS Code : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type : Arbitrary Code Execution
Disclosed : 26 Aug, 2017
Published : 28 Jun, 2018
Fix : 13 Mar, 2019*
Understanding the issue
Case #3 - PYTHON-PYYAML-42159
● yaml.load() is a dangerous function by design
● The CVE states that load() should be safe by default
● The project maintainer disagreed with the community on the fix
● The method safe_load() exists and is safe for untrusted data
● For trusted data (loading your own config, for example) there is no issue
Affected versions of this package are vulnerable to Arbitrary Code Execution due to using the insecure yaml.load() function.
Case #3 - PYTHON-PYYAML-42159
Are we affected?
We use pyYAML to load our configuration. It is trusted data.
Fixed in 4.1?
Snyk claims that it is fixed in v4.1. Let’s update! …… wait.
Version 4.1 was pulled from PyPI.
How can I fix it if no fix is available?
Case #3 - PYTHON-PYYAML-42159
Our Options
Upgrade
If only…
● No patch available
Patching
Great option
● Change load() to safe_load()
● Beware: usual caveat
● Not future proof
Removing
Might require work
● Change library
● Do without?
Ignoring
Valid option:
● No untrusted data
● Beware: usual caveat
Questions on this case?
Case #4 - App Context
● Authenticated service providing read-only configuration for production
○ Python 3.7
Case #4 - PYTHON-REQUESTS-72435
https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-72435
Technical Data
Vulnerable package : requests [,2.20)
CVE : CVE-2018-18074
CWE : CWE-200
CVSS : 9.8 (High)
CVSS Code : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vulnerability Type : Information Exposure
Disclosed : 09 Oct, 2018
Published : 10 Oct, 2018
Understanding the issue
Case #4 - PYTHON-REQUESTS-72435
● Redirecting from HTTPS -> HTTP
● Sends the Authorization header
○ Basic Auth == base64-encoded credentials
● Requests considers only the host, not the port/scheme
The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.
Authorization: Basic Y292ZW9fdXNlcjpFbGV2YXRlMjAxOSE=
Authorization: Basic coveo_user:0WA$P_QC!
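As an added illustration (not code from the talk or from the requests project), the redirect check below puts the host-only rule the advisory describes next to a rule that also compares scheme and effective port; the URLs and the credential are constructed placeholders.

```python
"""Should the Authorization header follow a redirect?

Two policies side by side: the host-only comparison that case 4 describes
(credentials survive a same-host https -> http downgrade) and a check that also
looks at scheme and effective port. Stand-alone code; it neither imports nor
patches the requests library."""
import base64
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def _effective_port(parsed):
    """Explicit port if present, otherwise the default for the scheme."""
    return parsed.port if parsed.port is not None else DEFAULT_PORTS.get(parsed.scheme)


def strips_auth_host_only(old_url, new_url):
    """Weak policy: keep credentials whenever the hostname is unchanged, so a
    same-host https -> http redirect sends the header in clear text."""
    return urlparse(old_url).hostname != urlparse(new_url).hostname


def strips_auth_hardened(old_url, new_url):
    """Strip credentials on any change of host, scheme or port; the one
    exception is an http -> https upgrade on the default ports."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    old_port, new_port = _effective_port(old), _effective_port(new)
    if old.scheme == "http" and new.scheme == "https" and old_port == 80 and new_port == 443:
        return False
    return old.scheme != new.scheme or old_port != new_port


def follow_redirect(headers, old_url, new_url, policy):
    """Headers that would be sent to new_url after applying the policy."""
    forwarded = dict(headers)
    if "Authorization" in forwarded and policy(old_url, new_url):
        del forwarded["Authorization"]
    return forwarded


def decode_basic(header_value):
    """Basic auth is base64, not encryption: whoever can read the plaintext
    HTTP request gets the user:password pair back."""
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    return base64.b64decode(payload).decode()


if __name__ == "__main__":
    # Constructed sample: the HTTPS endpoint answers with a redirect to the
    # plain-HTTP URL of the same host, the downgrade described in case 4.
    creds = "Basic " + base64.b64encode(b"svc_user:placeholder-secret").decode()
    headers = {"Authorization": creds, "Accept": "application/json"}
    src = "https://config.internal.example/api/v1/settings"
    dst = "http://config.internal.example/api/v1/settings"
    for name, policy in (("host-only", strips_auth_host_only),
                         ("hardened", strips_auth_hardened)):
        sent = follow_redirect(headers, src, dst, policy)
        print(f"{name:9}: Authorization forwarded over http? {'Authorization' in sent}")
```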
Case #4 - PYTHON-REQUESTS-72435
Are we affected?
● We do use requests
● We do downgrade to HTTP on authenticated pages (!!)
● How fast must we fix it?
CVSS v3 - Temporal Score
Case #4 - PYTHON-REQUESTS-72435
● (E) Exploit Code Maturity : High
○ No exploit code is needed, you just have to listen to the traffic
● (RL) Remediation Level : Official Fix
○ Just bump to v2.20
● (RC) Report Confidence : Confirmed
○ The code is open source
○ Easy to verify
○ Has an official CVE (vetted)
CVSS v3 - Environmental Score
Case #4 - PYTHON-REQUESTS-72435
● (CR) Confidentiality Requirement : Medium
○ This system doesn’t contain highly confidential data but does contain some sensitive information
● (IR) Integrity Requirement : High
○ The asset’s integrity must not be compromised as it is a critical system.
● (AR) Availability Requirement : High
○ Critical system for production, must stay up (ex: the system is under SLA from clients)
● (MAV) Modified Attack Vector : Adjacent Network
○ The system is not directly accessible on the internet, but must be routed internally.
● (MAC) Modified Attack Complexity : Not Defined
○ Nothing changes the complexity of the attack.
● (MPR) Modified Privileges Required : High
○ In order to intercept the HTTP communication, an attacker must be listening from inside the VPC network or share a local network with the victim (be on site)
● (MUI) Modified User Interaction : None
○ No engagement from the user is required
● (MS) Modified Scope : Unchanged
○ Compromising this asset doesn’t give access to another one.
● (MC) Modified Confidentiality : Low
○ Getting unauthorized access doesn’t grant access to sensitive information in this system but does give insight into the infrastructure
● (MI) Modified Integrity : None
○ User access to the system is read only; the data inside cannot be changed
● (MA) Modified Availability : None
○ Getting access will not let a user affect the system’s availability
We managed to get it down to 2.3 (Low)
The issue must still be addressed within 3 months
Preferably, fixing it is still best
Case #4 - PYTHON-REQUESTS-72435
Our Options
Upgrade
● Could be a good idea, if the fix is available
Patching
● We should get rid of the redirection to HTTP
Removing
● Not really possible...
Ignoring
● We would rather not
Fixing the issue
Case #4 - PYTHON-REQUESTS-72435
Get rid of the HTTP redirection: a long-lasting mitigation
Questions on this case?
Any general questions?
Any fun stories to share?

Securing open sources libraries in open source code package

  • 1. Common Vulnerabilities & Exposures: Addressing Open Source Vulnerabilities. Louis-Philippe (Local Security Crawler), Jean-Alexandre (Resident Chaos Monkey)
  • 2. AGENDA
    1. Understanding Acronyms ▶ CVEs ▶ CWEs ▶ CVSS
    2. Land & Conquer: Tips & Tricks For Remediations ▶ Updating ▶ Patching ▶ Removing ▶ Ignoring Issues
    3. Knowledge Application: Case Stories ▶ Easy Cases ▶ Harder Cases ▶ A Glimmer Of Hope
  • 3. CVE Anger Management Journey™ (cognitive framework)
    ● Denial: overwhelming emotion, a defense mechanism that buffers the shock
    ● Anger: grief replaced with pain; you search for blame, feel intense guilt, and lash out
    ● Bargaining: "What if..."; a temporary escape in which you plead for the requirement to be removed
    ● Acceptance: the reality of the loss of productivity settles in, and you start working
  • 4. CVE Relevance Mitigation Journey™ (mitigation framework)
    ● Updating: follow the recommendations, bump library version numbers and automagically fix CVEs
    ● Patching: fix using context, i.e. a forked repo carrying the fix
    ● Removing: drop features to make the issue go away...
    ● Ignoring: siloed and questionable decisions
  • 6. Fingerprinting: weaponizing information by identifying ▶ Architecture ▶ Web presence ▶ Infrastructure
  • 7. Automated Attacks: exploit tooling ▶ Script kiddies ▶ Low/No interaction required
  • 8. Known Vulnerability Database World: CVE (Common Vulnerabilities and Exposures)
    ● US Gov sponsored
    ● Maintained by MITRE
    ● Specific incremental numbering: CVE-YYYY-NNNN, the year plus a sequence number
  • 9. Known Vulnerability Database World: CWE (Common Weakness Enumeration)
    ● A taxonomy for CVEs: categorises security issues by the underlying weakness, not by product
    ● Far smaller ID space than CVE (IDs run into the low thousands, e.g. CWE-119)
  • 10. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. A CWE entry summarises the weakness (prevalence, consequences such as code execution, remediation cost, ease of detection, attack frequency, attacker awareness) and lists prevention and mitigations by phase: Architecture and Design, Implementation, Operation.
  • 11. Known Vulnerability Database World: CVSS (Common Vulnerability Scoring System, maintained by FIRST)
    ● Third iteration, CVSSv3
    ● Simple scoring methodology
    ● Scores are divided into severity bands (None, Low, Medium, High, Critical)
    (What about me? Common Platform Enumeration (CPE), don’t I also qualify? Well... yes, but no one cares about you for now...)
  • 13. Common Vulnerability Scoring System (CVSS) ● Base Score: immutable ● Temporal Score: time-sensitive information ● Environmental Score: contextual information
  • 14. Base Score: immutable, the big picture of the CVE ("How bad is it, doc?"). It is published with the advisory (NVD or the vendor CNA scores it; the CVE record itself only identifies the issue) and is meant to be the same for every deployment; your own context goes into the temporal and environmental groups.
  • 15. Temporal Score: time-sensitive ● Exploit code maturity ("Can I try it out?!") ● Report confidence (trustworthiness of the report) ● Remediation level (is a fix available?)
  • 16. Environmental Score: contextual information about the vulnerable system ● Confidentiality: how much does leaked information hurt you? ● Integrity: how much does tampered information hurt you? ● Availability: how much does loss of availability hurt you?
  • 18. CVE Relevance Mitigation Journey, step 1: fixing the vulnerable package by upgrading ● Indirect dependency upgrade ● Conflicts
  • 19. Upgrading Vulnerable Packages ("... I just updated one tiny package, now everything is broken...") ● Indirect dependency upgrade ● Conflicts ● Major upgrades
  • 20. Not a valid response: “We’re so out of date we’re not affected”
  • 22. Patching Vulnerable Packages ● Simple patches ● Snyk patches ● Monkey patching
  • 24. Removing Vulnerable Packages ● Drop the feature ● Refactor the code ● Disable the feature
  • 25. Ignoring Vulnerable Packages ● Mute until a fix exists ● Properly tag the decision ● False positive
  • 27. Invest in making fixes easy
  • 28. Time to get your hands dirty
  • 29. Case #1, app context ● Java application backend ○ Internet-facing website ● Login functionality ○ Offers security training for employees
  • 30. Case #1 - JAVA-COMGOOGLEGUAVA-32236 (https://snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236) Technical Data
    Vulnerable package: com.google.guava [11.0, 24.1.1)
    CVE: CVE-2018-10237
    CWE: CWE-119
    CVSS score: 5.9 (Medium)
    CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
    Vulnerability type: Deserialization of Untrusted Data (DoS)
    Disclosed: 25 Apr 2018
    Published: 02 May 2018
  • 31. Understanding the issue, Case #1 - JAVA-COMGOOGLEGUAVA-32236. Advisory text: "Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable."
    ● Affects deserialization of the AtomicDoubleArray and CompoundOrdering classes
    ● Relies on attacker-provided data reaching a deserializer
    ● Eager memory allocation leads to resource exhaustion and a crash
  • 32. Case #1 - JAVA-COMGOOGLEGUAVA-32236. Are we affected? We don’t deserialize any user-provided data in our code. One thing to keep in mind: that answer only holds until the code changes; re-check it whenever a new deserialization path is added.
  • 33. Case #1 - JAVA-COMGOOGLEGUAVA-32236. Our Options
    ● Upgrade: we cannot
    ● Patching: hard to do, not future-proof
    ● Removing: where do we use Guava? Only for some isNullOrEmpty on strings? Let’s get rid of Guava and fix everything
    ● Ignoring: we would rather not
  • 35. Case #2, app context ● Small animation rendering application on Linux ● Users can play back animations
  • 36. Case #2 - Direct3D Buffer Overflow (https://nvd.nist.gov/vuln/detail/CVE-2017-7845) Technical Data
    Vulnerable package: Direct3D [, 11.1)
    CVE: CVE-2017-7845
    CVSS: 8.8 (High)
    CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
    Vulnerability type: Buffer Overflow
    Published: Nov 06, 2018
  • 37. Understanding the issue, Case #2 - Direct3D Buffer Overflow
    ● Buffer overflows are very serious issues
    ● Affects a graphics library mostly used on Windows (and through compatibility layers like Wine)
    Advisory text: "A buffer overflow occurs when drawing and validating elements using Direct 3D 9 with the ANGLE graphics library, used for WebGL content. This is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash. Note: This attack only affects Windows operating systems. Other operating systems are unaffected."
    This CVE only affects Windows operating systems.
  • 38. Case #2 - Direct3D Buffer Overflow. Are we affected? We are using Direct3D through Wine on Linux...
  • 40. Case #3, app context ● Serverless: a Lambda granting employee access ○ Built on Python 3.6
  • 41. Case #3 - PYTHON-PYYAML-42159 (https://snyk.io/vuln/SNYK-PYTHON-PYYAML-42159) Technical Data
    Vulnerable package: PyYAML [,4.1)
    CVE: CVE-2017-18342
    CWE: CWE-94
    CVSS score: 9.8 (Critical)
    CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability type: Arbitrary Code Execution
    Disclosed: 26 Aug 2017
    Published: 28 Jun 2018
    Fix: 13 Mar 2019*
  • 42. Understanding the issue, Case #3 - PYTHON-PYYAML-42159. Snyk description: "Affected versions of this package are vulnerable to Arbitrary Code Execution due to using the insecure yaml.load() function."
    ● yaml.load() is dangerous by design: the default loader constructs arbitrary Python objects from tags in the document
    ● The CVE states that load() should be safe by default
    ● The project maintainer disagreed with the community on the fix
    ● The safe_load() method exists and is safe for untrusted data
    ● For trusted data (loading your own config, for example) there is no issue
  • 43. Case #3 - PYTHON-PYYAML-42159. Are we affected? We use PyYAML to load our configuration. It is trusted data.
  • 44. Fixed in 4.1? Case #3 - PYTHON-PYYAML-42159. Snyk claims it is fixed in v4.1. Let’s update! ...... wait. Version 4.1 was pulled from PyPI. How can I fix it if no fix is available?
  • 45. Case #3 - PYTHON-PYYAML-42159. Our Options
    ● Upgrade: if only... no patched release is available
    ● Patching: great option; change load() to safe_load(); beware the usual caveat, it is not future-proof
    ● Removing: might require work; change library, or do without?
    ● Ignoring: valid option, we handle no untrusted data; beware the usual caveat
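To answer "are we affected?" and "did we really change every load() to safe_load()?" for PyYAML without grepping by hand, here is an added example (written for this page, not code from the talk or from the PyYAML project). It walks a Python module's AST and reports every yaml.load() call whose loader is not SafeLoader/CSafeLoader, including calls made through `import yaml as y` or `from yaml import load`. The sample module it scans is constructed for the example.

```python
import ast
import sys
from typing import List, Tuple

# Loaders that never construct arbitrary Python objects from YAML tags.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader"}


class UnsafeYamlLoadFinder(ast.NodeVisitor):
    """Collects yaml.load() calls whose loader could build arbitrary objects."""

    def __init__(self) -> None:
        self.module_aliases = {"yaml"}          # names bound to the yaml module
        self.load_aliases: set = set()          # names bound directly to yaml.load
        self.findings: List[Tuple[int, str]] = []

    def visit_Import(self, node: ast.Import) -> None:
        for alias in node.names:                # import yaml / import yaml as y
            if alias.name == "yaml":
                self.module_aliases.add(alias.asname or "yaml")
        self.generic_visit(node)

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module == "yaml":               # from yaml import load [as x]
            for alias in node.names:
                if alias.name == "load":
                    self.load_aliases.add(alias.asname or "load")
        self.generic_visit(node)

    def _is_yaml_load(self, func: ast.expr) -> bool:
        if isinstance(func, ast.Name):
            return func.id in self.load_aliases
        return (isinstance(func, ast.Attribute) and func.attr == "load"
                and isinstance(func.value, ast.Name)
                and func.value.id in self.module_aliases)

    @staticmethod
    def _loader_name(node: ast.expr) -> str:
        if isinstance(node, ast.Attribute):     # yaml.SafeLoader
            return node.attr
        if isinstance(node, ast.Name):          # SafeLoader
            return node.id
        return "<dynamic>"                      # a variable or call: cannot vouch for it

    def visit_Call(self, node: ast.Call) -> None:
        if self._is_yaml_load(node.func):
            loader = node.args[1] if len(node.args) >= 2 else None   # positional Loader
            for kw in node.keywords:
                if kw.arg == "Loader":
                    loader = kw.value
            if loader is None:
                self.findings.append((node.lineno,
                    "yaml.load() without Loader: before PyYAML 5.1 this is the full, "
                    "object-constructing loader; use yaml.safe_load()"))
            elif self._loader_name(loader) not in SAFE_LOADERS:
                self.findings.append((node.lineno,
                    f"yaml.load() with Loader={self._loader_name(loader)}: "
                    "not a safe loader, review or switch to SafeLoader"))
        self.generic_visit(node)


def find_unsafe_yaml_loads(source: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every risky yaml.load() in `source`."""
    finder = UnsafeYamlLoadFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings)


# Constructed sample module for the example (not real project code).
SAMPLE_SOURCE = '''\
import yaml
from yaml import load as yload

def load_config(path):
    with open(path) as fh:
        return yaml.load(fh)                        # default loader, line 6

def parse_untrusted(body):
    return yload(body, Loader=yaml.Loader)          # explicit unsafe loader, line 9

def parse_ok(body):
    return yaml.load(body, Loader=yaml.SafeLoader)  # fine

def parse_ok_too(body):
    return yaml.safe_load(body)                     # fine
'''

if __name__ == "__main__":
    # Scan the files given on the command line, or the constructed sample.
    sources = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_SOURCE]
    for src in sources:
        for lineno, reason in find_unsafe_yaml_loads(src):
            print(f"line {lineno}: {reason}")
```

Run it as `python check_yaml_loads.py app/*.py` in CI so that the "we only load trusted config" decision is re-verified every time the code changes; a loader passed through a variable is reported as `<dynamic>` rather than silently accepted.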
  • 47. Case #4, app context ● Authenticated service providing read-only configuration for production ○ Python 3.7
  • 48. Case #4 - PYTHON-REQUESTS-72435 (https://snyk.io/vuln/SNYK-PYTHON-REQUESTS-72435) Technical Data
    Vulnerable package: requests [,2.20)
    CVE: CVE-2018-18074
    CWE: CWE-200
    CVSS score: 9.8 (Critical)
    CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Vulnerability type: Information Exposure
    Disclosed: 09 Oct 2018
    Published: 10 Oct 2018
  • 49. Understanding the issue, Case #4 - PYTHON-REQUESTS-72435
    ● The server redirects from HTTPS -> HTTP
    ● The client re-sends the Authorization header on the plain-HTTP request ○ Basic Auth == base64-encoded credentials, not encryption
    ● requests compared only the hostname, not the scheme or port, when deciding whether to keep the header
    NVD description: "The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network."
    On the wire: Authorization: Basic Y292ZW9fdXNlcjpFbGV2YXRlMjAxOSE= ; anyone sniffing decodes it to a plain user:password pair (the slide shows the form Authorization: Basic coveo_user:0WA$P_QC!)
  • 50. Are we affected? Case #4 - PYTHON-REQUESTS-72435 ● We do use requests ● We do downgrade to HTTP on authenticated pages (!!) ● How fast must we fix it?
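Added example, not part of the talk or of the requests code base: a simulation of the leak described on the previous slides. strip_auth_vulnerable() mirrors the pre-2.20 hostname-only comparison; strip_auth_fixed() is modelled on the scheme/host/port check that requests 2.20 introduced (a re-implementation for illustration, not the library's own function). The redirect chain, host name and credentials are constructed for the example.

```python
import base64
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def basic_auth(user: str, password: str) -> str:
    """Build a Basic Authorization value: base64 of user:password, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def strip_auth_vulnerable(old_url: str, new_url: str) -> bool:
    """Pre-2.20 behaviour: only the hostname is compared, so a same-host
    https -> http redirect keeps the Authorization header."""
    return urlparse(old_url).hostname != urlparse(new_url).hostname


def strip_auth_fixed(old_url: str, new_url: str) -> bool:
    """Modelled on the check requests 2.20 added (re-implementation, not the
    library's code): drop the header when host, scheme or port change, except
    for an http -> https upgrade on the default ports."""
    old, new = urlparse(old_url), urlparse(new_url)
    if old.hostname != new.hostname:
        return True
    if (old.scheme == "http" and old.port in (80, None)
            and new.scheme == "https" and new.port in (443, None)):
        return False
    old_port = old.port or DEFAULT_PORTS.get(old.scheme)
    new_port = new.port or DEFAULT_PORTS.get(new.scheme)
    return old.scheme != new.scheme or old_port != new_port


# Constructed server behaviour: url -> (status, Location). The TLS endpoint
# bounces authenticated clients to plain HTTP on the same host, as in the case.
SERVER: Dict[str, Tuple[int, Optional[str]]] = {
    "https://config.example.internal/v1/settings": (302, "http://config.example.internal/v1/settings"),
    "http://config.example.internal/v1/settings": (200, None),
}


def follow_redirects(start_url: str, headers: Dict[str, str],
                     strip_auth: Callable[[str, str], bool],
                     server: Dict[str, Tuple[int, Optional[str]]] = SERVER,
                     max_hops: int = 5) -> List[Tuple[str, Dict[str, str]]]:
    """Walk the constructed redirect chain the way a client would and return
    every request it sent as (url, headers); an eavesdropper on the plain-HTTP
    hop sees exactly those headers."""
    url, headers = start_url, dict(headers)
    sent: List[Tuple[str, Dict[str, str]]] = []
    for _ in range(max_hops):
        sent.append((url, dict(headers)))
        status, location = server[url]
        if status not in (301, 302, 303, 307, 308) or not location:
            return sent
        if "Authorization" in headers and strip_auth(url, location):
            del headers["Authorization"]
        url = location
    raise RuntimeError("too many redirects")


def leaked_over_http(strip_auth: Callable[[str, str], bool]) -> bool:
    """True if any plain-HTTP request in the chain still carried the header."""
    creds = {"Authorization": basic_auth("svc_user", "hunter2")}  # constructed credentials
    sent = follow_redirects("https://config.example.internal/v1/settings", creds, strip_auth)
    return any(url.startswith("http://") and "Authorization" in hdrs for url, hdrs in sent)


if __name__ == "__main__":
    print("requests < 2.20 logic leaks Basic credentials over HTTP:", leaked_over_http(strip_auth_vulnerable))
    print("requests >= 2.20 logic leaks them:", leaked_over_http(strip_auth_fixed))
```

Note what the library fix does and does not do: with the 2.20 logic the client drops the header before following the downgrade, so the credentials stay off the wire, but the request to the HTTP URL is still made and will now fail authentication. The redirect itself is the server-side defect, which is why the slides that follow treat removing it as the lasting fix.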
  • 51. CVSS v3 temporal score, Case #4 - PYTHON-REQUESTS-72435
    ● (E) Exploit Code Maturity: High ○ No exploit code is needed, you just have to listen to the traffic
    ● (RL) Remediation Level: Official Fix ○ Just bump to v2.20
    ● (RC) Report Confidence: Confirmed ○ The code is open source and easy to verify, and it has an official (vetted) CVE
  • 52. CVSS v3 environmental score, Case #4 - PYTHON-REQUESTS-72435
    ● (CR) Confidentiality Requirement: Medium ○ This system doesn’t contain highly confidential data but does contain some sensitive information
    ● (IR) Integrity Requirement: High ○ The asset’s integrity must not be compromised, as it is a critical system
    ● (AR) Availability Requirement: High ○ Critical system for production, must stay up (e.g. the system is under an SLA with clients)
    ● (MAV) Modified Attack Vector: Adjacent Network ○ The system is not directly accessible from the internet; traffic must be routed internally
  • 53. CVSS v3 environmental score, Case #4 - PYTHON-REQUESTS-72435
    ● (MAC) Modified Attack Complexity: Not Defined ○ Nothing changes the complexity of the attack
    ● (MPR) Modified Privileges Required: High ○ To intercept the HTTP communication, an attacker must be listening from inside the VPC network or share a local network with the victim (be on site)
    ● (MUI) Modified User Interaction: None ○ No engagement from the user is required
    ● (MS) Modified Scope: Unchanged ○ Compromising this asset doesn’t give access to another one
  • 54. CVSS v3 environmental score, Case #4 - PYTHON-REQUESTS-72435
    ● (MC) Modified Confidentiality: Low ○ Unauthorized access doesn’t expose sensitive information in this system, but it does give insight into the infrastructure
    ● (MI) Modified Integrity: None ○ User access to the system is read-only; the data inside cannot be changed
    ● (MA) Modified Availability: None ○ Getting access will not let a user affect the system’s availability
  • 55. CVSS v3 environmental score, Case #4 - PYTHON-REQUESTS-72435. We managed to get it down to 2.3 (Low). The issue must still be addressed within 3 months; fixing it properly is preferable.
  • 56. Case #4 - PYTHON-REQUESTS-72435. Our Options
    ● Upgrade: a good idea, since an official fix is available
    ● Patching: we should get rid of the redirection to HTTP
    ● Removing: not really possible...
    ● Ignoring: we would rather not
  • 57. Fixing the issue, Case #4 - PYTHON-REQUESTS-72435. Get rid of the HTTP redirection: a long-lasting mitigation, since upgrading requests only stops this client from leaking the header, while the server would keep sending every other authenticated client to plain HTTP.
  • 59. Any general questions? Any fun stories to share?