Secure Software Development with 3rd Party Dependencies
- 1. Secure Software Development with 3rd Party Dependencies Tharindu Edirisinghe, WSO2 Colombo Security Meetup - 15th June 2016 http://www.meetup.com/colombo-security-meetup/events/231681389/ tharindue.blogspot.com @thariyarox https://lk.linkedin.com/in/ediri ediri@live.com
- 2. What is a 3rd Party Library ? A reusable software component developed to be either freely distributed or sold by an entity other than the original vendor of the development platform. The third-party software component market thrives because many programmers believe that component-oriented development improves the efficiency and the quality of developing custom applications. Common third-party software includes macros, bots, and software/scripts to be run as add-ons for popular developing software. Source : https://en.wikipedia.org/wiki/Third-party_software_component
- 3. Using 3rd Party Components in Software Development C# project dependencies in Microsoft Visual Studio Java project dependencies in IntelliJ Idea
- 4. Direct 3rd Party Dependencies The external software components (developed by some other organization/s) that your project depends on.
- 5. Direct 3rd Party Dependencies with Known Vulnerabilities The external software components (developed by some other organization/s) with known vulnerabilities that your project depends on.
- 6. Transitive 3rd Party Dependencies The software components that your external dependencies depend on.
- 7. Transitive 3rd Party Dependencies with Known Vulnerabilities The software components with known vulnerabilities that your external dependencies depend on.
- 8. Common Vulnerabilities and Exposures (CVE) What is CVE ? CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration." Who owns CVE ? CVE is sponsored by US-CERT (United States Computer Emergency Readiness Team) the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Source : https://cve.mitre.org/about/faqs.html
- 9. CVE Example ID : CVE-2015-5262 Overview : http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors. Severity: Medium CVSS Score: 4.3 Source : https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5262
- 10. Common Vulnerability Scoring System (CVSS) CVSS provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, as well as a textual representation of that score. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes. Source : https://www.first.org/cvss/specification-document
- 11. National Vulnerability Database (NVD) NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics. Source : https://nvd.nist.gov/
- 12. Using 3rd Party Dependencies Securely - The Big Picture NVD 3rd Party Dependencies In-house Development All the 3rd party dependencies (including 3rd party transitive dependencies) should be checked in NVD for identifying vulnerabilities. CVE-2015-5262 CVE-2014-3577 CVE-2012-6153
- 13. Veracode : Software Composition Analysis (SCA) Source : https://www.veracode.com/products/software-composition-analysis
- 14. Source Clear (SRC:CLR) Source : https://srcclr.com/
- 15. OWASP Dependency Check Dependency-Check is a utility that identifies project dependencies and checks if there are any known, publicly disclosed, vulnerabilities. Currently Java, .NET, Ruby, Node.js, and Python projects are supported; additionally, limited support for C/C++ projects is available for projects using CMake or autoconf. This tool can be part of a solution to the OWASP Top 10 2013 A9 - Using Components with Known Vulnerabilities. Source : https://www.owasp.org/index.php/OWASP_Dependency_Check
- 16. OWASP Dependency Check - Useful Resources Official Website https://www.owasp.org/index.php/OWASP_Dependency_Check Vulnerability Detection http://dontpanic.42.nl/2014/06/checking-framework-vulnerabilities.html Command Line Tool (CLI) https://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html Suppressing False Positives https://jeremylong.github.io/DependencyCheck/general/suppression.html Continuous Vulnerability Detection with Jenkins Integration https://medium.com/@PrakhashS/checking-vulnerabilities-in-3rd-party-dependencies-using-owasp-dependency-check- plugin-in-jenkins-bedfe8de6ba8#.cvgwcptjm
- 17. OWASP Dependency Check - Demo - Using Maven plugin for Java based projects - Using Command Line (CLI) tool for identifying vulnerable dependencies - Analyzing generated reports - Suppressing vulnerabilities for avoiding false positives - Dependency Check integration with Jenkins
- 18. Continuous Vulnerability Management in a Corporate Environment Request for using 3rd Party Dependency Engineering Engineering Management NVD Vulnerability Analysis Report Approval Development Team QA Team Builder Process Vulnerability Analysis Report
- 19. Getting Rid of Vulnerable Dependencies NVD 3rd Party Dependencies In-house Development - Upgrade direct 3rd party dependencies to a higher version - For transitive dependencies, check if the directly dependent component has a higher version that depends on a safer version of the transitive dependency. - Contact the developers of the component and get the issue fixed. CVE-2015-5262 CVE-2014-3577 CVE-2012-6153
- 20. Security in Software Development Life Cycle (SDLC) Source : https://www.checkmarx.com/glossary/a-secure-sdlc-with-static-source-code-analysis-tools/
- 21. Challenges : Handling False Positives Even though the vulnerability analysis tools report that there are vulnerabilities in a 3rd party dependency, there can be cases where those are not applicable to your product because of the way you have used that software component. Image Source : http://www.123rf.com/photo_30641222_doctor-is-checking-a-fat-man-shoot-in-the-hospital.html
- 22. Challenges : Handling False Negatives Even though the vulnerability analysis tools reports that your external dependencies are safe to use, still there can be unknown vulnerabilities. Image Source : http://www.whattoexpect.com/pregnancy/pregnancy-health/monthly-doctor-visits-during-pregnancy.aspx
- 23. Summary - Identify the external dependencies of your projects - Identify the vulnerabilities in the dependency software components. - Analyze the impact - Remove false positives - Prioritize the vulnerabilities based on the severity - Get rid of vulnerabilities (upgrade versions, use alternatives) - Provide patches to your products