Webinar–Delivering a Next Generation Vulnerability Feed

© 2019 Synopsys, Inc. 1
Delivering a Next-Generation Vulnerability Feed
The Advent of BDSA and the State of Vulnerability Reporting
Synopsys Software Integrity Group 2019

Introduction
Siobhan Hunter, BDSR (Black Duck Security Research)
• The BDSR (Black Duck Security Research)
team forms part of the Synopsys
Cybersecurity Research Centre (CyRC).
• We are tasked with identifying and
researching reported vulnerabilities in open
source software.
• We currently deliver our Black Duck Security
Advisories (BDSAs) feed to customers via the
Hub.

Agenda
Introduction and a little background
• BDSA: A gourmet feed
Showcase BDSAs
• ImageMagick
• LibreOffice
• Apache CouchDB
Enhanced research projects
• Apache Struts
Summary

BDSA: A little background
Vulnerability analysis at Black Duck Security Research (BDSR)

Yet another feed?
Source Vulnerabilities
SourceClear Vulnerability Database 2,031,202 vulnerabilities
National Vulnerability Database (NVD) 84,795 vulnerabilities reported since 2009
VulnDB 135,908 entries
Snyck 74% more vulnerabilities than NVD
Rapid7 47,902 exploitable vulnerabilities
Security Focus >100,000 vulnerabilities

Vulnerability analysis at BDSR
Beyond the rest
What does Synopsys do differently?
• Harness this firehose of vulnerability data
• Create a finely tuned feed of vulnerability reports
• Verify the accuracy of the vulnerability report
• Focus on the vulnerabilities that are relevant to our customers
What do we deliver?
Security advisories that are
• Selected
• Prioritized
• Researched
• Delivered with same-day notification
What’s so great about BDSAs?
• Consistency and high-quality information
• CVE agnostic: if it affects customer components, we cover it
• Actionable mitigation, workaround, and remediation guidance
• Direct mapping to affected applications for rapid evaluation of risk exposure
• CVSS 2.0/3.0 severity scoring

Setting the scene
The raw material for vulnerability research
How are OS vulnerabilities currently reported?
• Vulnerabilities are reported in hundreds of places across the internet
• Some are discovered and reported by CVE Numbering Authorities (CNAs)
• Some researchers exercise responsible disclosure, some don’t
I N D E P E N D E N T
R E S E A R C H E R S
V E N D O R S & P R O J E C T S
A G G R E G AT O R S
B O U N T Y S I T E S

Selecting our ingredients
The harvesting of sources
We have carefully curated the list of sources we use
throughout the lifetime of the project.
We use various criteria to determine specific
sources, such as:
• Components used by our customers (based on
telemetry from KB)
• Coverage of CNA organizations
• Signal-to-noise ratio of the source
• Quality of the information provided
We continuously refine our source processing.

Our recipe for quality and consistency
Customer requests
• Requests for clarification
• Verification of scoring
• In-depth research
• Check affected version ranges
• Additional component coverage

BDSA: Worked examples
ImageMagick CVE-2019-7395
LibreOffice CVE-2018-16858
Apache CouchDB

Case Study 1
Reported in GitHub 5 Feb. 2019

Case Study 1
Reported in Bugzilla on
the same day

Case Study 1
Subsequently replicated across all the
advisory fora

Case Study 1
CVSS2 Base Score 5.0 (Medium)
CVSS3 Base Score 5.3 (Medium)
With Temporal Metrics 3.2 (Low)
CVSS3 with Temporal 4.6 (Low)

Case Study 1
What does “added value” mean for our customers?
• Immediately accessible details in title and overview description
• Thorough technical treatment of vulnerable code and attack vectors
• Thorough research and reporting of vulnerable version range
• Immediate actionable information regarding fix commits, fixed releases, relevant references, and
embedded links
• Both CWE and CAPEC classifications
• Accurate extended scoring that includes base and temporal metrics

Importance of uniformity and the human touch

Case Study 2

Case Study 1
And subsequently replicated across all
the advisory fora2019

Case Study 2

Case Study 2
NVD analysis published over 7
weeks later on 27 March
At any given time, we have numerous completed BDSAs in KB with a CVE but no corresponding NVD entry
These are reserved CVE numbers allocated by CNAs (CVE Numbering Authorities)
All are ranked (i.e., have appeared in customer BOMs)

Apache CouchDB
Case Study 3

Apache CouchDB
Case Study 3
• Many vulnerabilities for popular components do not get allocated CVEs
• BDSAs are created as a matter of priority
• Historically, these vulnerabilities have been actively added to the BDSA stock
• Why has this become prevalent?
Vulnerabilities with no allocated CVE represent
20%–25% of our overall BDSAs

Threat Research Information (TRI) reports
What is a TRI report?
The tale of CVE-2018-11776

TRI reports
What is a TRI report?
• Deep-dive research into selected vulnerabilities
• Comprehensive analysis based on replication and study of the vulnerability and its exploitation
• Confirms vulnerability details, most especially the affected versions
Which vulnerabilities get this in-depth treatment?
• Customer requests
• Vulnerabilities for which further research is needed to accurately identify the details
• Vulnerabilities likely to affect a wide range of products
• Vulnerabilities with a high profile (media coverage)

TRI reports
What do they contain?
What a regular TRI report contains:
• Details of the vulnerability
• Common scenarios
• Reproduction environment
• Proof-of-concept and findings
• Confirmation of fixed versions of the affected
component
• Confirmation of vulnerable versions
• Mitigation methods
• Detection: IoC, IoA
• Collection of relevant data

Apache Struts CVE-2018-11776
TRI report results
Apache Struts Security Advisory before 24 Sept. 2018
BDSR research results:
23 new vulnerable versions discovered
New affected version ranges:
Struts 2.0.4–2.3.34

Apache Struts due diligence research
Component validation and vulnerability verification
Scope
• 57 Apache Struts Security Advisories
• Representing 64 individual vulnerabilities
• Across 115 versions of Apache Struts 2
Research
• Vulnerabilities verified across 115 versions of Apache Struts 2
• Remote code execution vulns confirmed
• Denial-of-service vulns qualified
• Identification of false positives and false negatives
Findings
• 61 additional unique vulnerable Struts versions
• 24 official Apache advisories with incorrect vulnerable version ranges

So to summarise…

Issues we are addressing
Reasons to rave about BDSAs
• Incomplete data: consumers need to be informed and armed with the knowledge they
need to make accurate data-driven decisions when addressing vulnerabilities
• Inconsistent scoring, lack of temporal considerations
• Uncertainties, ambiguities, and obfuscation through low-quality reporting
• Expensive vulnerability investigation
• Slowness in reporting
• Irrelevant information: no targeted customer-centric focus
• Lack of diligence, governance, truth-finding
• Lack of engagement

Tangible benefits to our customers
Reasons to rave about BDSAs
• Quality and consistency
• Completeness: research thoroughness = more relevant actionable content than other
feeds
• Accuracy: time taken to ensure information is correct and independently checked
• Speed: as fast as any, faster than most
• Individually penned by a vulnerability analyst: no copy-paste, no corners cut
• Customer-centric research prioritisation
• Precision approach to vulnerability coverage

Webinar–Delivering a Next Generation Vulnerability Feed

More Related Content

What's hot (18)

Similar to Webinar–Delivering a Next Generation Vulnerability Feed (20)

More from Synopsys Software Integrity Group (11)

Recently uploaded (20)

Webinar–Delivering a Next Generation Vulnerability Feed