Security Vulnerabilities in Third Party Code - Fix All the Things!
Transcript of Security Vulnerabilities in Third Party Code - Fix All the Things!
![Page 1: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/1.jpg)
Security Vulnerabilities in Third Party Code: FIX ALL THE THINGS!
KYMBERLEE PRICE, BUGCROWD
![Page 2: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/2.jpg)
whoami?
Senior Director of a Red Team
PSIRT Case Manager
Data Analyst
Internet Crime Investigator
Security Evangelist
Behavioral Psychologist
Lawful Good
@kym_possible
![Page 3: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/3.jpg)
Agenda
Quick overview of problem space
A deeper look at 7 specific libraries
Library Management SDL Recommendations
Case study
![Page 6: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/6.jpg)
Development Realities
Can only pick two!
![Page 7: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/7.jpg)
security
Hint!
![Page 8: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/8.jpg)
Where the Vulns Are
“Third-party programs are responsible for 76% of the vulnerabilities discovered in the 50 most popular programs in 2013, say the results of Secunia's Vulnerability Review 2014”
http://www.net-security.org/secworld.php?id=16448
When reviewing this report, you find that it is flawed: it does not refer to 3rd party libraries but to third party software, i.e. non-Microsoft programs.
![Page 9: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/9.jpg)
Vulnerabilities by Type
Source: VulnDB, July 14, 2015
![Page 13: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/13.jpg)
Logjam
![Page 14: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/14.jpg)
bashHOLE?
![Page 15: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/15.jpg)
Shell Shock.. meh
BashBleed
![Page 16: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/16.jpg)
![Page 17: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/17.jpg)
2013-01-12 – GNU C Library Function Heap Buffer Overflow (GHOST)
2005-06-08 – Microsoft IE Script Code Obfuscation (Ghost)
![Page 19: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/19.jpg)
Let's Play Another Game!
How many vulnerabilities do you think there have been in OpenSSL since Heartbleed? (please don't use the Secunia counting method!)
![Page 20: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/20.jpg)
| ID | Disc Date | CVSS | Title |
|---|---|---|---|
| 124300 | 7/9/2015 | 4 | OpenSSL crypto/x509/x509_vfy.c X509_verify_cert() Function Alternative Certificate Chain Handling Certificate Validation Bypass |
| 123176 | 6/11/2015 | 10 | OpenSSL DTLS Application Data Buffering Invalid Free Remote Memory Corruption |
| 123175 | 6/11/2015 | 7.8 | OpenSSL signedData Message Unknown Hash Function Processing Infinite Loop Remote DoS |
| 123174 | 6/11/2015 | 7.8 | OpenSSL crypto/pkcs7/pk7_doit.c PKCS7_dataDecode() Function ASN.1-encoded PKCS#7 Blob Handling NULL Pointer Dereference Remote DoS |
| 123173 | 6/11/2015 | 8.5 | OpenSSL crypto/x509/x509_vfy.c X509_cmp_time() Function ASN1_TIME String Handling Out-of-bounds Read Issue |
| 123172 | 6/11/2015 | 7.8 | OpenSSL crypto/bn/bn_gf2m.c BN_GF2m_mod_inv() Function ECParameters Structure Binary Polynomial Field Parsing Infinite Loop Remote DoS |
| 122875 | 6/2/2015 | 10 | OpenSSL NewSessionTicket Ticket Re-use Double-free Remote Unspecified Issue |
| 122733 | 5/26/2015 | 7.8 | OpenSSL crypto/bn/random.c BN_rand() Function Off-by-one Buffer Overflow DoS |
| 122331 | 5/19/2015 | 4 | Transport Layer Security (TLS) Protocol DHE_EXPORT Ciphers Downgrade MitM (Logjam) |
| 122984 | 5/19/2015 | 7.5 | OpenSSL crypto/bn/bn_print.c BN_bn2hex() Function Off-by-one Buffer Overflow Weakness |
| 119692 | 3/18/2015 | 7.8 | OpenSSL Invalid Signature Algorithms Extension Renegotiation NULL Pointer Dereference Remote DoS |
| 119760 | 3/16/2015 | 7.1 | OpenSSL ssl/d1_lib.c dtls1_listen() Function SSL Object State Preservation DoS |
| 119757 | 3/16/2015 | 7.8 | OpenSSL SSLv2 CLIENT-MASTER-KEY Message Handling Assertion Remote DoS |
| 119758 | 3/16/2015 | 7.1 | OpenSSL ssl/s3_pkt.c ssl3_write_bytes() Function Multiblock Implementation DoS |
| 119614 | 3/16/2015 | 7.8 | OpenSSL Client Authentication DHE Ciphersuite Zero-length ClientKeyExchange Message Handling Remote DoS |
| 119756 | 3/16/2015 | 7.1 | OpenSSL PKCS#7 Missing Outer ContentInfo Handling NULL Pointer Dereference DoS |
| 119759 | 3/16/2015 | 7.1 | OpenSSL crypto/rsa/rsa_ameth.c rsa_item_verify() Function Invalid PSS Parameters Handling NULL Pointer Dereference DoS |
| 119755 | 3/16/2015 | 9.3 | OpenSSL crypto/asn1/tasn_dec.c ASN1_item_ex_d2i() Function ASN.1 Structure Reuse Memory Corruption |
| 119761 | 3/16/2015 | 7.1 | OpenSSL crypto/asn1/a_type.c ASN1_TYPE_cmp() Function Invalid Read DoS |
| 119673 | 3/10/2015 | 2.6 | OpenSSL s3_clnt.c ssl3_client_hello() Function Unseeded PRNG Handshake Completion Predictable Output |
| 120058 | 3/3/2015 | 2.6 | OpenSSL Malformed TLS Handshake False Start Data Remote MitM Disclosure Weakness |
| 119328 | 3/2/2015 | 5.4 | OpenSSL crypto/x509/x509_req.c X509_to_X509_REQ() Function Public Key Handling NULL Pointer Dereference DoS |
| 118817 | 2/25/2015 | 10 | OpenSSL crypto/ec/ec_asn1.c d2i_ECPrivateKey() Function Error Handling Use-after-free DoS |
| 117855 | 1/19/2015 | 2.6 | Secure Sockets Layer Version 3 (SSLv3) / Transport Layer Security (TLS) Protocols RC4 Cipher Key Invariance Weakness MitM Plaintext Disclosure (BAR-MITZVAH) |
| 116791 | 1/8/2015 | 7.8 | OpenSSL dtls1_buffer_record() Function DTLS Record Saturation Handling Memory Leak Remote DoS |
| 116793 | 1/8/2015 | 7.8 | OpenSSL dtls1_get_record DTLS Message Handling NULL Pointer Dereference Remote DoS |
| 116790 | 1/8/2015 | 5.1 | OpenSSL TLS DH Certificate Missing Certificate Verify Message Handling MitM Spoofing (SKIP-TLS) |
| 116796 | 1/8/2015 | 5.1 | OpenSSL Bignum Squaring Incorrect Result Weakness |
| 116794 | 1/6/2015 | 4 | OpenSSL RSA Temporary Key Handling EXPORT_RSA Ciphers Downgrade MitM (FREAK) |
| 116792 | 1/5/2015 | 4.3 | OpenSSL Signature Algorithm / Signature Encoding Modification Certificate Fingerprint Manipulation Weakness |
| 116795 | 1/5/2015 | 5 | OpenSSL Missing Server Key Exchange Message Handling ECDH Ciphersuite Downgrade Issue |
| 116423 | 10/16/2014 | 7.8 | OpenSSL s23_srvr.c ssl23_get_client_hello() Function SSLv3 Handshake Handling NULL Pointer Dereference Remote DoS |
| 113377 | 10/15/2014 | 5 | OpenSSL no-ssl3 Build Option SSL 3.0 Handshake Handling Weakness |
| 113373 | 10/14/2014 | 7.8 | OpenSSL DTLS SRTP Extension Parsing Code Handshake Message Handling Memory Leak Remote DoS |
| 113374 | 10/14/2014 | 7.8 | OpenSSL SSL/TLS/DTLS Server Failed Session Ticket Verification Handling Memory Leak Remote DoS |
| 113251 | 10/13/2014 | 2.6 | SSL 3.0 Protocol CBC-mode Ciphers Fallback MitM Remote Cleartext Information Disclosure (POODLE) |
| 109892 | 8/6/2014 | 7.8 | OpenSSL DTLS Handshake Messages Processing Memory Consumption Remote DoS |
| 109893 | 8/6/2014 | 7.8 | OpenSSL DTLS Packet Handling Double-free Remote DoS |
| 109894 | 8/6/2014 | 5 | OpenSSL OBJ_obj2txt Multiple Pretty Printing Functions Pretty Printing Output Remote Information Disclosure |
| 109898 | 8/6/2014 | 7.1 | OpenSSL SRP Ciphersuite NULL Pointer Dereference Remote DoS |
| 109891 | 8/6/2014 | 7.8 | OpenSSL Crafted DTLS Packet Handling Memory Leak Remote DoS |
| 109897 | 8/6/2014 | 10 | OpenSSL SRP Protocol Code Multiple Parameter Remote Buffer Overflow |
| 109896 | 8/6/2014 | 2.6 | OpenSSL SSL/TLS Server Code ClientHello Message Fragmentation Forced TLS Downgrade Weakness |
| 109902 | 8/6/2014 | 9.3 | OpenSSL ssl_parse_serverhello_tlsext Resumed Session EC Point Format Extension Handling Race Condition Use-after-free Issue |
| 109895 | 8/6/2014 | 7.8 | OpenSSL Anonymous (EC)DH Ciphersuite Crafted Handshake Messages NULL Pointer Dereference Remote DoS |
| 107731 | 6/4/2014 | 7.8 | OpenSSL TLS Client Anonymous ECDH Ciphersuite Unspecified Remote DoS |
| 107730 | 6/4/2014 | 10 | OpenSSL Invalid DTLS Fragment Handling Remote Buffer Overflow |
| 107732 | 6/4/2014 | 7.8 | OpenSSL ssl/d1_both.c dtls1_get_message_fragment() Function Invalid DTLS Handshake Handling Remote DoS |
| 107729 | 6/3/2014 | 4 | OpenSSL Crafted Handshake Weak Keying Material Rollback MitM Weakness |
| 119743 | 5/6/2014 | 9.3 | OpenSSL crypto/evp/encode.c EVP_DecodeUpdate() Function Base64 Decoding Integer Underflow |
| 106531 | 4/30/2014 | 7.8 | OpenSSL / LibReSSL ssl/s3_pkt.c do_ssl3_write() Function NULL Pointer Dereference Remote DoS |
| 105763 | 4/11/2014 | 4 | OpenSSL ssl/s3_pkt.c ssl3_read_bytes() Function Use-after-free Remote Content Injection |
| 105465 | 4/7/2014 | 5 | OpenSSL TLS Heartbeat Extension Packets Handling Out-of-bounds Read Remote Memory Disclosure (Heartbleed) |
47 New Vulns
10 CVSSv2 Score Max
Average CVSS 5.23
10 Had Public Exploit or PoC
14 Had Private Exploit
![Page 21: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/21.jpg)
Let's Talk Data
![Page 22: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/22.jpg)
Putting Data to Use (without being a data scientist)
Vulnerability data
Spreadsheet software
Probably a browser
![Page 23: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/23.jpg)
DATA CAVEAT
Data from public sources is limited
FFMPEG: CVE Details vs. VulnDB
CVE Details: 191
VulnDB: 1,000+
“Fixes the following vulnerabilities [CVE LIST] …and more security issues that have no CVE number. Many of these issues can be exploited when a remote file is played back and a few are probable arbitrary code execution vulnerabilities.”
![Page 24: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/24.jpg)
Vuln Spread:
…And multiple products by HP, Oracle (including Java), F-Secure, IBM, MySQL, Novell, OpenBSD, Intel, Juniper, Rapid7, nginx, Huawei, Trend Micro, Linux, Tableau, McAfee, F5, Cisco, Fortinet, Sophos, Python, Citrix, SUSE, Ubuntu, Debian, FreeBSD, RedHat…
![Page 25: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/25.jpg)
Vuln Spread:
And also… OSX, Webkit, Firefox, OpenJDK, OpenOffice, StarOffice, Ubuntu, Gentoo, Oracle Solaris, SUSE, Slackware, BlackBerry products, Fedora, RedHat, Debian, Avaya products, PlayStation 3/4/Vita, Opera for Wii, multiple video games…
![Page 26: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/26.jpg)
Vuln Spread:
Visio, PowerPoint, Adobe Photoshop/Flash/Illustrator, Webkit, iOS, OSX, Android, GIMP, Fedora, Debian, Ubuntu, Slackware, Red Hat, SUSE, Gentoo, Oracle Solaris, VMWare Server, and countless applications.
![Page 27: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/27.jpg)
Vuln Spread:
Tivoli, Fedora, HP-UX, Ubuntu, NetIQ, Attachmate…
![Page 28: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/28.jpg)
Vuln Spread:
Linux, Opera, Konqueror, HP, Sony & Logitech Google TVs…
![Page 29: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/29.jpg)
Vuln Spread:
![Page 30: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/30.jpg)
The Numbers: Jan 2007-July 2015
Library names appear only in the slide image; each row is one library.

| Library | Vuln Count | Vulns Per Year | Releases Per Year | Average CVSS | 2015 Vulns | % total |
|---|---|---|---|---|---|---|
| | 90 | 10-11 | 3 | 5.49 | 29 | 32.2% |
| | 50 | 6 | 2 | 7.43 | 0 | 0% |
| | 28 | 3 | 2-3 | 6.65 | 0 | 0% |
| | 100 | 12 | 5 | 4.72 | 4 | 4% |
| | 522 | 80 | 11 | 8.96 | 135 | 25.9% |
| | 539 | 98 | 4 | 7.07* | 58 | 10.7% |

*2010-to present
*2009-to present
![Page 32: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/32.jpg)
Efficiency At What Cost?
Not just one library impacting many organizations
A single application may have as many as 100 different third party libraries implemented.
That is a whole lot of patching to keep up on for both devs and customers.
![Page 33: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/33.jpg)
DEBATE
What should you measure library quality on?
Count of vulnerabilities
Frequency of update releases
Average severity of vulns (CVSS or other)
Existence of POC or Exploit
Yes!
![Page 34: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/34.jpg)
Takeaways
![Page 37: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/37.jpg)
Code Quality
Open source is secure because everyone can review it - more eyes makes all bugs shallow.
Everyone *could* look at it, but they don't.
Accountability for quality is deferred.
![Page 38: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/38.jpg)
Code Quality
That means closed source is more secure because no one can review it and it is supported by big enterprises, right?
Bad code is just that, bad code. Bad code exists in Closed Source software as well.
![Page 40: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/40.jpg)
Vulnerability Management
Vulnerability management is the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities", especially in software and firmware. Vulnerability management is integral to computer security and network security.
Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, such as open ports, insecure software configuration, and susceptibility to malware. Unknown vulnerabilities, such as a zero-day attack may be found with fuzz testing, which can identify certain kinds of vulnerabilities, such as a buffer overflow exploit with relevant test cases. Such analyses can be facilitated by test automation. In addition, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file).
Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), or educating users about social engineering.
https://en.wikipedia.org/wiki/Vulnerability_management
![Page 42: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/42.jpg)
So Vuln Mgmt is A NetSec Issue!
![Page 43: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/43.jpg)
Cost to Fix Vulnerabilities
The National Institute of Standards and Technology (NIST) estimates that code fixes performed after release can result in 25+ times the cost of fixes performed during the design phase.
tl;dr: Pay me now or pay me later… with interest.
![Page 44: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/44.jpg)
THE GOAL OF VULNERABILITY MANAGEMENT
"Fix vulnerabilities as early as is practical, resulting in fewer vulnerabilities to patch at the most expensive time - late in the development cycle."
![Page 45: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/45.jpg)
Easy, right?
Security versus…
Performance
Usability
Functionality
Development cost & time
![Page 46: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/46.jpg)
Secure Development Lifecycle
Training → Requirements → Design → Implementation → Verification → Release → Response
Vulnerabilities introduced
Vulnerabilities identified
Vulnerabilities identified
OSS Vulnerabilities identified
![Page 47: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/47.jpg)
Vulnerability Management Process
1 Identify Issue → 2 Assess Impact → 3 Dev & Test Fix → 4 Deploy Fix → 5 Post Release
Patch Tuesday!
![Page 48: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/48.jpg)
Incident Response
So you're a software vendor…
1 Identify Issue → 2 Assess Impact → 3 Dev & Test Fix → 4 Public Release w/ CVE → 5 Post Release

Enterprise admin? Your patch lifecycle starts HERE:
1 Identify Issue → 2 Assess Impact → 3 Dev & Test Fix → 4 Release → 5 Post Release

But wait! The vulnerability was in a third party library!
![Page 49: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/49.jpg)
Identify Issues
Internal Security Research Team, Consultants – pre-release vuln assessments
External Security Researchers – post release incident response, bug bounties
Third Party Libraries/OSS Disclosures – both pre and post release
Automated Tools & Analysis
Crash log analysis
Lots of vulnerabilities to manage
Vulnerability Management: 1 Identify Issue
![Page 50: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/50.jpg)
Assess Impact: Prioritization Matters
You have 150 vulnerabilities open with CVSS 7.5+. Your inbound new vulnerabilities average 15 dev tasks per week, from both internal and external sources. What do you fix first?
Highest CVSS Score?
FIFO?
LIFO?
Externally known issues?
Issues with Exploit Presence in Metasploit?
Intelligent prioritization reduces risk
2 Assess Impact
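The slide lists the candidate orderings (highest CVSS, FIFO, externally known, exploit in Metasploit) without picking one. The block below is an added example, not code from the talk, that combines those signals into one risk score and shows how the resulting queue differs from a plain "highest CVSS first" sort. The weights, the field names and the four backlog records are constructed for illustration; a real programme would tune the weights against its own incident history.

```python
"""Risk-based ranking of an open vulnerability backlog.

Added illustration, not code from the talk. Weights and sample records are
constructed; tune the weights against your own incident history.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Vuln:
    vuln_id: str
    cvss: float                   # CVSSv2 base score, 0-10
    disclosed: date               # when the issue entered the backlog
    externally_known: bool        # public advisory or outside researcher report
    exploit: str = "none"         # "none", "private", "public" or "metasploit"
    third_party_lib: Optional[str] = None   # library name if not our own code
    internet_facing: bool = False


# Exploit maturity adds more urgency than a single CVSS point does.
EXPLOIT_WEIGHT = {"none": 0.0, "private": 1.5, "public": 3.0, "metasploit": 4.0}


def priority(v: Vuln, today: date) -> float:
    """Higher means fix sooner. CVSS is the base; exploit maturity, public
    knowledge, exposure, third-party origin and backlog age push it up."""
    score = v.cvss + EXPLOIT_WEIGHT[v.exploit]
    if v.externally_known:
        score += 2.0
    if v.internet_facing:
        score += 1.5
    if v.third_party_lib:
        # The upstream fix is public, so the bug is effectively disclosed
        # even if nobody has reported it against our product.
        score += 1.0
    # Every 30 days in the backlog adds 0.5, capped at 3.0, so old items surface.
    age_days = (today - v.disclosed).days
    score += min(age_days / 30 * 0.5, 3.0)
    return round(score, 2)


def rank(vulns: List[Vuln], today: date) -> List[str]:
    """IDs ordered by risk-based priority, most urgent first."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: priority(v, today), reverse=True)]


def rank_by_cvss(vulns: List[Vuln]) -> List[str]:
    """The naive 'highest CVSS first' ordering, for comparison."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


# Constructed backlog: four open items as of 14 July 2015.
TODAY = date(2015, 7, 14)
BACKLOG = [
    Vuln("V-1", 9.3, date(2015, 7, 9), externally_known=False),
    Vuln("V-2", 7.5, date(2015, 5, 15), externally_known=True, exploit="metasploit",
         third_party_lib="openssl", internet_facing=True),
    Vuln("V-3", 10.0, date(2015, 7, 4), externally_known=False, exploit="private"),
    Vuln("V-4", 5.0, date(2015, 3, 16), externally_known=True, exploit="public",
         third_party_lib="libexample", internet_facing=True),
]

if __name__ == "__main__":
    print("by CVSS:", rank_by_cvss(BACKLOG))   # V-3, V-1, V-2, V-4
    print("by risk: ", rank(BACKLOG, TODAY))   # V-2, V-4, V-3, V-1
```

With these inputs the CVSS-only queue starts with two internal, unexploited bugs, while the risk-based queue puts the internet-facing OpenSSL item with a Metasploit module first and the 120-day-old publicly exploited CVSS 5.0 second. The point is not the particular weights but that exploit presence, exposure and age move items that a severity sort alone would bury.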
![Page 52: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/52.jpg)
Dev & Test Fix
“Just ship it, we can patch that later” is not cost effective, but becomes more likely the closer you get to release dates
Vulnerabilities are inevitable. Choose those that you fix pre-release and those you postpone to post-release carefully.
Don’t put off fixing the complicated vulnerabilities – they won’t get easier once the product is in customer hands
Sustainment planning is not just for post-release – you will have to patch vulnerabilities in perfectly functional code before RTM
3 Dev & Test Fix
Now let's go write some ^secure code!
![Page 53: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/53.jpg)
Vulnerability Management in SDL
Requirements → Design → Implementation → Verification
Define guiding Security principles
Define prioritization model and sustainment plan
Design for security and reduce attack surface
Evaluate vuln trends in libraries as part of selection criteria
Automated static analysis tools
Deprecate unsafe functions
Code scanning tools to monitor all third party libraries – know what you use and where
Automated static and dynamic analysis tools, fuzzing
Manual pen testing & attack surface review
Update 3rd party libraries regularly
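Two of the SDL items above ("evaluate vuln trends in libraries as part of selection criteria" and "know what you use and where") and the per-library columns of the earlier "The Numbers" table come down to the same two pieces of data: an inventory of which component ships which library version, and a disclosure feed for those libraries. The block below is an added example, not code from the talk or from any scanning product; the manifest, the VulnDB-style feed, the library names and the version scheme are all constructed. It flags shipped versions older than the fixing release and computes vuln count, vulns per year, average CVSS and the current-year share per library (release cadence is omitted because it needs the project's release history, not the vuln feed).

```python
"""Third-party library inventory check and per-library vulnerability metrics.

Added example, not code from the talk or from any tool it mentions. The
manifest and the VulnDB-style feed below are constructed for illustration.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Tuple


class Advisory(NamedTuple):
    vuln_id: str
    library: str
    fixed_in: str      # first version that contains the fix
    disclosed: date
    cvss: float


# Constructed inventory: which component ships which library at which version.
INVENTORY: List[Tuple[str, str, str]] = [
    ("web-frontend", "libfoo", "1.2.0"),
    ("api-server", "libfoo", "1.1.3"),
    ("api-server", "libbar", "4.0.1"),
    ("installer", "libbaz", "0.9.0"),
]

# Constructed feed, in the shape a VulnDB-style export gives you.
FEED: List[Advisory] = [
    Advisory("F-1", "libfoo", "1.2.0", date(2015, 3, 16), 7.8),
    Advisory("F-2", "libfoo", "1.1.0", date(2014, 4, 7), 5.0),
    Advisory("F-3", "libfoo", "1.2.1", date(2015, 6, 11), 10.0),
    Advisory("F-4", "libbar", "4.0.0", date(2013, 1, 1), 4.3),
    Advisory("F-5", "libbaz", "1.0.0", date(2015, 7, 9), 9.3),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10); numeric dotted versions only (assumption)."""
    return tuple(int(p) for p in v.split("."))


def affected(inventory, feed) -> List[Tuple[str, str, str, str]]:
    """(component, library, version, vuln_id) for every shipped library
    that is older than the release carrying the fix."""
    hits = []
    for component, lib, ver in inventory:
        for adv in feed:
            if adv.library == lib and parse_version(ver) < parse_version(adv.fixed_in):
                hits.append((component, lib, ver, adv.vuln_id))
    return hits


def library_metrics(feed, years: float, focus_year: int) -> Dict[str, Dict[str, float]]:
    """Per library: total count, rate per year over the window, mean CVSS,
    and how much of its history fell in focus_year (the talk's table columns)."""
    by_lib = defaultdict(list)
    for adv in feed:
        by_lib[adv.library].append(adv)
    out = {}
    for lib, advs in by_lib.items():
        in_focus = [a for a in advs if a.disclosed.year == focus_year]
        out[lib] = {
            "vulns": len(advs),
            "per_year": round(len(advs) / years, 2),
            "avg_cvss": round(sum(a.cvss for a in advs) / len(advs), 2),
            "focus_year_vulns": len(in_focus),
            "focus_year_pct": round(100 * len(in_focus) / len(advs), 1),
        }
    return out


if __name__ == "__main__":
    for hit in affected(INVENTORY, FEED):
        print("UPDATE", hit)
    # 8.5 years is the Jan 2007 - July 2015 window used in the talk's table.
    for lib, m in library_metrics(FEED, years=8.5, focus_year=2015).items():
        print(lib, m)
```

The inventory side is the part most teams lack: the same library appears twice at different versions, and the older api-server copy is hit by two advisories while the web-frontend copy is hit by one. Real version schemes (suffixes, epochs, vendor backports that fix a bug without bumping the version) need a proper comparator and distribution-specific data, which this toy parser does not attempt.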
![Page 54: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/54.jpg)
Be Prepared
Analysis of vulnerability trends to predict future workload
How many vulnerabilities are identified per month? What are their sources?
What are the vulnerability types? Is dev training indicated?
How quickly is your vulnerability backlog growing (or shrinking)?
What is your average Time To Fix?
What early monitoring processes can you put in place to minimize surprises?
Can you identify low friction areas to diminish risk?
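The questions above are answerable from the ticket tracker alone. The block below is an added example, not code from the talk, that takes a handful of constructed ticket records (id, opened, closed, source, type) and computes the figures the slide asks for: new vulns per month, breakdown by source and by type, average time to fix, and the open backlog at each month end so you can see whether it is growing. The field names and the records are assumptions for illustration.

```python
"""Backlog trend metrics for planning vulnerability-management workload.

Added example, not code from the talk; the ticket records are constructed.
"""
import calendar
from collections import Counter
from datetime import date
from typing import Dict, List, NamedTuple, Optional, Tuple


class Ticket(NamedTuple):
    ticket_id: str
    opened: date
    closed: Optional[date]   # None while still open
    source: str              # "internal", "external" or "third_party"
    vuln_type: str


# Constructed tracker export covering April to June 2015.
TICKETS: List[Ticket] = [
    Ticket("T-1", date(2015, 4, 3), date(2015, 4, 20), "internal", "buffer-overflow"),
    Ticket("T-2", date(2015, 4, 10), date(2015, 5, 15), "external", "xss"),
    Ticket("T-3", date(2015, 4, 22), None, "third_party", "memory-corruption"),
    Ticket("T-4", date(2015, 5, 5), date(2015, 5, 12), "third_party", "dos"),
    Ticket("T-5", date(2015, 5, 18), None, "external", "xss"),
    Ticket("T-6", date(2015, 6, 2), date(2015, 6, 30), "internal", "xss"),
    Ticket("T-7", date(2015, 6, 9), None, "third_party", "null-deref"),
    Ticket("T-8", date(2015, 6, 25), None, "external", "sqli"),
]


def identified_per_month(tickets) -> Dict[str, int]:
    """How many new vulnerabilities entered the backlog each month."""
    return dict(sorted(Counter(t.opened.strftime("%Y-%m") for t in tickets).items()))


def count_by(tickets, field: str) -> Dict[str, int]:
    """Breakdown by 'source' or 'vuln_type', most common first.
    A single dominant type is the signal that dev training is indicated."""
    return dict(Counter(getattr(t, field) for t in tickets).most_common())


def average_time_to_fix(tickets) -> float:
    """Mean days from open to close, over closed tickets only."""
    closed = [(t.closed - t.opened).days for t in tickets if t.closed]
    return round(sum(closed) / len(closed), 2) if closed else 0.0


def backlog_at(tickets, day: date) -> int:
    """Open tickets at the end of `day`: opened on or before, not yet closed."""
    return sum(1 for t in tickets if t.opened <= day and (t.closed is None or t.closed > day))


def backlog_trend(tickets, months: List[Tuple[int, int]]) -> List[int]:
    """Backlog size at the last day of each (year, month); a rising series
    means inbound volume is outrunning fix capacity."""
    return [backlog_at(tickets, date(y, m, calendar.monthrange(y, m)[1])) for y, m in months]


if __name__ == "__main__":
    print("per month:", identified_per_month(TICKETS))
    print("by source:", count_by(TICKETS, "source"))
    print("by type:  ", count_by(TICKETS, "vuln_type"))
    print("avg TTF:  ", average_time_to_fix(TICKETS), "days")
    print("backlog:  ", backlog_trend(TICKETS, [(2015, 4), (2015, 5), (2015, 6)]))
```

On this sample the backlog goes 2, 2, 4 while average time to fix is about three weeks, and three of eight items are XSS: the numbers that tell you whether to hire, train, or push a library vendor, which is what "be prepared" means in practice.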
![Page 55: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/55.jpg)
Network Admins
Ask potential software vendors about their SDL program and vulnerability trends
Monitor the third party libraries being used in software you deploy and press vendors for security fixes
Make it clear security is a priority
![Page 56: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/56.jpg)
Case Study
![Page 57: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/57.jpg)
Strong security team in rapidly growing enterprise software company
Attended my OSS talk with Jake Kouns at BlackHat 2014 Requested a copy of our slides for internal use
Shared both their own SIRT data and our data regarding security risk with Leadership
Case Study: VMWare
![Page 58: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/58.jpg)
Already had mature incident response monitoring of 3rd party libraries in released products
Adding proactive evaluation and rating/approval of third party libraries in development phase
Case Study: VMWare
![Page 59: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/59.jpg)
Evaluated and implemented code scanning tool for finding third party libraries in products
MOOSECON internal security conference session on 3rd party library vulnerabilities
Case Study: VMWare
![Page 60: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/60.jpg)
Active testing of third party and OSS libraries along with native code in products
Partnering with dev teams to create proactive plans for routine patching cadence as part of dev lifecycle
Case Study: VMWare
![Page 61: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/61.jpg)
Thanks
JAKE KOUNS, RISK BASED SECURITY
![Page 62: Security Vulnerabilities in Third Party Code - Fix All the Things!](https://reader035.fdocuments.us/reader035/viewer/2022062523/58f01c051a28ab2b118b45c3/html5/thumbnails/62.jpg)
Discussion
Kymberlee Price, Senior Director of Researcher Operations, Bugcrowd
@kym_possible