Understanding the Importance of OWASP Dependency-Check Project

Slide Note
Embed
Share

Explore the significance of OWASP Dependency-Check in managing software dependencies and mitigating known vulnerabilities in applications. Learn about the risks associated with using components with vulnerabilities and the challenges of patching programs. Discover how OWASP Dependency-Check provides a solution for software composition analysis and aids in addressing security concerns. Delve into the proactive measures application teams can take to enhance application security and reduce the impact of open-source vulnerabilities.

gwilk
gwilk Follow

Uploaded on Sep 24, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Depending on Vulnerable Libraries September 21st, 2016

  2. A bit about me Jeremy Long 15 years information security experience 10 years software development experience SAST enthusiast Contributor to the OWASP Java Encoder Project Lead developer/architect for OWASP dependency-check @ctxt / jeremy.long@owasp.org

  3. What are we going to talk about? Why should we care? Patching programs What application teams can do Deep dive into dependency-check Usage scenarios Governance

  4. Why should we care? CVE-2016-5000 - Apache POI Information Disclosure via External Entity Expansion (XXE) CVE-2016-4216 - Adobe XMP Toolkit for Java Information Disclosure via External Entity Expansion (XXE) CVE-2016-3081 - Remote code execution vulnerability in Apache Struts when dynamic method invocation is enabled CVE-2015-8103 - Remote code execution vulnerability in Jenkins remoting; related to the Apache commons-collections

  5. Black Duck - Open Source Security Analysis The State of Open Source Security in Commercial Applications https://info.blackducksoftware.com/rs/872-OLS- 526/images/OSSAReportFINAL.pdf 95% of applications include open source 67% of applications contained open source vulnerabilities Average age of open source vulnerability identified: 1,894 days

  6. OWASP Top 10 2013 Most critical web application risks A9 Using components with known vulnerabilities Prevalence: Widespread Detectability: Difficult Difficult for 4 reasons Awareness Visibility Lack of tooling in 2012/2013

  7. Patching Programs Generally do not cover application dependencies Lack of awareness of 3rd party or FOSS application dependencies Patching teams cannot push patches Patching application dependencies requires Possible code changes Full regression testing

  8. Enter OWASP dependency-check Project stated December 2011 (first published in 2012) Performs Software Composition Analysis Reports known vulnerabilities Easy solution to the OWASP 2013 Top 10 A9 Using components with known vulnerabilities Works as: Maven Plugin Gradle Plugin SBT Plugin Jenkins Plugin Ant Task Command Line

  9. Language/Technology Support Fully supported: Java & .NET Experimental Analyzers: CocoaPods Swift Package Manager Python PHP (composer) Node.js Ruby

  10. OWASP dependency-check HOW DOES IT WORK?

  11. Vulnerability Data Source National Vulnerability Database (NVD) https://nvd.nist.gov Contains a listing of Common Vulnerability and Exposures (CVE) Each CVE entry contains A description of the vulnerability or exposure A Common Vulnerability Scoring System (CVSS) score A list of the affected platforms identified by their Common Platform Enumeration (CPE)

  12. Library Identification Reporting on known/published vulnerabilities requires the correct identification of the libraries used

  13. Library Identification Problems Development & Security use different identifiers Development (GAV coordinates): org.springframework:spring-core:3.2.0.RELEASE Security uses Common Platform Enumeration (CPE): cpe:/a:springsource:spring_framework:3.2.0 cpe:/a:pivotal:spring_framework:3.2.0 cpe:/a:pivotal_software:spring_framework:3.2.0 No publicly available database exists to map between the two

  14. Evidence Based Identification Evidence is extracted from dependencies File name, manifest, POM, package names, etc. Evidence is grouped into Vendor, Product, and Version collections Local copy of the NVD CVE is maintained Lucene Index of the CPE information is created Evidence collected is used to search the index and identify the library by CPE

  15. Evidence Based Identification Issues False Positives Evidence extracted may cause incorrect identification False Negatives If key elements are not included in the dependency (e.g. jar, dll) the library will not be identified and may result in un-reported risk

  16. Dealing with False Positives Invalid dependency identification can be resolved using a suppression file: <suppress> <notes><![CDATA[ This suppresses false positives identified on spring security. ]]></notes> <gav regex="true">org\.springframework\.security:spring.*</gav> <cpe>cpe:/a:mod_security:mod_security</cpe> <cpe>cpe:/a:springsource:spring_framework</cpe> <cpe>cpe:/a:vmware:springsource_spring_framework</cpe> </suppress>

  17. OWASP dependency-check USING DEPENDENCY-CHECK

  18. Onboarding an Application Basic steps Configure plugin Proxy configuration Run initial scan Create and configure a suppression file (if needed) Plan the upgrade for identified vulnerable components

  19. OWASP dependency-check DEMO

  20. Use Cases for dependency-check Prove the existence of the problem Baseline test when conducting POCs with commercial solutions OWASP dependency-check is used as the primary tool to identify known vulnerable components

  21. Enterprise Deployments Use a centralized database to maintain the local copy of the NVD Single instance of dependency-check used to update Scanning instances do not need to update Use an internal Nexus instead of Maven Central Run dependency-check within their CI Continuous monitoring/reporting using OWASP dependency- check sonar plugin, OWASP dependency-track, or ThreadFix

  22. Vulnerable Dependencies as Code Quality Fail a build if known vulnerabilities are detected Jenkins, gradle, maven, ant plugins Put security into your code quality metrics OWASP dependency-check sonar plugin

  23. Governance Known vulnerable dependencies are only one part of the software composition problem Organizations should: Control what dependencies are allowed Cleared by architecture, legal, and security reviews Must be easy/quick to engage the governance process

  24. OWASP dependency-check QUESTIONS?

  25. More Information OWASP dependency-check http://jeremylong.github.io/DependencyCheck/ OWASP dependency-track https://github.com/stevespringett/dependency-track OWASP dependency-check-sonar-plugin https://github.com/stevespringett/dependency-check-sonar-plugin

  26. More Information Related Projects Ruby Bundler-Audit Retire.js Node Security Project

Related


Exploring OWASP: A Comprehensive Look at Application Security and Tools

Exploring OWASP: A Comprehensive Look at Application Security and Tools

kaiya
OWASP Bricks - Web Application Security Learning Platform

OWASP Bricks - Web Application Security Learning Platform

aleia
Modern Threat Modeling & Cloud Systems in OWASP Sacramento

Modern Threat Modeling & Cloud Systems in OWASP Sacramento

maven
Leveraging Artifact Dependency Graphs for Software Vulnerability Detection

Leveraging Artifact Dependency Graphs for Software Vulnerability Detection

eithne
Understanding Autonomy and Dependency in Aging

Understanding Autonomy and Dependency in Aging

oli_tee
Specialist Mental Health Tobacco Dependency Services: Improving Access to Treatment

Specialist Mental Health Tobacco Dependency Services: Improving Access to Treatment

bowen
Behavior Education Program (BEP) / Check-In Check-Out (CICO) Overview

Behavior Education Program (BEP) / Check-In Check-Out (CICO) Overview

fmiq
Enhancing Delirium Management in Surgical High Dependency Patients 65 and Over

Enhancing Delirium Management in Surgical High Dependency Patients 65 and Over

dbote
Understanding Dependency Injection Principles in Software Development

Understanding Dependency Injection Principles in Software Development

julia
Understanding Chemical Dependency in Older Adults

Understanding Chemical Dependency in Older Adults

mack686
Accelerating the Mobile Web with Server-Aided Dependency Resolution

Accelerating the Mobile Web with Server-Aided Dependency Resolution

sou_eia
Understanding Historical Institutionalism in Comparative Policy Analysis

Understanding Historical Institutionalism in Comparative Policy Analysis

emmy
Understanding Vector Dependency and Independence

Understanding Vector Dependency and Independence

huyn_ar
Understanding Development Theories: Modernization and Dependency

Understanding Development Theories: Modernization and Dependency

ania_442
Child Welfare Services Overview

Child Welfare Services Overview

donovan
Alisha's Journey: Overcoming Co-Dependency, Trauma, and Self-Doubt

Alisha's Journey: Overcoming Co-Dependency, Trauma, and Self-Doubt

mitsuki
Neural Shift-Reduce Dependency Parsing in Natural Language Processing

Neural Shift-Reduce Dependency Parsing in Natural Language Processing

delyth
Advancements in Word Embeddings through Dependency-Based Techniques

Advancements in Word Embeddings through Dependency-Based Techniques

naha_7
Enhancing Collaboration for Tobacco Dependency Program Implementation in Dorset NHS

Enhancing Collaboration for Tobacco Dependency Program Implementation in Dorset NHS

erio
Enhanced Lexical Semantic Models for Question Answering - ACL 2013 Study

Enhanced Lexical Semantic Models for Question Answering - ACL 2013 Study

dgild
ELFT Tobacco Dependency Treatment Service Overview

ELFT Tobacco Dependency Treatment Service Overview

adal
Boeing Aircraft Sales Management System

Boeing Aircraft Sales Management System

righte
Comprehensive Guide to Check-In, Check-Out Universal Tier 2 Behavior Intervention for Teachers

Comprehensive Guide to Check-In, Check-Out Universal Tier 2 Behavior Intervention for Teachers

hafsah
Year 4 Multiplication Tables Check 2023 - Information for Parents and Carers

Year 4 Multiplication Tables Check 2023 - Information for Parents and Carers

eliana

More Related Content

Phonics Screening Check Overview for Year 2 Students
Phonics Screening Check Overview for Year 2 Students
Year 4 Multiplication Check Information
Year 4 Multiplication Check Information
Comprehensive Overview of Check-In/Check-Out Intervention for Behavioral Support in Schools
Comprehensive Overview of Check-In/Check-Out Intervention for Behavioral Support in Schools
Strategic Digital Initiative Presentation for ECONUM Project
Strategic Digital Initiative Presentation for ECONUM Project
Understanding Modern Phishing Techniques and Evilginx Framework
Understanding Modern Phishing Techniques and Evilginx Framework
Cybersecurity Challenges: Attacks on Web Applications and Cost of Security Breaches
Cybersecurity Challenges: Attacks on Web Applications and Cost of Security Breaches
Understanding DBS Checks: Process, Levels, and Eligibility
Understanding DBS Checks: Process, Levels, and Eligibility
Importance of Times Tables and the Multiplication Tables Check for Children
Importance of Times Tables and the Multiplication Tables Check for Children
Insights from TDL Open Source Project Meetings
Insights from TDL Open Source Project Meetings
Southampton Lung Health Check Programme Overview
Southampton Lung Health Check Programme Overview
Cross-platform C++ Development with CMake and vcpkg
Cross-platform C++ Development with CMake and vcpkg
Understanding the CICO Daily Cycle in School Interventions
Understanding the CICO Daily Cycle in School Interventions
Initiating and Planning Systems Development Projects
Initiating and Planning Systems Development Projects
HyTrEc2: Advancing Hydrogen Transport Economy in the North Sea Region
HyTrEc2: Advancing Hydrogen Transport Economy in the North Sea Region
Stakeholder Analysis in Project Management: Understanding and Influence
Stakeholder Analysis in Project Management: Understanding and Influence
Year 4 Multiplication Tables Check (MTC) 2022 Information
Year 4 Multiplication Tables Check (MTC) 2022 Information
Georgia Long-Term Care Background Check Program Overview
Georgia Long-Term Care Background Check Program Overview
Accounts Payable Procedures and Guidelines
Accounts Payable Procedures and Guidelines
Comprehensive Project Kickoff Presentation Template
Comprehensive Project Kickoff Presentation Template
Project Charter Template: A Comprehensive Guide for Effective Project Management
Project Charter Template: A Comprehensive Guide for Effective Project Management
Project Priority List Activity Update Summary
Project Priority List Activity Update Summary
Efficient Project and Site Organization for Improved Productivity
Efficient Project and Site Organization for Improved Productivity
Enhancing Yocto Project with Binary Package Feeds for Simplified Software Management
Enhancing Yocto Project with Binary Package Feeds for Simplified Software Management
Understanding Modern Project Management Fundamentals
Understanding Modern Project Management Fundamentals