application risk and components at app sec usa – ryan berg’s part


  • If couldn’t use OSS, you’d have no app or tools. It’s in many components. hhe question isn’t whether you are using it but whether you know.
  • Takes a long time to fix because need to wait for each person down the tree to fix/pull the fixed version.

Struts 2 vulnerabiity

  • FBI alert
  • “Really important” but to who?
  • At time of disclosure and shortly thereafter, not muh change. Not many downloads of new version right after announcement
  • Roughly 5% upgrade as soon as new version comes out

Stats from research

  • 90% of downloaded components from Maven Central in local repos
  • 71% of apps have have been deployed have critical to severe vulnerabilities

Every block has a # on it. If find manufacturing issue, can go back to machine that is causing problem so can fi it. Toyota works the same way. If there is a problem, want to know who is affeced. Supply chain management.

The right questions

  • How do you select components for your application. It shouldn’t be google. It shouldn’t be what your friends are using.
  • Is project still in active development?
  • How do developers know when they should upgrade

Need to ensure that is deployed is same jar as locally and in the build.

We are used to looking the other way

  • Have to in order to have apps on your phone. They can do anything
  • When download JavaScript, get full file and minized version. And you hope they are the same thing.
  • How likely is this to occur? We really want to release so justify mitigating factors and inflate them
  • My take
    My only gripe is that the talk started early. I could have been there early. But I wasn’t because over the first day and a half of conference, everything started on time. The actual talk was good. Ryan covered the importance of component selection and upgrading. And he was funny. Adding him to my mental list of great speakers. As with his earlier session with Jeff Williams, it wasn’t a Sonatype CLM ad.

    1 thought on “application risk and components at app sec usa – ryan berg’s part

    1. Pingback: Application Security USA 2013 – live blog index | Down Home Country Coding With Scott Selikoff and Jeanne Boyarsky

    Leave a Reply

    Your email address will not be published.