Speaker: Theresa Mammarella
For more, see the table of contents.
- Annual cost of cyber crime predicting to top 8 trillion. Only US and China have more than that as GDP
- Vulnerability – weakness/flaw in system
- Threat – attack vector, potential action
- Risk – probably frequency of that loss.
- Goal of cybersecurity is to minimize risk. Can’t control intent to do harm so focus on vunlerability
- CVE – Common Vulnerabilities and Exposures
- Format CVE-xxxx-yyyyy. xxxx = year came out. yyyy = identifier
- CVSS scoring – how bad is it on a scale of 0-10. Ten is worst
- CVSS score has three parts – basic (exploitability, impact), temporal, environmental. Good description here
- Basic is the one we see on the CVE
- CVE can be rejected. The number is used and cannot be reused. Example. Something thought found a vulnerability. Investigation was flawed and not an actual issue. Story about it here.
How to talk about
- Private disclosure – organization can choose when/whether to fix/share
- Coordinated/responsible disclosure – best practice – agreed upon time frame
- Full/public disclosure – share everything
- Best to report via company website, security.md file, security files on server, github private vulnerability reporting
Zero day vulnerability
- Either unknown to company or not yet fixed
- MOVEit file transfer issue for US government agencies
- In early 2010’s had about a month to patch before a lot of exploits. Now it can be as little as 15 minutes for bots to start seeking out vulnerable apps.
- log4jshell – remote code loading. Was reported responsibility but incomplete fix so zero days on those CVEs
- Could be as simple as a bounds check. For OpenSSL. Announced something big coming and get ready. When announced learned it only affected OpenSSL 3 (not 2) and high, not critical so boy who cried wolf situation.
Security Practices for Developers
- Insider threat includes poor training
- A lot more developers than info security. Increasingly harder for security teams to keep up.
- Cost of finding and fixing bugs increases over time
- Does this touch the internet? take untrusted input/ handle sensitive data?
- OWASP Top 10. Updated in 2021 to add insecure design, software/data integrity failures and server side request forgery (SSRF). Some merged such as injection.
- Starting OWASP Top 10 for Large Language Model Applications. A draft version is available
- mitre/hipcheck – scorecard for supply chain risk. Similarly, Sonatype security rating and OpenSSF Scorecard
- Open source dependency management. Embedded in many projects. 90% of app is open source on average. North Korea attacked many apps including Putty
- Typosquatting – look alike domain with one or two wrong characters
- Open source repo attackes – attempt to get maleware/weakness added into depednecy source
- Build tool attacks
- Dependency confusion – different version that shows up as latest
- Sometimes third party projects. ex: OpenSSF Scorecard
- NPM and PyPI often have supply chain attacks. Maven Central more so
- Scanning tools to find issues can be helpful
- You are responsible when things go wrong
Good talk. Covered concepts and good real life examples. I learned a few things like the OWASP Top 10 for LLMs. Appreciated the shout out to “the Java people in the front row” when talking about log4j. I added a few links in my blog that weren’t in the original presentation for things I wanted to learn more about.