application risk and components at app sec usa – ryan berg’s part

General

  • If you couldn’t use OSS, you’d have no apps or tools. It’s in many components. The question isn’t whether you are using it but whether you know.
  • Takes a long time to fix because you need to wait for each person down the dependency tree to fix/pull in the fixed version.

Struts 2 vulnerability

  • FBI alert
  • “Really important” but to who?
  • At the time of disclosure and shortly thereafter, not much change. Not many downloads of the new version right after the announcement.
  • Roughly 5% upgrade as soon as new version comes out

Stats from research

  • 90% of downloaded components from Maven Central are in local repos.
  • 71% of apps that have been deployed have critical to severe vulnerabilities.

Lego
Every block has a number on it. If you find a manufacturing issue, you can go back to the machine that is causing the problem so you can fix it. Toyota works the same way. If there is a problem, you want to know who is affected. Supply chain management.

The right questions

  • How do you select components for your application? It shouldn’t be Google. It shouldn’t be what your friends are using.
  • Is the project still in active development?
  • How do developers know when they should upgrade?

Need to ensure that what is deployed is the same jar as what is used locally and in the build.

We are used to looking the other way

  • Have to, in order to have apps on your phone. They can do anything.
  • When you download JavaScript, you get the full file and the minified version. And you hope they are the same thing.
  • How likely is this to occur? We really want to release, so we justify mitigating factors and inflate them.
My take
My only gripe is that the talk started early. I could have been there early. But I wasn’t, because over the first day and a half of the conference, everything started on time. The actual talk was good. Ryan covered the importance of component selection and upgrading. And he was funny. Adding him to my mental list of great speakers. As with his earlier session with Jeff Williams, it wasn’t a Sonatype CLM ad.

everything we know about web security is wrong at app sec usa

speaker: Eoin Keary

As an industry, we are very busy, but things don’t seem to be getting better. Big companies are hacked. If we have the brainpower and the budget, why aren’t things improving?

Asymmetric arms race

  • Like the bear: you don’t need to outrun the bear, just the guy behind you.
  • You may be secure at any given time. But it’s like a treadmill. Things change.

Too many variables and too little time to ensure “real” security. Many attacks go after the business logic.

Current state

  • 10 man-years of development and two weeks of ethical hacking.
  • Testing targets 80-90% coverage.

“Risk comes from not knowing what you’re doing” – Warren Buffett

Testing is time limited. Tools give false positives, so you still need to investigate the output. Code is pushed frequently. The value of the pen test drops because the code no longer matches what was tested.

Most tools can’t scan for DOM XSS. See DOM XSS Test Cases.

Robots are good at detecting known unknowns. Humans are good at detecting unknown unknowns.

We eat cheeseburgers until the doctor says we are going to have a heart attack. We write insecure code until we get hacked.

Tool: https://github.com/jeremylong/DependencyCheck

We can’t improve what we can’t measure. Risk changes depending on context. Just because it is XSS doesn’t automatically make it high. Maybe it is on a page only one person can access.

My take
Nice analogies. It felt a bit like preaching to the choir, though. I had trouble finding the organization in the presentation (hence the lack of organization in this blog post). In hindsight, I should have guessed this given the lengthy abstract. Also, some of the “new” things were in an earlier presentation. I left half an hour in. Possibly the second half was better.

using components with known vulnerabilities at app sec usa

A9 is the new addition to the OWASP Top 10. The panel is Ryan Berg (Sonatype CSO) and Jeff Williams (Aspect), with Mark Miller (TSWA) moderating.

80% of an application is assembled from open source components.

  • Jeff: still have about the same amount of custom code, but the amount of library code exploded.
  • Ryan: when he started doing dynamic analysis, classpaths were too big to load all the classes. But people don’t pay attention to the entire universe they pull in. Has seen examples where 99% of the app is open source. Thinks 90% is common.
  • Jeff: the number is misleading. Much of that code is never invoked. Some is there to compile parts of a dependency and is never used. Don’t expect 80% of vulnerabilities to be in open source code.
  • Ryan: It’s callable even if you’re not calling it. The OGNL attack in Struts can call ANYTHING on the classpath.
  • Ryan: 1.3 is the most popular version of Struts. Not even Struts 2. [Struts 1 and 2 are completely different, so this isn’t a patching problem. The guy on Struts 1.2 is a patching problem.]

26 million downloads. The number overcounts because it counts builds, not projects, but undercounts because enterprises download once for all projects.

Attitude

  • Ryan: I just want this library and I want it to work. I don’t care how many friends it brings with it. Roach motel.
  • Jeff: The libraries come from the dependencies. Not a great way to find out what you’re bringing in. [maven dependency tree does this]

Nearly 2/3 of organizations don’t know which components are used in their applications.

  • Ryan: Most organizations don’t know what apps they have. That’s job #1. Know the critical apps, but not by most use. Assume your intranet is on the internet when doing security.
  • Jeff: First mention of Sonatype’s product. [surprised this didn’t come from Ryan]
  • Jeff: Question the assumption that you need a bill of materials. It matters more what is in them. Is it crap? Manufacturing chooses parts intelligently. Material safety data sheets. We should want a library that is supported and was written by people who know about app sec.
  • Ryan: Is the component active? Has it had a release in the last two years? If nobody is around who cares that there is a problem…
  • Ryan: Developers want to use the cool thing. “Spring sold out; everyone is using Stripes now”. It has the same security issues. From a business standpoint, you don’t want to be on the newest, coolest thing and be the one to discover problems.
  • Jeff: Make app sec visible so you can make informed decisions about risk.
  • Jeff: A9 is about making one piece of metadata visible so you don’t make ridiculous decisions. That info isn’t visible to the people on StackOverflow saying to use the cool thing.
  • Ryan: Many developers don’t know what a web request looks like anymore. Frameworks abstract all this information. They start trusting the library.

Maven Central

  • Jeff: “sha” in answer to what comes out of Maven Central.
  • Ryan: How many people check the checksum after download? Very few.
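Checking that checksum is a few lines of code, so here is an added example (mine, not from the panel or from any Sonatype tool) that verifies a downloaded artifact against the `.sha1` sidecar file Maven Central publishes beside it. The same comparison answers the earlier point about making sure the jar that is deployed is the one that was built: hash both and compare. The sidecar layout (hex digest, optionally followed by the file name) matches what Central serves; the sample jar bytes and the tampered copy are constructed here purely for the demo.

```python
"""Verify a downloaded Maven artifact against its .sha1 sidecar (added example;
not code from the talk or from Sonatype)."""
import hashlib
import hmac
import re
from pathlib import Path

# Maven Central stores each file alongside <file>.sha1 (and .md5, and a .asc PGP
# signature). The sidecar holds the hex digest, sometimes followed by whitespace
# and the file name, depending on the tool that published it.
_SIDECAR_RE = re.compile(r"\s*([0-9a-fA-F]{40})(?:\s|$)")


def parse_sha1_sidecar(text: str) -> str:
    """Return the lower-case hex digest from a .sha1 sidecar; raise if malformed.
    The length check also rejects an .md5 or .sha256 file handed over by mistake."""
    m = _SIDECAR_RE.match(text)
    if m is None:
        raise ValueError("sidecar does not start with a 40-character SHA-1 digest")
    return m.group(1).lower()


def is_valid_sidecar(text: str) -> bool:
    try:
        parse_sha1_sidecar(text)
        return True
    except ValueError:
        return False


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def verify_artifact(artifact: bytes, sidecar_text: str) -> bool:
    """True only if the artifact's SHA-1 equals the published digest.
    compare_digest avoids leaking where the strings differ via timing."""
    expected = parse_sha1_sidecar(sidecar_text)
    return hmac.compare_digest(expected, sha1_hex(artifact))


def verify_file(artifact_path: str) -> bool:
    """Verify <path> against <path>.sha1 as laid out in a local repository."""
    p = Path(artifact_path)
    sidecar = Path(str(p) + ".sha1")
    return verify_artifact(p.read_bytes(), sidecar.read_text())


# Constructed sample data: a stand-in for a jar, a sidecar computed from it,
# and a tampered copy that must fail verification.
SAMPLE_JAR = b"PK\x03\x04 constructed stand-in for example-1.0.jar"
GOOD_SIDECAR = sha1_hex(SAMPLE_JAR) + "  example-1.0.jar\n"
TAMPERED_JAR = SAMPLE_JAR + b"\x00"


if __name__ == "__main__":
    print("genuine :", verify_artifact(SAMPLE_JAR, GOOD_SIDECAR))
    print("tampered:", verify_artifact(TAMPERED_JAR, GOOD_SIDECAR))
```

A caveat worth keeping in mind: a matching `.sha1` only proves the bytes you got are the bytes the repository is serving. If the repository or the mirror is the thing you distrust, the digest came from the same place and proves nothing about who published the artifact; that is what the `.asc` PGP signature alongside it is for.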

How to inventory

  • Jeff: Can scan ports to find web apps. Or can instrument app servers. Once you know where the apps are, you need to catalog the libraries they use.
  • Ryan: Don’t assume a jar called log4j-1.3.jar isn’t log4j-1.3.5 or log4j-2.0.jar. People have policies saying they can only use a certain version name.
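Ryan’s renamed-jar point is exactly why an inventory should read the coordinates Maven embeds inside a jar rather than trusting the file name. The added example below (mine, not from the panel or from any vendor product) does that: Maven writes `META-INF/maven/<groupId>/<artifactId>/pom.properties` into every jar it builds, so the script reads those, compares the recorded version with whatever the file name claims, and flags a mismatch. The jars it runs on are constructed in memory with only the metadata files, and the `log4j-1.3.jar` versus 1.3.5 case mirrors the panel’s warning.

```python
"""Inventory jars by the Maven coordinates embedded inside them rather than by
file name (added example; not from the panel or from any vendor tool)."""
import io
import re
import zipfile

# Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into every jar
# it builds. A shaded ("uber") jar can carry several, one per bundled dependency.
_POM_PROPS_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
# What the file name claims: <artifact>-<version>.jar, version starting with a digit.
_FILENAME_RE = re.compile(r"(.*?)-(\d[\w.\-]*)\.jar")


def _parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value lines, # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def embedded_coordinates(jar_bytes: bytes) -> list:
    """Return every (groupId, artifactId, version) recorded inside the jar."""
    coords = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if _POM_PROPS_RE.match(name):
                props = _parse_properties(jar.read(name).decode("utf-8", "replace"))
                coords.append((props.get("groupId"), props.get("artifactId"),
                               props.get("version")))
    return coords


def version_from_filename(filename: str):
    m = _FILENAME_RE.fullmatch(filename)
    return m.group(2) if m else None


def inventory_entry(filename: str, jar_bytes: bytes) -> dict:
    """Describe one jar: what its name claims, what it contains, whether they agree.
    mismatch is None when the jar carries no Maven metadata to check against."""
    claimed = version_from_filename(filename)
    embedded = embedded_coordinates(jar_bytes)
    embedded_versions = {v for _, _, v in embedded if v}
    if not embedded_versions:
        mismatch = None
    else:
        # A name that states no version at all (claimed is None) also counts as a
        # mismatch: the file name does not identify what is inside.
        mismatch = claimed not in embedded_versions
    return {"file": filename, "claimed_version": claimed,
            "embedded": embedded, "mismatch": mismatch}


def build_sample_jar(group_id, artifact_id, version, include_metadata=True) -> bytes:
    """Constructed stand-in jar containing only the metadata files, for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_metadata:
            jar.writestr(
                f"META-INF/maven/{group_id}/{artifact_id}/pom.properties",
                f"#Generated by Maven\nversion={version}\n"
                f"groupId={group_id}\nartifactId={artifact_id}\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed cases: name says 1.3 but the jar says 1.3.5; a consistent jar;
    # and a jar with no Maven metadata at all.
    cases = [("log4j-1.3.jar", build_sample_jar("log4j", "log4j", "1.3.5")),
             ("log4j-1.3.jar", build_sample_jar("log4j", "log4j", "1.3")),
             ("mystery.jar", build_sample_jar("x", "y", "1", include_metadata=False))]
    for fname, jar in cases:
        print(inventory_entry(fname, jar))
```

Jars with no `pom.properties` (hand-built jars, some very old releases) come back as unknown rather than as a match, which is the honest answer; a real inventory would fall back to hashing them and looking the hash up in the repository, which is what the checksum check above already computes.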

Patching

  • Jeff: Open source developers don’t put security fixes in branches all the time. Sometimes you have to pull in the next functional release to get it.
  • Ryan: Have to pay attention or acknowledge the risk of being on an older version. Must accept the burden/exposure.
  • Jeff: When asked about vendors: they don’t find out about a security issue in a component their product uses until the public does. Then they need to start. The bigger problem is when the only mention of the patch is in an SVN commit comment. Want it to be seamless like OS patches are now – automatic updates. It hasn’t always been that way.

What can we expect

  • Ryan: Happy to see us getting back to basic blocking. Should you be using a library with a vulnerability you can Google? This is step 1.
  • Jeff: For every known vulnerability, there are probably many unknown ones, since the code is not scrutinized.
  • Ryan: How to bring supply chain mechanics to software development.

My take
Great session. Jeff and Ryan sounded like they were having a real conversation/discussion about little differences while presenting the same message. And Ryan didn’t plug Sonatype CLM, which surprised me. They have a vendor table, so everyone who wanted to should have seen it. But still, it was nice that he focused on information and not marketing.