DependencyCheck: Scanning for vulnerable libraries, BLUG JAN 2016

Dependency check

Apr 09, 2017


David Karlsen
Transcript
Page 1: Dependency check

DependencyCheck

Scanning for vulnerable libraries

BLUG JAN 2016

Page 2: Dependency check

Who am I?

David Karlsen

https://twitter.com/davidkarlsen

Works as architect for EVRY Financial Services - CoE Java

Page 3: Dependency check

Disclaimer

Page 4: Dependency check

What the talk is about

The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risk.

Page 5: Dependency check

What is security?

Let’s not go there…

There are endless answers to this question, and they all depend on context.

However...

Page 6: Dependency check

The OWASP top 10

The OWASP Top Ten is a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.

#9:

The OWASP Top 10 2013 contains a new entry: A9 - Using Components with Known Vulnerabilities

Page 7: Dependency check

Making an application

ls -lh myapp.tar.gz… 79M

mylibs are about 1,2Mb

minus generated content: our own hand-written code is << 1Mb

i.e. the majority of the running codebase is 3rd party.

Open or closed-source

Page 8: Dependency check
Page 9: Dependency check
Page 10: Dependency check

To the rescue: Dependency Check

The core engine contains a series of analyzers that inspect the project dependencies and collect pieces of information about them (referred to as evidence within the tool). The evidence is then used to identify the Common Platform Enumeration (CPE) for the given dependency. If a CPE is identified, the associated Common Vulnerability and Exposure (CVE) entries are listed in a report.

Page 11: Dependency check

Language support

Currently Java, .NET, Ruby, Node.js, and Python projects are supported; additionally, limited support for C/C++ projects is available for projects using CMake or autoconf.

Page 12: Dependency check

Tooling (e.g. wrappers around engine)

CLI, Ant, Maven, Jenkins, Homebrew, SonarQube

Page 13: Dependency check
Page 14: Dependency check
Page 15: Dependency check
Page 16: Dependency check

Pro / Con

Pro: Vulnerability awareness; Dependency awareness - why are dependencies there? Do I really need them?

Con: Create panic; Will have false positives - make people blind
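To make the pipeline described on page 10 (analyzers collect evidence, the evidence identifies a CPE, the CPE is looked up against CVE entries) and the false-positive caveat on page 16 concrete, here is an added Python model of that flow. It is an illustration written for this transcript, not Dependency-Check's own code or data: the CPE dictionary, the vulnerability feed with placeholder CVE ids, the jar names, the confidence weights and the tuple-based suppression list are all constructed for the example. A jar that is identified from nothing but its file name gets a LOW-confidence match, which is exactly the kind of finding that turns out to be a false positive and has to be suppressed rather than ignored.

```python
"""Toy model of an evidence-based dependency scanner (constructed example)."""
import re
from dataclasses import dataclass, field

# Confidence weights for a piece of evidence (constructed tiers).
LOW, HIGH, HIGHEST = 1, 3, 5
CONFIDENCE_LABEL = {LOW: "LOW", HIGH: "HIGH", HIGHEST: "HIGHEST"}

# Constructed CPE dictionary: (vendor, product) -> CPE name. Not real NVD data.
CPE_DICTIONARY = {
    ("fooware", "webutils"): "cpe:/a:fooware:webutils",
    ("barsoft", "collections"): "cpe:/a:barsoft:collections",
}

# Constructed feed: CPE -> [(placeholder CVE id, last affected version, CVSS)].
CVE_FEED = {
    "cpe:/a:fooware:webutils": [("CVE-EXAMPLE-0001", "2.4.1", 7.5)],
    "cpe:/a:barsoft:collections": [("CVE-EXAMPLE-0002", "1.9", 9.8)],
}


@dataclass
class Dependency:
    file_name: str
    manifest: dict = field(default_factory=dict)  # MANIFEST.MF attributes
    pom: dict = field(default_factory=dict)       # embedded Maven coordinates
    evidence: list = field(default_factory=list)  # (kind, value, weight)


def tokens(value):
    """Lower-cased alphanumeric tokens, so 'FooWare Inc.' matches vendor 'fooware'."""
    return {t for t in re.split(r"[^a-z0-9]+", value.lower()) if t}


def analyze(dep):
    """Analyzers: collect vendor/product/version evidence from each source."""
    dep.evidence = []
    m = re.match(r"(?P<name>.+?)-(?P<ver>\d+(?:\.\d+)*)\.jar$", dep.file_name)
    if m:  # file name: weak evidence, but always available
        dep.evidence.append(("product", m.group("name"), LOW))
        dep.evidence.append(("version", m.group("ver"), LOW))
    for key, kind in (("Implementation-Vendor", "vendor"),
                      ("Implementation-Title", "product"),
                      ("Implementation-Version", "version")):
        if key in dep.manifest:  # manifest: stronger evidence
            dep.evidence.append((kind, dep.manifest[key], HIGH))
    for key, kind in (("groupId", "vendor"), ("artifactId", "product"),
                      ("version", "version")):
        if key in dep.pom:  # embedded pom: strongest evidence
            dep.evidence.append((kind, dep.pom[key], HIGHEST))
    return dep


def identify_cpe(dep):
    """Score every CPE by the evidence supporting its product (required) and
    vendor (bonus). Returns (cpe, confidence label) or (None, None)."""
    best = (None, 0, 0)  # (cpe, score, strongest contributing weight)
    for (vendor, product), cpe in CPE_DICTIONARY.items():
        score, strongest, product_hit = 0, 0, False
        for kind, value, weight in dep.evidence:
            if kind == "product" and product in tokens(value):
                score, strongest, product_hit = score + weight, max(strongest, weight), True
            elif kind == "vendor" and vendor in tokens(value):
                score, strongest = score + weight, max(strongest, weight)
        if product_hit and score > best[1]:
            best = (cpe, score, strongest)
    cpe, _, strongest = best
    return (None, None) if cpe is None else (cpe, CONFIDENCE_LABEL[strongest])


def best_version(dep):
    versions = [(w, v) for k, v, w in dep.evidence if k == "version"]
    return max(versions)[1] if versions else None


def is_affected(version, last_affected):
    """Numeric tuple comparison; '1.9' is treated as '1.9.0'."""
    a = tuple(int(p) for p in version.split("."))
    b = tuple(int(p) for p in last_affected.split("."))
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) <= b + (0,) * (n - len(b))


def scan(deps, suppressions=()):
    """analyze -> identify CPE -> look up CVEs -> mark suppressed findings."""
    findings = []
    for dep in deps:
        analyze(dep)
        cpe, confidence = identify_cpe(dep)
        if cpe is None:
            continue
        version = best_version(dep)
        for cve, last_affected, cvss in CVE_FEED.get(cpe, []):
            if version is None or is_affected(version, last_affected):
                findings.append({"file": dep.file_name, "cpe": cpe, "cve": cve,
                                 "cvss": cvss, "confidence": confidence,
                                 "suppressed": (dep.file_name, cpe) in suppressions})
    return findings


# Constructed sample inputs: a true positive, a patched version, and an
# in-house jar whose file name merely contains the word "collections".
SAMPLE_DEPENDENCIES = [
    Dependency("webutils-2.3.0.jar",
               manifest={"Implementation-Vendor": "FooWare Inc.",
                         "Implementation-Title": "WebUtils"},
               pom={"groupId": "com.fooware", "artifactId": "webutils", "version": "2.3.0"}),
    Dependency("webutils-2.5.0.jar",
               pom={"groupId": "com.fooware", "artifactId": "webutils", "version": "2.5.0"}),
    Dependency("collections-utils-1.0.jar"),
]
# Reviewed false positive: (file name, CPE) pairs to suppress (constructed format).
SUPPRESSIONS = [("collections-utils-1.0.jar", "cpe:/a:barsoft:collections")]

if __name__ == "__main__":
    for finding in scan(SAMPLE_DEPENDENCIES, suppressions=SUPPRESSIONS):
        print(finding)
```

Running the block lists two findings: the webutils 2.3.0 jar at HIGHEST confidence (pom coordinates, manifest and file name all agree), and the collections-utils jar at LOW confidence, flagged as suppressed because a reviewer has recorded it as a false positive. The patched 2.5.0 jar produces nothing. The real tool records such decisions in an XML suppression file; the tuple list here is just a stand-in, but the point from the Pro/Con slide is the same: LOW-confidence matches need a review step, and suppression keeps the report credible instead of training people to ignore it.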