DependencyCheck Scanning for vulnerable libraries BLUG JAN 2016
Who am I?
David Karlsen, https://twitter.com/davidkarlsen
Work as architect for EVRY Financial Services - CoE Java
Disclaimer
What the talk is about
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of
software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risk
What is security?
Let’s not go there…
there are endless answers to this question - and they all depend on context
However...
The OWASP top 10
The OWASP Top Ten is a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of security experts from around the world who have shared their expertise to produce this list.
#9:
The OWASP Top 10 2013 contains a new entry: A9 - Using Components with Known Vulnerabilities
Making an application
ls -lh myapp.tar.gz … 79M
my own libs are about 1.2 MB
minus generated content, our own hand-written code is << 1 MB
i.e. the majority of the running codebase is third-party.
Open or closed-source
To the rescue: Dependency Check
The core engine contains a series of analyzers that inspect the project dependencies, collect pieces of information about the dependencies (referred to as evidence within the tool). The evidence is then used to identify the Common Platform Enumeration (CPE) for the given dependency. If a CPE is identified, a listing of associated Common Vulnerability and Exposure (CVE) entries are listed in a report.
Language support
Currently Java, .NET, Ruby, Node.js, and Python projects are supported; additionally, limited support for C/C++ projects is available for projects using CMake or autoconf
Tooling (e.g. wrappers around engine)
CLI, Ant, Maven, Jenkins, Homebrew, SonarQube
Pro / Con
Pro: vulnerability awareness; dependency awareness - why are the dependencies there? Do I really need them?
Con: can create panic; will have false positives, which make people blind to the real findings
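The evidence → CPE → CVE flow described under "To the rescue" and the false-positive problem listed under Con, as an added example (not Dependency-Check's own code, which is Java and uses a Lucene index over the NVD): a toy Python model that collects evidence from a jar's MANIFEST.MF and pom.properties, derives a CPE by token matching against a constructed database (the CVE identifiers are placeholders, not real advisories), lists the CVEs whose fixed version is newer than the observed one, and applies suppressions keyed on the file's SHA-1 or on the CPE, which is how the real tool's suppression file keys them. The two jars are constructed in memory and carry only metadata; the second one shows how loose token matching turns an in-house add-on into a false positive.

```python
"""Toy model of the Dependency-Check pipeline on constructed jars:
evidence -> CPE -> CVE list -> suppressions. Not the real engine;
the database excerpt and CVE identifiers below are placeholders."""
import hashlib
import io
import re
import zipfile

# Constructed stand-in for the NVD/CPE data: (vendor, product) -> [(cve_id, fixed_in)].
# The CVE identifiers are placeholders, not real advisories.
VULN_DB = {
    ("apache", "commons_collections"): [("CVE-0000-0001", "3.2.2")],
    ("apache", "struts"): [("CVE-0000-0002", "2.3.20")],
}


def tokens(value):
    """Lower-case word tokens: 'org.apache.commons' -> {'org', 'apache', 'commons'}."""
    return set(t for t in re.split(r"[.\-_\s:]+", value.lower()) if t)


def version_key(version):
    """Numeric comparison key: '3.2.1' -> (3, 2, 1); qualifiers such as -SNAPSHOT are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def file_sha1(data):
    """SHA-1 of the artifact, the key the real suppression file uses for a single file."""
    return hashlib.sha1(data).hexdigest()


def parse_properties(text, sep):
    """Parse 'Key: value' (manifest) or 'key=value' (pom.properties) lines."""
    out = {}
    for line in text.splitlines():
        if sep in line and not line.startswith("#"):
            k, v = line.split(sep, 1)
            out[k.strip()] = v.strip()
    return out


def collect_evidence(jar_bytes):
    """Gather vendor/product/version hints from the jar's metadata files.
    Each hint is (source, value); several weak hints are combined later."""
    evidence = {"vendor": [], "product": [], "version": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == "META-INF/MANIFEST.MF":
                m = parse_properties(zf.read(name).decode(), ":")
                for key, bucket in (("Implementation-Vendor", "vendor"),
                                    ("Implementation-Title", "product"),
                                    ("Implementation-Version", "version")):
                    if key in m:
                        evidence[bucket].append(("manifest", m[key]))
            elif name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                p = parse_properties(zf.read(name).decode(), "=")
                for key, bucket in (("groupId", "vendor"), ("artifactId", "product"),
                                    ("version", "version")):
                    if key in p:
                        evidence[bucket].append(("pom.properties", p[key]))
    return evidence


def identify_cpes(evidence):
    """Heuristic CPE identification: a DB entry matches when all of its vendor and
    product tokens occur somewhere in the evidence. This looseness gives the
    approach its recall, and is also the source of the false positives."""
    vendor_toks = set().union(*(tokens(v) for _, v in evidence["vendor"]))
    product_toks = set().union(*(tokens(v) for _, v in evidence["product"]))
    version = evidence["version"][0][1] if evidence["version"] else "0"
    return [f"cpe:/a:{vendor}:{product}:{version}"
            for vendor, product in VULN_DB
            if tokens(vendor) <= vendor_toks and tokens(product) <= product_toks]


def scan(jar_bytes, suppressions=()):
    """Return findings as (cpe, cve_id, suppressed). A finding is suppressed when the
    file's SHA-1 or its CPE is listed, mirroring the real tool's suppression keys."""
    sha1 = file_sha1(jar_bytes)
    findings = []
    for cpe in identify_cpes(collect_evidence(jar_bytes)):
        _, _, vendor, product, version = cpe.split(":")
        for cve, fixed_in in VULN_DB[(vendor, product)]:
            if version_key(version) < version_key(fixed_in):
                findings.append((cpe, cve, sha1 in suppressions or cpe in suppressions))
    return findings


def make_jar(manifest, pom_props=None, coords=None):
    """Build an in-memory jar carrying only metadata (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "".join(f"{k}: {v}\n" for k, v in manifest.items()))
        if pom_props:
            g, a = coords
            zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                        "".join(f"{k}={v}\n" for k, v in pom_props.items()))
    return buf.getvalue()


# Constructed sample 1: a genuinely outdated library.
OLD_COLLECTIONS = make_jar(
    {"Implementation-Vendor": "The Apache Software Foundation",
     "Implementation-Title": "Commons Collections", "Implementation-Version": "3.2.1"},
    {"groupId": "commons-collections", "artifactId": "commons-collections", "version": "3.2.1"},
    ("commons-collections", "commons-collections"))

# Constructed sample 2: an in-house add-on whose metadata merely mentions Apache and
# Struts. The token heuristic still maps it to Struts itself: a false positive.
STRUTS_PLUGIN = make_jar(
    {"Implementation-Vendor": "Apache-compatible plugin by ACME",
     "Implementation-Title": "ACME Struts Menu Plugin", "Implementation-Version": "1.4"},
    {"groupId": "com.acme", "artifactId": "acme-struts-menu", "version": "1.4"},
    ("com.acme", "acme-struts-menu"))

if __name__ == "__main__":
    print("commons-collections-3.2.1.jar", scan(OLD_COLLECTIONS))
    print("acme-struts-menu-1.4.jar     ", scan(STRUTS_PLUGIN))
    # Suppress the false positive by the file's SHA-1; the true finding is unaffected.
    print("with suppression             ", scan(STRUTS_PLUGIN, {file_sha1(STRUTS_PLUGIN)}))
```

Two things to take from the toy: the evidence step never trusts a single field, because a renamed jar still carries its pom.properties and manifest, and the matching step is deliberately loose, which is why a suppression file (keyed on SHA-1 for one artifact, on CPE for a whole family) is part of normal use rather than an afterthought.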
https://www.linkedin.com/in/davidkarlsen