OWASP A9 USING KNOWN VULNERABLE COMPONENTS ITEC6873
A9 – Using Known Vulnerable Components
ITEC 6873, by Derrick Hunter
A9 – USING KNOWN VULNERABLE COMPONENTS: Agenda
• Threat Agents
• Attack Vectors
• Security Weaknesses
• Technical Impacts
• Importance
• How to prevent
• Discussion questions
A9 – USING KNOWN VULNERABLE COMPONENTS
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
Threat Agents
Some vulnerable components can be identified and exploited with automated tools, expanding
the threat agent pool beyond targeted attackers to include chaotic actors.
Threat agent: anyone who can send untrusted data to the system.
ATTACK VECTORS: AVERAGE EXPLOITABILITY
SECURITY WEAKNESS: WIDESPREAD, DIFFICULT DETECTABILITY
TECHNICAL IMPACTS: MODERATE
POSSIBLE WEAKNESSES
INJECTION
BROKEN ACCESS CONTROL
CROSS SITE SCRIPTING
EXAMPLE
• Apache CXF Authentication Bypass – By failing to provide an identity token, attackers could invoke any web service with full permission.
• Spring Remote Code Execution – Abuse of the Expression Language implementation in Spring allowed attackers to execute arbitrary code, effectively taking over the server.
WHY IS THIS SO IMPORTANT
• Open source applications allow coders to quickly create new and innovative software, but the lack of visibility into component vulnerabilities and associated fixes means that vulnerable components may stay in use long after the threat has been identified.
SOFTWARE THAT HAS A HISTORY OF KNOWN VULNERABILITIES
STRUTS2
Open source web application framework was downloaded 80,000 times even after 30+ public vulnerability announcements.
HTTP CLIENT
Component with broken SSL validation was downloaded 66,000 times one year after a critical security alert was issued.
BOUNCY CASTLE
In 2013 this cryptography API with a Level 10 critical vulnerability was downloaded 20,000 times, despite warnings given five years earlier.
HOW TO PREVENT
• Make sure you are using the current application versions.
• Monitor the security of components in databases, project mailing lists, and security mailing lists, and keep them up to date.
• Establish security policies governing component use, such as requiring certain software development practices, passing security tests, and acceptable licenses.
• Consider adding security wrappers around components to disable unused functionality and secure weak or vulnerable aspects of the component.
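As an added illustration of the first two prevention points (this is example code, not part of the deck and not the code of any OWASP tool), the sketch below does in miniature what a checker such as OWASP Dependency Check automates: parse the project's component manifest and compare each declared version against a list of known-vulnerable ranges. The pom.xml, the advisory entries, the group/artifact names and the advisory labels are all constructed for the example.

```python
"""Minimal 'known vulnerable component' check for a Maven pom.xml (constructed example)."""
import re
import xml.etree.ElementTree as ET

# Constructed advisory data: (groupId, artifactId, first fixed version, label).
# Any version below the fixed version is treated as known-vulnerable. A real tool
# pulls this from a vulnerability database instead of a hard-coded list.
ADVISORIES = [
    ("org.example", "struts-like", "2.3.20", "EXAMPLE-ADV-1 remote code execution"),
    ("org.example", "httpclient-like", "4.3", "EXAMPLE-ADV-2 broken SSL validation"),
]

# Constructed manifest: one outdated component, one patched, one with no advisory.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>struts-like</artifactId>
      <version>2.3.15</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>httpclient-like</artifactId>
      <version>4.3.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>unrelated</artifactId>
      <version>1.0</version></dependency>
  </dependencies>
</project>"""

def version_key(version):
    # Dotted numeric comparison only: "2.3.15" -> (2, 3, 15). Qualifiers such as
    # "-beta" are not modelled; a production checker needs full version semantics.
    return tuple(int(p) for p in re.findall(r"\d+", version))

def parse_dependencies(pom_xml):
    # Returns (groupId, artifactId, version) for every declared dependency.
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    return [
        (d.findtext("m:groupId", namespaces=ns),
         d.findtext("m:artifactId", namespaces=ns),
         d.findtext("m:version", namespaces=ns))
        for d in root.findall("m:dependencies/m:dependency", ns)
    ]

def find_vulnerable(deps, advisories=ADVISORIES):
    # Flags each dependency whose version is older than the advisory's fix.
    hits = []
    for group, artifact, version in deps:
        for adv_group, adv_artifact, fixed, label in advisories:
            if (group, artifact) == (adv_group, adv_artifact) \
                    and version_key(version) < version_key(fixed):
                hits.append((f"{group}:{artifact}:{version}", f"fixed in {fixed}", label))
    return hits

if __name__ == "__main__":
    for hit in find_vulnerable(parse_dependencies(SAMPLE_POM)):
        print("KNOWN VULNERABLE:", *hit)
```

Run in a build pipeline, a non-empty result from find_vulnerable is the signal to fail the build or open a ticket, which is the policy hook the "establish security policies" bullet describes.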
REFERENCES
OWASP:
• OWASP Dependency Check (for Java libraries)
• OWASP SafeNuGet (for .NET libraries through NuGet)
• Good Component Practices Project
• Keyhole Software. (November 18, 2013). Top 10 Web Application Security Risks From OWASP. Java Code Geeks. Retrieved October 29, 2014, from http://www.javacodegeeks.com/2013/11/top-10-web-application-security-risks-from-owasp.html.
• Sonatype.org. (2008-2014). OWASP Top Ten: Improving online software security. Sonatype. Retrieved October 29, 2014, from http://www.sonatype.com/spotlight/owasp-top-ten.
QUESTIONS?
• Give an example of a company using a known vulnerable component in the news.
• How have some companies decided to deal with this issue?
• What would you add to the list of how to prevent this issue?