object lessons
play

Object lessons Deserialization after Apache Commons Collections T i - PowerPoint PPT Presentation

Jul 11, 2023 •440 likes •692 views

Object lessons Deserialization after Apache Commons Collections T i m J a r r e t t , N o v e m b e r 2 0 1 6 Who am I? @tojarrett Over 20 years in the software business At Veracode since 2008 Grammy award winner Bacon

  1. Object lessons Deserialization after Apache Commons Collections T i m J a r r e t t , N o v e m b e r 2 0 1 6

  2. Who am I? • @tojarrett • Over 20 years in the software business • At Veracode since 2008 • Grammy award winner • Bacon number of 3

  3. Deseriali- what?

  4. What is deserialization? Serialize: to snapshot a ”live” in-memory SERIALIZING object into a flat, serial stream of data that “marshalling,” can be stored or transmitted for “pickling,” reconstitution “freezing,” “flattening” Deserialize: reverse the process

  5. Timeline of the deserialization vulnerability Nov 25, Nov 2005: Nov 2013: Nov 6, 2015: 2015: ACC ACC 3.0 ACC 4.0 RCE exploits 4.1 Apr 2008: Jan 2015: Nov 12, ACC 3.2.1 "Marshalling 2015: ACC Pickles" 3.2.2

  6. How big a deal was this vuln?

  7. Veracode 2016 State of Software Security • Largest quantitative study of application security risk • Based on over 330,000 actual application testing results • 34 different industries represented • Large and small organizations, commercial software providers, open source projects, software outsourcers • Static analysis, dynamic analysis, software composition analysis

  8. Sources of application risk Configuration and deployment issues First party code Risky components

  9. Most prevalent Java components

  10. Most prevalent vulnerable Java components

  11. Developers don’t update out-of-date libraries

  12. Apache Commons Collections: a case study

  13. ACC by industry INDUSTRY VERTICAL % OF JAVA APPS WITH ACC 3.2.1 Tech 67.9% Healthcare 42.1% Other 26.7% Financial services 22.4% Manufacturing 20.4% Retail & Hospitality 16.2% Government 16.0%

  14. Component family tree Spring Web (1779) Apache Commons Spring Framework BeanUtils (1348) (501) ... Spring TestContext Framework (3007) Core Hibernate ORM Spring Web MVC Functionality (1185) (1314) ... Hadoop Core (399) Apache Commons Collections 3.2.1 (1290) Apache Commons SonarQube Plugin API Configuration (803) (262) ... Spring Context Support (916) Apache Velocity (748) SnakeYAM (519) ...

  15. Not just in Open Source

  16. Addressing component risk

  17. Addressing component risks in the SDLC 1 Policy first 2 Build an inventory 3 Developer education 4 Integrate testing

  18. Policy

  19. Build an inventory

  20. Developer education

  21. Developer education

  22. Integrate

  23. No free lunch

  24. THANK YOU Twitter: @tojarrett State of Software Security: https://www.veracode.com/soss

Recommend

Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object

Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object

4/13/2017 OOP Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object oriented Programming (Using C++) ht t p: / / www. com pgeom . com / ~pi yush/ t each/ 3330 Objects: State (fields), Behavior (member

632 views • 6 slides
Transition Fundamentals and Success Principles as Object Lessons Mary Stuart Hunter Associate

Transition Fundamentals and Success Principles as Object Lessons Mary Stuart Hunter Associate

Looking Back and Looking Around: Transition Fundamentals and Success Principles as Object Lessons Mary Stuart Hunter Associate Vice President and Executive Director National Resource Center for The First-Year Experience and Students in

1.03k views • 70 slides
Geronimos Cadillac Lessons for Learning Object Repositories Sergeant, sergeant, dont you

Geronimos Cadillac Lessons for Learning Object Repositories Sergeant, sergeant, dont you

Geronimos Cadillac Lessons for Learning Object Repositories Sergeant, sergeant, dont you feel Theres something wrong with your automobile Governor, governor, aint it strange They didnt have no cars on the Indian range

174 views • 14 slides
Specifying Interfaces Object Design: Chapter 9, Object Design ! Object design is the process of

Specifying Interfaces Object Design: Chapter 9, Object Design ! Object design is the process of

Object-Oriented Software Engineering Using UML, Patterns, and Java Specifying Interfaces Object Design: Chapter 9, Object Design ! Object design is the process of adding details to the requirements analysis and making implementation decisions

500 views • 28 slides
Object-Oriented Databases Object Oriented Databases ODMG Standard Object Model, Object

Object-Oriented Databases Object Oriented Databases ODMG Standard Object Model, Object

Object-Oriented Databases Object Oriented Databases ODMG Standard Object Model, Object Definition Language, Object Query Language Programming Language Bindings Outlook October 17, 2008 Michael Grossniklaus Department of

786 views • 27 slides
Object-Oriented Paradigm http://cs.mst.edu The Concept Bundled together in one object

Object-Oriented Paradigm http://cs.mst.edu The Concept Bundled together in one object

Object-Oriented Paradigm http://cs.mst.edu The Concept Bundled together in one object Data Types Functionality Encapsulation State variables used to describe the object Functions dictating how the object interacts and

230 views • 18 slides
Chapter 8, Object Design: Object design is the process of adding details to the requirements

Chapter 8, Object Design: Object design is the process of adding details to the requirements

Object Design Object-Oriented Software Engineering Chapter 8, Object Design: Object design is the process of adding details to the requirements analysis and making implementation decisions Reuse and Patterns I The object designer must

301 views • 15 slides
Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From

Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From

Protg 2006, July 26th, Stanford I R I S A C 1 R E C Saint-Cyr Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From Ontology Ontology Design Design Ontology Ontology Design Design Jean Andr B

371 views • 12 slides
Outline Object-orientation and databases CS 235: Object-oriented model: ODL Object

Outline Object-orientation and databases CS 235: Object-oriented model: ODL Object

Outline Object-orientation and databases CS 235: Object-oriented model: ODL Object Query Language Introduction to Databases Svetlozar Nestorov Lecture Notes #15 CS 235: Introduction to Databases 2 Object-Oriented DBMSs ODMG

550 views • 8 slides
Mul$-Object Synchroniza$on Mul$-Object Programs What happens

Mul$-Object Synchroniza$on Mul$-Object Programs What happens

Mul$-Object Synchroniza$on Mul$-Object Programs What happens when we try to synchronize across mul$ple objects in a large program? Each object

607 views • 31 slides
Mul$-Object Synchroniza$on Mul$-Object Programs What happens

Mul$-Object Synchroniza$on Mul$-Object Programs What happens

Mul$-Object Synchroniza$on Mul$-Object Programs What happens when we try to synchronize across mul$ple objects in a large program? Each object

1.14k views • 47 slides
Object Oriented Programming in C# February 13, 2008 The C# object model 1 Implementing an

Object Oriented Programming in C# February 13, 2008 The C# object model 1 Implementing an

Object Oriented Programming in C# February 13, 2008 The C# object model 1 Implementing an object oriented language 2 1/27 Goals of the C# object system. polymorphism the ability to write code which operates on many typesrealized by

439 views • 30 slides
Multi-Object Tracking Challenge CV3DST Lecture Exercises Multi-Object Tracking Multi-Object

Multi-Object Tracking Challenge CV3DST Lecture Exercises Multi-Object Tracking Multi-Object

Multi-Object Tracking Challenge CV3DST Lecture Exercises Multi-Object Tracking Multi-Object Tracking Origins SONAR, RADAR Given a raw stream of sensory data: Localize objects Estimate object identities over time

340 views • 16 slides
Developing Objects Segregation capabilities and the notion of Object Containment from unlabeled

Developing Objects Segregation capabilities and the notion of Object Containment from unlabeled

Developing Objects Segregation capabilities and the notion of Object Containment from unlabeled natural videos Daniel Harari Joint work with Nimrod Dorfman and Shimon Ullman Object Segregation Object 2 Object 1 Background Object

447 views • 40 slides
Chapter 5, Object Modeling From use cases to class diagrams Model and reality

Chapter 5, Object Modeling From use cases to class diagrams Model and reality

Object-Oriented Software Engineering Outline Chapter 5, Object Modeling From use cases to class diagrams Model and reality Activities during object modeling Using UML, Patterns, and Java Object identification Object types !

365 views • 7 slides
Lessons learned Techniques Limitations of formal specifications Cost of technical staff

Lessons learned Techniques Limitations of formal specifications Cost of technical staff

CRIM Lessons learned Techniques Limitations of formal specifications Cost of technical staff training Ease of communication between different system stakeholders by using object- oriented modeling techniques and OMT as notational

302 views • 9 slides
What is a Chair? The object The texture The object The texture The scene The object

What is a Chair? The object The texture The object The texture The scene The object

COS429 Computer Vision What is a Chair? The object The texture The object The texture The scene The object Instances vs. categories Instances Find these two toys Categories Find a bottle: Cant do Can nail it unless you do not care

1.59k views • 124 slides
Naming Architecture for Naming Architecture for Object to Object Communications

Naming Architecture for Naming Architecture for Object to Object Communications

Naming Architecture for Naming Architecture for Object to Object Communications <draft-lee-object-naming-00.txt> 75 th IETF Stockholm, July 2009 Gyu Myoung Lee (gmlee@it-sudparis.eu) G M L ( l @it d i ) Jun Kyun Choi

521 views • 11 slides
Imperative vs. object- oriented paradigms 1 11/14/17 Imperative vs. object-oriented u

Imperative vs. object- oriented paradigms 1 11/14/17 Imperative vs. object-oriented u

11/14/17 CSCI-2320 Object-Oriented Paradigm: Ruby Mohammad T . Irfan Imperative vs. object- oriented paradigms 1 11/14/17 Imperative vs. object-oriented u Imperative u Procedural decomposition u Procedures are all powerful u Data is

582 views • 45 slides
Presentation Design Principles Grouping Contrast Proportion Usability Presentation Design

Presentation Design Principles Grouping Contrast Proportion Usability Presentation Design

Presentation Design Principles Grouping Contrast Proportion Usability Presentation Design Framework Properties color, size, intensity, metaphor, shape, Navigation Object Object Object Object Text Icon , Menu Object Object

719 views • 20 slides
What does it mean to be Object Oriented? What does it mean to be OO? What are the

What does it mean to be Object Oriented? What does it mean to be OO? What are the

Comp-304 : Object-Oriented Design What does it mean to be Object Oriented? What does it mean to be OO? What are the characteristics of Object Oriented programs (later: OO design) ? What does Object Oriented programming add (as opposed to

772 views • 55 slides
Page 1 1. Add Visibility Information Implementation of UML Visibility in Java Tournament UML

Page 1 1. Add Visibility Information Implementation of UML Visibility in Java Tournament UML

Object Design Object-Oriented Software Engineering ! Object design is the process of adding details to the requirements analysis and making implementation decisions ! The object designer must choose among different ways to implement the analysis

323 views • 5 slides
CSE 331 The Object class; Object equality and the equals method slides created by Marty Stepp

CSE 331 The Object class; Object equality and the equals method slides created by Marty Stepp

CSE 331 The Object class; Object equality and the equals method slides created by Marty Stepp based on materials by M. Ernst, S. Reges, D. Notkin, R. Mercer, Wikipedia http://www.cs.washington.edu/331/ 1 The class Object The class Object

495 views • 26 slides
May 2018 ALL THINGS ADAPTED LESSONS What are adapted lessons? therapeutic music lessons

May 2018 ALL THINGS ADAPTED LESSONS What are adapted lessons? therapeutic music lessons

May 2018 ALL THINGS ADAPTED LESSONS What are adapted lessons? therapeutic music lessons adapted lessons music therapy with a focus on an instrument music lessons for kids with special needs the same as music therapy?

550 views • 16 slides

More recommend