Object lessons: Deserialization after Apache Commons Collections
Tim Jarrett, November 2016

Who am I?
• @tojarrett
• Over 20 years in the software business
• At Veracode since 2008
• Grammy award winner
• Bacon number of 3
Deseriali-what?

What is deserialization?
Serialize: to snapshot a "live" in-memory object into a flat, serial stream of data that can be stored or transmitted for reconstitution. Also called "marshalling," "pickling," "freezing," or "flattening."
Deserialize: reverse the process, rebuilding live objects from the stream.
Timeline of the deserialization vulnerability
• Nov 2005: ACC 3.0
• Apr 2008: ACC 3.2.1
• Nov 2013: ACC 4.0
• Jan 2015: "Marshalling Pickles" talk
• Nov 6, 2015: RCE exploits published
• Nov 12, 2015: ACC 3.2.2
• Nov 25, 2015: ACC 4.1
How big a deal was this vuln?
Veracode 2016 State of Software Security
• Largest quantitative study of application security risk
• Based on over 330,000 actual application testing results
• 34 different industries represented
• Large and small organizations, commercial software providers, open source projects, software outsourcers
• Static analysis, dynamic analysis, software composition analysis

Sources of application risk
• Configuration and deployment issues
• First-party code
• Risky components
Most prevalent Java components
Most prevalent vulnerable Java components
Developers don’t update out-of-date libraries
Apache Commons Collections: a case study
ACC by industry
Industry vertical          % of Java apps with ACC 3.2.1
Tech                       67.9%
Healthcare                 42.1%
Other                      26.7%
Financial services         22.4%
Manufacturing              20.4%
Retail & Hospitality       16.2%
Government                 16.0%

Component family tree
Apache Commons Collections 3.2.1 (1290) is pulled in, directly or transitively, by widely used components, including:
• Spring Web (1779)
• Apache Commons BeanUtils (1348)
• Spring Framework (501)
• Spring TestContext Framework (3007)
• Core Hibernate ORM Functionality (1185)
• Spring Web MVC (1314)
• Hadoop Core (399)
• Apache Commons Configuration (803)
• SonarQube Plugin API (262)
• Spring Context Support (916)
• Apache Velocity (748)
• SnakeYAML (519)
• ...
Not just in Open Source
Addressing component risk
Addressing component risks in the SDLC
1. Policy first
2. Build an inventory
3. Developer education
4. Integrate testing
Policy
Build an inventory
Developer education
Integrate
No free lunch
THANK YOU Twitter: @tojarrett State of Software Security: https://www.veracode.com/soss