Object lessons: Deserialization after Apache Commons Collections (PowerPoint PPT Presentation)



  1. Object lessons: Deserialization after Apache Commons Collections. Tim Jarrett, November 2016

  2. Who am I? • @tojarrett • Over 20 years in the software business • At Veracode since 2008 • Grammy award winner • Bacon number of 3

  3. Deseriali- what?

  4. What is deserialization? Serialize: to snapshot a "live" in-memory object into a flat, serial stream of data that can be stored or transmitted for reconstitution. Also known as "marshalling," "pickling," "freezing," "flattening." Deserialize: reverse the process.

  5. Timeline of the deserialization vulnerability • Nov 2005: ACC 3.0 • Apr 2008: ACC 3.2.1 • Nov 2013: ACC 4.0 • Jan 2015: "Marshalling Pickles" • Nov 6, 2015: RCE exploits • Nov 12, 2015: ACC 3.2.2 • Nov 25, 2015: ACC 4.1

  6. How big a deal was this vuln?

  7. Veracode 2016 State of Software Security • Largest quantitative study of application security risk • Based on over 330,000 actual application testing results • 34 different industries represented • Large and small organizations, commercial software providers, open source projects, software outsourcers • Static analysis, dynamic analysis, software composition analysis

  8. Sources of application risk • Configuration and deployment issues • First party code • Risky components

  9. Most prevalent Java components

  10. Most prevalent vulnerable Java components

  11. Developers don’t update out-of-date libraries

  12. Apache Commons Collections: a case study

  13. ACC by industry

  | Industry vertical | % of Java apps with ACC 3.2.1 |
  |---|---|
  | Tech | 67.9% |
  | Healthcare | 42.1% |
  | Other | 26.7% |
  | Financial services | 22.4% |
  | Manufacturing | 20.4% |
  | Retail & Hospitality | 16.2% |
  | Government | 16.0% |

  14. Component family tree: components around Apache Commons Collections 3.2.1 (1290) • Spring Web (1779) • Apache Commons BeanUtils (1348) • Spring Framework (501) • Spring TestContext Framework (3007) • Hibernate ORM Core Functionality (1185) • Spring Web MVC (1314) • Hadoop Core (399) • Apache Commons Configuration (803) • SonarQube Plugin API (262) • Spring Context Support (916) • Apache Velocity (748) • SnakeYAML (519) • ...

  15. Not just in Open Source

  16. Addressing component risk

  17. Addressing component risks in the SDLC • 1. Policy first • 2. Build an inventory • 3. Developer education • 4. Integrate testing

  18. Policy

  19. Build an inventory

  20. Developer education

  21. Developer education

  22. Integrate

  23. No free lunch

  24. THANK YOU • Twitter: @tojarrett • State of Software Security: https://www.veracode.com/soss
