One Article Review

Home - The article:
Source Veracode
Identifier 3416942
Publication date 2021-09-23 08:55:21 (viewed: 2021-09-23 13:05:44)
Title Application Security Testing Evolution and How a Software Bill of Materials Can Help
Text Early in my career, I developed web applications. At the time there were practically no frameworks or libraries to help. I was coding with Java using raw servlets and JSPs – very primitive by today's standards. There was no OWASP Top 10, and writing secure code was not something we paid much attention to.

I specifically remember coding an open redirect years ago. I didn't know it was a vulnerability at the time. In my mind, it was a great feature for my Java servlet to recognize a special query string parameter that, if present, would trigger a redirection to the given URL! Interestingly, a dynamic scan or penetration test of the application would not have found my vulnerability. The name of the parameter was undocumented and not easy to guess. On the other hand, static application security testing (SAST) or a manual code review would have found it.

My first stint at Veracode was in 2012, after six years working as an application security consultant. It was exciting to join an up-and-coming company on the cutting edge of AppSec testing. Since then, open source software has grown enormously and proliferated in all aspects of application development. Building apps today is faster because of how easy it is to integrate these components into our own projects. Package managers and open source registries like the Maven repository, the NPM registry, PyPI, and RubyGems.org provide a way for developers to quickly access and leverage a rich plethora of ready-to-use libraries and frameworks. The downside of this model of building applications is that vulnerabilities present in open source components are inherited by our software as well. This has resulted in many data breaches over the years (Equifax via Apache Struts comes to mind). One of the reasons I recently re-joined Veracode is to have the opportunity to work with a premier Software Composition Analysis (SCA) tool. SCA is complementary to SAST.

While SAST checks 1st-party code for security flaws, SCA looks at 3rd-party code like open source libraries. In terms of the OWASP Top 10, this falls under OWASP #9 – Using Components with Known Vulnerabilities.

If your application is using a vulnerable component, it's not necessarily your fault. The vulnerable component may be present because a library that your code is using directly has a dependency on another library. This is called a transitive dependency. Transitive dependencies are pulled in automatically by build systems, aka package managers. Data from our State of Software Security: Open Source Edition report shows that 71 percent of applications have a vulnerability in an open source library on initial scan, and that nearly half of those (47 percent) are transitive.

Now let's talk about a software bill of materials (SBOM). An SBOM lists the individual components that are included in a piece of software. This can help with identifying vulnerabilities or license risks that may affect your organization. The concept of an SBOM is not new, but it's garnered much more interest lately due to the recent U.S. Cybersecurity Executive Order. One of its requirements is having an SBOM for all critical software sold to the federal government.

There are different SBOM specifications in the marketplace today. I will focus on CycloneDX, which was recently accepted as a flagship OWASP project. CycloneDX is a security-focused SBOM specification capable of describing the following types of components:

- Application
- Container
- Device
- File
- Firmware
- Framework
- Library
- Operating System
- Service

CycloneDX's supported data formats are XML, JSON, and Protobuf. Here's an example of a CycloneDX SBOM in JSON format:

Right away we can see that the software represented by this SBOM includes one library – Apache's Commons Collections ver
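Added example, not from the article or from Veracode: a small Python script that parses a constructed CycloneDX JSON SBOM and uses its `dependencies` graph to separate direct libraries from transitive ones, the distinction the article draws above. The SBOM content, component names and versions are made-up sample data.

```python
import json

# Constructed CycloneDX 1.4 JSON SBOM (sample data, not the article's example):
# one application, one direct library, and a second library it pulls in.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {"type": "application", "bom-ref": "app",
                             "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"type": "library", "bom-ref": "pkg:maven/org.example/direct-lib@2.0.0",
     "name": "direct-lib", "version": "2.0.0"},
    {"type": "library", "bom-ref": "pkg:maven/org.example/deep-lib@1.3.0",
     "name": "deep-lib", "version": "1.3.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:maven/org.example/direct-lib@2.0.0"]},
    {"ref": "pkg:maven/org.example/direct-lib@2.0.0",
     "dependsOn": ["pkg:maven/org.example/deep-lib@1.3.0"]},
    {"ref": "pkg:maven/org.example/deep-lib@1.3.0", "dependsOn": []}
  ]
}"""

def dependency_paths(sbom_text):
    """Map each reachable bom-ref to the shortest chain of refs leading to it
    from the root application (chain length 1 = direct, longer = transitive)."""
    sbom = json.loads(sbom_text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = {}
    queue = [(child, [child]) for child in graph.get(root, [])]
    while queue:                      # breadth-first, so the first chain found is shortest
        ref, chain = queue.pop(0)
        if ref in paths:
            continue
        paths[ref] = chain
        queue.extend((c, chain + [c]) for c in graph.get(ref, []))
    return paths

def classify(sbom_text):
    """Label every listed component direct, transitive, or unreferenced
    (listed under components but absent from the dependency graph)."""
    paths = dependency_paths(sbom_text)
    labels = {}
    for comp in json.loads(sbom_text).get("components", []):
        chain = paths.get(comp["bom-ref"])
        labels[comp["bom-ref"]] = ("unreferenced" if chain is None
                                   else "direct" if len(chain) == 1 else "transitive")
    return labels
```

The chain returned by `dependency_paths` answers the question an SCA finding usually raises first: which direct dependency brought this library in.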
Sent Yes
Tags Vulnerability
Stories Equifax
Notes
The article does not seem to have been picked up after its publication.


The article does not seem to have been picked up from an earlier one.