Tracking vulnerable JARs


Ruxcon 2012


David Jorm
djorm@redhat.com
Contents


    JAR (security) hell
    Example (CVE-2010-1622)
    JBoss products
    Solution
    jboss-manifest
    Victi.ms DB
    Enforce-victims-rule maven plugin
    Demonstration




           SECURITY RESPONSE TEAM | RED HAT INC.   2
JAR (security) hell

  • Java/J2EE apps rely on a large number of libraries
  • There are several ways of handling this, but all rely
    on the application bundling its own dependencies.
  • Similar to every binary on a system being statically
    compiled, with no dynamically linked libraries
  • Library JARs are typically included as dependencies
    using build tools like maven that draw them from
    public repositories
  • The maven central repo is the most “canonical”
    source of compiled JARs



  • Aspect Security performed a study [1] in March 2012
    that showed 29.8 million (26%) of library downloads
    from the maven central repository are for versions
    with known flaws
  • The study recommends app developers:
            – Provide tailored security policies that can be leveraged by the Java
              Security Manager to ensure limited impact of any exposure.
            – Enforce scans of dependencies against a known vulnerability DB.
            – Internalize and self manage Maven repositories to ensure absolute
              control of dependencies.




      [1] https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf

Example: CVE-2010-1622 in Spring (hi Meder)




                            Source: http://www.sonatype.com/Products/Why-Sonatype/Reduce-Security-Risk/Security-Brief


 • How do you know your application is vulnerable and
   needs to be recompiled? How do you know to
   update your dependencies?





 • Track upstream website? Use alert service?
   Secunia, iSight, etc.?
 • How to communicate this to developers? How to
   map dependencies to CVEs?




JBoss Products

 • JBoss products are bundled with all dependent
   JARs, rather than using a dependency management
   system
 • Components within JBoss products bundle their own
   JARs
 • We often have multiple copies and/or multiple
   versions of the same JAR within one product
 • When a vulnerability is found in a JAR, how do we
   patch our products comprehensively?




Solution

 • Collate all released/engineering product builds
 • Recursively unpack them and generate a complete
   manifest database cataloging the JARs used by
   each build
 • Match the manifest database against a database of
   known vulnerable JARs
 • Perform a check against the database at build time




 • Requires three components:
 • jboss-manifest: a JAR manifest generator that
   recursively unpacks projects distributed as zip files to
   generate a text and SQL-based manifest of their
   packaged JARs
 • victims database: a canonical database of known-
   vulnerable JARs, identified by sha-512 fingerprints
   and linked to CVE IDs
 • enforce-victims-rule: a maven plugin to detect
   known-vulnerable JARs at build time based on the
   victi.ms database


jboss-manifest

 • 1) Recursively unpack archives – zip, war, ear etc.
 • 2) Within each archive, find all jar files
 • 3) For each jar file get information from:
      –   The file itself
      –   The contents of META-INF/MANIFEST.MF
      –   The signer information in META-INF/*.DSA/RSA
      –   Checksum
 • 4) For each jar file write a record to the manifest DB,
   matching the record to the product build containing
   this jar
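The four steps above, as an added example written for this page (it is not the jboss-manifest code itself): a small recursive cataloguer that descends into zip/war/ear archives, pulls the main-section headers out of META-INF/MANIFEST.MF, lists the META-INF/*.DSA and *.RSA signer files, fingerprints each jar with sha-512 and tags every record with the product build it came from. The archive layout, jar names, manifest headers and record fields are all constructed for the demo; the only thing the slide fixes is the four-step procedure.

```python
"""Minimal recursive JAR cataloguer (added example, not jboss-manifest)."""
import hashlib
import io
import zipfile

# Archive types to descend into; the jar suffix marks a leaf to record.
ARCHIVE_SUFFIXES = (".zip", ".war", ".ear", ".sar")
JAR_SUFFIX = ".jar"


def parse_manifest(data: bytes) -> dict:
    """Return the main-section headers of a MANIFEST.MF.

    The main section ends at the first blank line; a line starting with a
    single space continues the previous header value.
    """
    headers, last_key = {}, None
    for line in data.decode("utf-8", errors="replace").splitlines():
        if not line.strip():
            break                      # per-entry sections follow; ignore them
        if line.startswith(" ") and last_key:
            headers[last_key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            headers[last_key] = value.strip()
    return headers


def jar_record(path: str, data: bytes, build: str) -> dict:
    """Step 3: information from the file, its manifest, its signers, and a checksum."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        manifest = {}
        if "META-INF/MANIFEST.MF" in names:
            manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF"))
        signers = [n for n in names
                   if n.startswith("META-INF/") and n.upper().endswith((".DSA", ".RSA"))]
    return {
        "build": build,                              # step 4: link record to the build
        "path": path,                                # where inside the build the jar sits
        "sha512": hashlib.sha512(data).hexdigest(),  # fingerprint of the jar bytes
        "title": manifest.get("Implementation-Title") or manifest.get("Bundle-SymbolicName"),
        "version": manifest.get("Implementation-Version") or manifest.get("Bundle-Version"),
        "signers": signers,
    }


def catalog(data: bytes, build: str, prefix: str = "") -> list:
    """Steps 1, 2 and 4: recursively unpack archives and emit one record per jar."""
    records = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            payload = archive.read(info)
            lower = info.filename.lower()
            if lower.endswith(JAR_SUFFIX):
                records.append(jar_record(path, payload, build))
            elif lower.endswith(ARCHIVE_SUFFIXES):
                records.extend(catalog(payload, build, path + "!/"))
    return records


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (demo helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


def sample_product_build() -> bytes:
    """Constructed sample: product.zip -> app.war -> WEB-INF/lib/example-lib-1.0.jar,
    with a second copy of the same jar at lib/ (the multiple-copies case)."""
    manifest = (b"Manifest-Version: 1.0\r\n"
                b"Implementation-Title: example-lib\r\n"
                b"Implementation-Version: 1.0.0\r\n"
                b"\r\n"
                b"Name: org/example/Foo.class\r\n"
                b"SHA-256-Digest: AAAA\r\n")
    lib_jar = make_zip({"META-INF/MANIFEST.MF": manifest,
                        "META-INF/EXAMPLE.RSA": b"\x00",          # stand-in signer block
                        "org/example/Foo.class": b"\xca\xfe\xba\xbe"})
    war = make_zip({"WEB-INF/web.xml": b"<web-app/>",
                    "WEB-INF/lib/example-lib-1.0.jar": lib_jar})
    return make_zip({"app.war": war, "lib/example-lib-1.0.jar": lib_jar, "README.txt": b"demo"})


if __name__ == "__main__":
    for rec in catalog(sample_product_build(), "product-1.0-build7"):
        print(rec["build"], rec["path"], rec["title"], rec["version"], rec["sha512"][:16], rec["signers"])
```

Because the two copies of the jar hash to the same sha-512, a query on the resulting records by fingerprint finds both locations in one go, which is the property the matching step relies on.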



 • Jenkins runs a scheduled job to check for newly
   released software
 • New artifacts are automatically run through jboss-
   manifest
 • System sends email alerts to SRT
 • When the victi.ms DB is updated, a jenkins job can
   be triggered to check for vulnerabilities in released
   software




Victi.ms DB

 • Open source project by Steve Milner
 • Maintains a web-based canonical database of
   vulnerable JARs, open to submissions from the
   community
 • By querying across the manifest and victi.ms
   databases, we get a report on all vulnerable builds
 • Code available here:
   https://bitbucket.org/ashcrow/victims/overview
 • Hosted instance here:
   http://victi.ms/



 • Red Hat maintains hashes for all flaws that affect
   components we ship
 • More community effort needed to make the database
   comprehensive
 • Potential for future automation, linking CVE/CPE
   (SCAP) mappings to JARs in the central repo




Enforce-victims-rule maven plugin

 • Builds on the maven enforcer plugin to check a
   maven project's dependencies against the victi.ms
   database of known vulnerable artifacts.
 • Checks are based on both metadata (artifact name
   and version) and JAR file hashes
 • Checks can be configured to trigger either warnings
   or fatal errors
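The matching step from the Solution slides and the plugin's checks described above, as one added example written for this page (not the enforce-victims-rule plugin's code): a victims-style table is matched against a project's dependency jars both by sha-512 fingerprint and by artifact-plus-version metadata, and each hit is reported at a configurable level. The table schema, the CVE ids, the jar bytes and the level names ("warning"/"fatal") are constructed placeholders for the demo.

```python
"""Build-time check of dependencies against a victims-style DB (added example)."""
import hashlib
import sqlite3

# Constructed stand-in for the bytes of a known-vulnerable jar.
VULNERABLE_JAR = b"PK constructed bytes of a vulnerable jar"

SCHEMA = """
CREATE TABLE victims (
    cve      TEXT NOT NULL,
    sha512   TEXT,     -- fingerprint of a known-bad jar; NULL when only metadata is known
    artifact TEXT,     -- metadata match: artifact id
    version  TEXT      -- metadata match: exact version string
);
"""


def constructed_db() -> sqlite3.Connection:
    """In-memory table with one fingerprinted entry and one metadata-only entry (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO victims VALUES (?, ?, ?, ?)", [
        ("CVE-0000-0001", hashlib.sha512(VULNERABLE_JAR).hexdigest(), "example-lib", "1.0.0"),
        ("CVE-0000-0002", None, "other-lib", "2.3.1"),
    ])
    return conn


def check_dependencies(conn, deps, metadata="warning", fingerprint="fatal"):
    """Match each (artifact, version, jar_bytes) against the table.

    A fingerprint hit is reported at the `fingerprint` level, a metadata-only hit
    at the `metadata` level. Returns (findings, build_should_fail).
    """
    findings, failed = [], False
    for artifact, version, data in deps:
        digest = hashlib.sha512(data).hexdigest()
        rows = conn.execute(
            "SELECT cve, sha512 = ? AS by_hash FROM victims "
            "WHERE sha512 = ? OR (artifact = ? AND version = ?)",
            (digest, digest, artifact, version),
        ).fetchall()
        for cve, by_hash in rows:
            level = fingerprint if by_hash else metadata   # by_hash is NULL/None for metadata rows
            findings.append({
                "artifact": artifact, "version": version, "cve": cve,
                "match": "fingerprint" if by_hash else "metadata", "level": level,
            })
            failed = failed or level == "fatal"
    return findings, failed


if __name__ == "__main__":
    # Constructed dependency set: the bad jar under its own name, the same bytes under
    # a different name, a patched version, a metadata-only hit, and a clean jar.
    deps = [
        ("example-lib", "1.0.0", VULNERABLE_JAR),
        ("renamed-lib", "0.0", VULNERABLE_JAR),
        ("example-lib", "1.0.1", b"PK constructed bytes of the patched jar"),
        ("other-lib", "2.3.1", b"PK constructed bytes of other-lib"),
        ("clean-lib", "9.9", b"PK constructed bytes of a clean jar"),
    ]
    found, fail = check_dependencies(constructed_db(), deps)
    for f in found:
        print(f"[{f['level'].upper()}] {f['artifact']}:{f['version']} {f['cve']} ({f['match']} match)")
    raise SystemExit(1 if fail else 0)
```

The renamed-lib case is why the hash check matters: a jar that has been re-labelled or repackaged no longer matches on artifact name and version, but its bytes still match the fingerprint. Conversely the other-lib entry has no fingerprint, so it can only be caught by metadata; treating metadata hits as warnings and fingerprint hits as fatal mirrors the two levels the slide describes.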




Demonstration




Commercial tools

 • Sonatype “Insight App Health Check”
      –   Includes source licensing and security checks
      –   Available as GUI/maven plugin
      –   Operates using remote service
      –   $499 (per app?)
 • Aspect Security “Contrast”
      –   Identifies flaws in your own code
      –   Maven plugin
      –   Doesn't handle known flaws in dependencies yet
      –   Free version, commercial $199-399/mo


Resources

 • http://victi.ms
 • https://bitbucket.org/ashcrow/victims/overview
 • http://search.maven.org/#artifactdetails|com.redhat.victims|enforce-victims-rule|1.0|jar




Questions?




  SECURITY RESPONSE TEAM | RED HAT INC.   24

Weitere ähnliche Inhalte

Was ist angesagt?

Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approachAntonio Parata
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMApostolos Giannakidis
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)CODE WHITE GmbH
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Apostolos Giannakidis
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera SoftwareOWASP
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCanSecWest
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkVeilFramework
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCanSecWest
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)Jooho Lee
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesAlex Senkevitch
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration TestingOWASP
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application SecurityChong-Kuan Chen
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Priyanka Aash
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysisChong-Kuan Chen
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment Sergey Gordeychik
 
Defending against Java Deserialization Vulnerabilities
 Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization VulnerabilitiesLuca Carettoni
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationAlex Senkevitch
 

Was ist angesagt? (20)

Securing your web applications a pragmatic approach
Securing your web applications a pragmatic approachSecuring your web applications a pragmatic approach
Securing your web applications a pragmatic approach
 
Mitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVMMitigating Java Deserialization attacks from within the JVM
Mitigating Java Deserialization attacks from within the JVM
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
Java Deserialization Vulnerabilities - The Forgotten Bug Class (DeepSec Edition)
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-framework
 
Csw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelistingCsw2016 freingruber bypassing_application_whitelisting
Csw2016 freingruber bypassing_application_whitelisting
 
OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)OpenSCAP Overview(security scanning for docker image and container)
OpenSCAP Overview(security scanning for docker image and container)
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It PosesEnterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
Enterprise Java: Just What Is It and the Risks, Threats, and Exposures It Poses
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
 
Android Application Security
Android Application SecurityAndroid Application Security
Android Application Security
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
 
Automatic tool for static analysis
Automatic tool for static analysisAutomatic tool for static analysis
Automatic tool for static analysis
 
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
WebGoat.SDWAN.Net in Depth: SD-WAN Security Assessment
 
Defending against Java Deserialization Vulnerabilities
 Defending against Java Deserialization Vulnerabilities Defending against Java Deserialization Vulnerabilities
Defending against Java Deserialization Vulnerabilities
 
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-AutomationDevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
DevSecOps: A Secure SDLC in the Age of DevOps and Hyper-Automation
 
Fortify dev ops (002)
Fortify   dev ops (002)Fortify   dev ops (002)
Fortify dev ops (002)
 

Ähnlich wie Tracking vulnerable JARs

Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsBlack Duck by Synopsys
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline SecurityJames Wickett
 
Open-Source Security Management and Vulnerability Impact Assessment
Open-Source Security Management and Vulnerability Impact AssessmentOpen-Source Security Management and Vulnerability Impact Assessment
Open-Source Security Management and Vulnerability Impact AssessmentPriyanka Aash
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013drewz lin
 
vulnerable and outdated components.pptx
vulnerable and outdated components.pptxvulnerable and outdated components.pptx
vulnerable and outdated components.pptxwaleejhaider1
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsCheckmarx
 
Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerDenim Group
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris WysopalThreat Stack
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Canturk Isci
 
Preventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source SoftwarePreventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source SoftwareAll Things Open
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionSergey Sotnikov
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOpsBlack Duck by Synopsys
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...Neil Matatall
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar NikaleAgile Testing Alliance
 
Project Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docxProject Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docxsimonlbentley59018
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to AdversariesDerek E. Weeks
 

Ähnlich wie Tracking vulnerable JARs (20)

Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
Open-Source Security Management and Vulnerability Impact Assessment
Open-Source Security Management and Vulnerability Impact AssessmentOpen-Source Security Management and Vulnerability Impact Assessment
Open-Source Security Management and Vulnerability Impact Assessment
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
vulnerable and outdated components.pptx
vulnerable and outdated components.pptxvulnerable and outdated components.pptx
vulnerable and outdated components.pptx
 
Dependency check
Dependency checkDependency check
Dependency check
 
AppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOpsAppSec How-To: Achieving Security in DevOps
AppSec How-To: Achieving Security in DevOps
 
Application Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability ManagerApplication Security Program Management with Vulnerability Manager
Application Security Program Management with Vulnerability Manager
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
 
Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)Vulnerability Advisor Deep Dive (Dec 2016)
Vulnerability Advisor Deep Dive (Dec 2016)
 
Preventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source SoftwarePreventing Supply Chain Attacks on Open Source Software
Preventing Supply Chain Attacks on Open Source Software
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
 
OWASP Dependency-Track Introduction
OWASP Dependency-Track IntroductionOWASP Dependency-Track Introduction
OWASP Dependency-Track Introduction
 
Software Security Assurance for DevOps
Software Security Assurance for DevOpsSoftware Security Assurance for DevOps
Software Security Assurance for DevOps
 
Introduction to maven
Introduction to mavenIntroduction to maven
Introduction to maven
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
#ATAGTR2019 Presentation "DevSecOps with GitLab" By Avishkar Nikale
 
Project Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docxProject Penetration Testing Report(20 Points)Scenario.docx
Project Penetration Testing Report(20 Points)Scenario.docx
 
7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries7 Reasons Your Applications are Attractive to Adversaries
7 Reasons Your Applications are Attractive to Adversaries
 

Kürzlich hochgeladen

Complete Benefits of career counseling in India
Complete Benefits of career counseling in IndiaComplete Benefits of career counseling in India
Complete Benefits of career counseling in IndiaMere Mentor
 
Banged Dubai Call Girls O525547819 Call Girls Dubai
Banged Dubai Call Girls O525547819 Call Girls DubaiBanged Dubai Call Girls O525547819 Call Girls Dubai
Banged Dubai Call Girls O525547819 Call Girls Dubaikojalkojal131
 
Nathan_Baughman_Resume_copywriter_and_editor
Nathan_Baughman_Resume_copywriter_and_editorNathan_Baughman_Resume_copywriter_and_editor
Nathan_Baughman_Resume_copywriter_and_editorNathanBaughman3
 
Abanoub Ghobrial, Planning Team Leader.pdf
Abanoub Ghobrial, Planning Team Leader.pdfAbanoub Ghobrial, Planning Team Leader.pdf
Abanoub Ghobrial, Planning Team Leader.pdfAbanoubGhobrial1
 
Training for Deaconess, biblical qualifications.ppt
Training for Deaconess, biblical qualifications.pptTraining for Deaconess, biblical qualifications.ppt
Training for Deaconess, biblical qualifications.pptVidalMendoza5
 
What is the career path of a VFX artist?
What is the career path of a VFX artist?What is the career path of a VFX artist?
What is the career path of a VFX artist?santoshjadhav126
 
APSC Motor Vechile Inspector 18 Posts.pdf
APSC Motor Vechile Inspector 18 Posts.pdfAPSC Motor Vechile Inspector 18 Posts.pdf
APSC Motor Vechile Inspector 18 Posts.pdfsoumita869
 
Abanoub Ghobrial, Planning Team Leader.pdf
Abanoub Ghobrial, Planning Team Leader.pdfAbanoub Ghobrial, Planning Team Leader.pdf
Abanoub Ghobrial, Planning Team Leader.pdfAbanoubGhobrial1
 
dentinalhypersensitivity, classification and material used
dentinalhypersensitivity,  classification and material useddentinalhypersensitivity,  classification and material used
dentinalhypersensitivity, classification and material usedaishwaryakhare5
 
Design, Desire and Demand Presentation.pptx
Design, Desire and Demand Presentation.pptxDesign, Desire and Demand Presentation.pptx
Design, Desire and Demand Presentation.pptxaaronbasko1
 
How To Land Your Next PM Dream Job - PMISSC Meeting - April 2024
How To Land Your Next PM Dream Job - PMISSC Meeting - April 2024How To Land Your Next PM Dream Job - PMISSC Meeting - April 2024
How To Land Your Next PM Dream Job - PMISSC Meeting - April 2024Hector Del Castillo, CPM, CPMM
 
Bobby singh - Digital Marketing Service
Bobby singh -  Digital Marketing ServiceBobby singh -  Digital Marketing Service
Bobby singh - Digital Marketing ServiceBobby singh
 
加拿大MUN学位证,纽芬兰纪念大学毕业证书1:1制作
加拿大MUN学位证,纽芬兰纪念大学毕业证书1:1制作加拿大MUN学位证,纽芬兰纪念大学毕业证书1:1制作
加拿大MUN学位证,纽芬兰纪念大学毕业证书1:1制作rpb5qxou
 
Thomas Calculus 12th Edition Textbook and helping material
Thomas Calculus 12th Edition Textbook and helping materialThomas Calculus 12th Edition Textbook and helping material
Thomas Calculus 12th Edition Textbook and helping materialsafdarhussainbhutta4
 
LinkedIn for Your Job Search in April 2024
LinkedIn for Your Job Search in April 2024LinkedIn for Your Job Search in April 2024
LinkedIn for Your Job Search in April 2024Bruce Bennett
 
Human Rights are notes and helping material
Human Rights are notes and helping materialHuman Rights are notes and helping material
Human Rights are notes and helping materialnadeemcollege26
 
怎么办理美国UCLA毕业证加州大学洛杉矶分校学位证书一手渠道
怎么办理美国UCLA毕业证加州大学洛杉矶分校学位证书一手渠道怎么办理美国UCLA毕业证加州大学洛杉矶分校学位证书一手渠道
怎么办理美国UCLA毕业证加州大学洛杉矶分校学位证书一手渠道7283h7lh
 
The Next Things To Immediately Do About Mating Press
The Next Things To Immediately Do About Mating PressThe Next Things To Immediately Do About Mating Press
The Next Things To Immediately Do About Mating Pressmatingpress170
 
401799841-Increasing-Crimes-and-Suicides-Among-Youth.pptx
401799841-Increasing-Crimes-and-Suicides-Among-Youth.pptx401799841-Increasing-Crimes-and-Suicides-Among-Youth.pptx
401799841-Increasing-Crimes-and-Suicides-Among-Youth.pptxwaghmare9860lavin
 
Jumark Morit Diezmo- Career portfolio- BPED 3A
Jumark Morit Diezmo- Career portfolio- BPED 3AJumark Morit Diezmo- Career portfolio- BPED 3A
Jumark Morit Diezmo- Career portfolio- BPED 3Ajumarkdiezmo1
 

Kürzlich hochgeladen (20)

Complete Benefits of career counseling in India
Complete Benefits of career counseling in IndiaComplete Benefits of career counseling in India
Complete Benefits of career counseling in India
 
Banged Dubai Call Girls O525547819 Call Girls Dubai
Banged Dubai Call Girls O525547819 Call Girls DubaiBanged Dubai Call Girls O525547819 Call Girls Dubai
Banged Dubai Call Girls O525547819 Call Girls Dubai
 
Nathan_Baughman_Resume_copywriter_and_editor
Nathan_Baughman_Resume_copywriter_and_editorNathan_Baughman_Resume_copywriter_and_editor
Nathan_Baughman_Resume_copywriter_and_editor
 
Abanoub Ghobrial, Planning Team Leader.pdf
Abanoub Ghobrial, Planning Team Leader.pdfAbanoub Ghobrial, Planning Team Leader.pdf
Abanoub Ghobrial, Planning Team Leader.pdf
 

Tracking vulnerable JARs

  • 1. Tracking vulnerable JARs
    Ruxcon 2012
    David Jorm, djorm@redhat.com
  • 2. Contents
    – JAR (security) hell
    – Example (CVE-2010-1622)
    – JBoss products
    – Solution
    – jboss-manifest
    – Victi.ms DB
    – Enforce-victims-rule maven plugin
    – Demonstration
    SECURITY RESPONSE TEAM | RED HAT INC.
  • 3. JAR (security) hell
    • Java/J2EE apps rely on a large number of libraries
    • There are several ways of handling this, but all rely on the application bundling its own dependencies.
    • Similar to every binary on a system being statically compiled, with no dynamically linked libraries
    • Library JARs are typically included as dependencies using build tools like maven that draw them from public repositories
    • The maven central repo is the most “canonical” source of compiled JARs
  • 4. JAR (security) hell
    • Aspect Security performed a study [1] in March 2012 that showed 29.8 million (26%) of library downloads from the maven central repository are for versions with known flaws
    • The study recommends app developers:
      – Provide tailored security policies that can be leveraged by the Java Security Manager to ensure limited impact of any exposure.
      – Enforce scans of dependencies against a known vulnerability DB.
      – Internalize and self manage Maven repositories to ensure absolute control of dependencies.
    [1] https://www.aspectsecurity.com/uploads/downloads/2012/03/Aspect-Security-The-Unfortunate-Reality-of-Insecure-Libraries.pdf
  • 5. Example: CVE-2010-1622 in Spring (hi Meder)
    Source: http://www.sonatype.com/Products/Why-Sonatype/Reduce-Security-Risk/Security-Brief
  • 6. Example: CVE-2010-1622
    • How do you know your application is vulnerable and needs to be recompiled? How do you know to update your dependencies?
  • 7. Example: CVE-2010-1622
    • Track upstream website? Use alert service? Secunia, iSight, etc.?
    • How to communicate this to developers? How to map dependencies to CVEs?
  • 8. JBoss Products
    • JBoss products are bundled with all dependent JARs, rather than using a dependency management system
    • Components within JBoss products bundle their own JARs
    • We often have multiple copies and/or multiple versions of the same JAR within one product
    • When a vulnerability is found in a JAR, how do we patch our products comprehensively?
  • 9. Solution
    • Collate all released/engineering product builds
    • Recursively unpack them and generate a complete manifest database cataloging the JARs used by each build
    • Match the manifest database against a database of known vulnerable JARs
    • Perform a check against the database at build time
  • 10. Solution
  • 11. Solution
    • Requires three components:
      – jboss-manifest: a JAR manifest generator that recursively unpacks projects distributed as zip files to generate a text- and SQL-based manifest of their packaged JARs
      – victims database: a canonical database of known-vulnerable JARs, identified by sha-512 fingerprints and linked to CVE IDs
      – enforce-victims-rule: a maven plugin to detect known-vulnerable JARs at build time based on the victi.ms database
  • 12. jboss-manifest
  • 13. jboss-manifest
  • 14. jboss-manifest
    • 1) Recursively unpack archives – zip, war, ear etc.
    • 2) Within each archive, find all jar files
    • 3) For each jar file get information from:
      – The file itself
      – The contents of META-INF/MANIFEST.MF
      – The signer information in META-INF/*.DSA and META-INF/*.RSA
      – Checksum
    • 4) For each jar file write a record to the manifest DB, matching the record to the product build containing this jar
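The four steps above, as an added Python example written for this page; it is not the jboss-manifest tool itself. It walks a nested zip > ear > war > jar layout held in memory, reads MANIFEST.MF (including wrapped continuation lines), records any signature block files and the sha-512, and writes one row per JAR keyed to the product build. The archive layout, the build name "product-1.0-build-42", the made-up artifact names and the sqlite schema are all assumptions, and the sample build is constructed inline.

```python
# Added example (not the jboss-manifest tool): a JAR cataloguer that follows the
# four steps above. Archive layout, build name and schema are assumptions.
import hashlib
import io
import sqlite3
import zipfile

ARCHIVE_SUFFIXES = (".zip", ".war", ".ear", ".sar", ".jar")  # descend into these
SIGNER_SUFFIXES = (".DSA", ".RSA", ".EC")  # META-INF signature block files
SCHEMA = ("CREATE TABLE IF NOT EXISTS jars (build TEXT, path TEXT, sha512 TEXT, "
          "size INTEGER, impl_title TEXT, impl_version TEXT, signers TEXT)")

def parse_manifest(text):
    """Main section of MANIFEST.MF as a dict; a leading space continues the previous value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if not line:
            break  # blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value[1:] if value.startswith(" ") else value
    return attrs

def walk_jars(blob, path=""):
    """Steps 1-2: yield (path inside the build, jar bytes); JARs are also descended into."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            full = f"{path}/{name}" if path else name
            data = zf.read(name)
            if name.lower().endswith(".jar"):
                yield full, data
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from walk_jars(data, full)

def describe_jar(path, blob):
    """Step 3: size, sha-512, MANIFEST.MF attributes and signer files."""
    rec = {"path": path, "size": len(blob), "sha512": hashlib.sha512(blob).hexdigest(),
           "manifest": {}, "signers": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as jar:
        names = jar.namelist()
        if "META-INF/MANIFEST.MF" in names:
            rec["manifest"] = parse_manifest(
                jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        rec["signers"] = sorted(n for n in names if n.startswith("META-INF/")
                                and n.upper().endswith(SIGNER_SUFFIXES))
    return rec

def generate_manifest(build, archive, conn):
    """Step 4: one row per JAR, keyed to the product build that contains it."""
    conn.execute(SCHEMA)
    records = []
    for path, blob in walk_jars(archive):
        rec = describe_jar(path, blob)
        m = rec["manifest"]
        conn.execute("INSERT INTO jars VALUES (?,?,?,?,?,?,?)",
                     (build, path, rec["sha512"], rec["size"], m.get("Implementation-Title"),
                      m.get("Implementation-Version"), ",".join(rec["signers"])))
        records.append(rec)
    conn.commit()
    return records

def duplicate_jars(conn):
    """Identical bytes shipped at more than one path (the multiple-copies problem)."""
    return conn.execute("SELECT sha512, COUNT(*) FROM jars GROUP BY sha512 "
                        "HAVING COUNT(*) > 1").fetchall()

def build_zip(entries):
    """Constructed-input helper: build a zip/jar in memory from (name, data) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()

def sample_build():
    """Constructed product.zip > app.ear > web.war (made-up names): one JAR twice, one signed."""
    core = build_zip([("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Title: "
                       "example-core\r\nImplementation-Version: 1.2.3\r\n\r\n")])
    util = build_zip([("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nImplementation-Title: "
                       "example-util\r\nImplementation-Version: 2.0\r\nImplementation-Vendor: "
                       "Example Org, wrapped over \r\n two lines\r\n\r\n"),
                      ("META-INF/EXAMPLE.RSA", b"\x30\x03\x02\x01\x00")])
    war = build_zip([("WEB-INF/lib/example-core-1.2.3.jar", core),
                     ("WEB-INF/lib/example-util-2.0.jar", util)])
    ear = build_zip([("web.war", war), ("lib/example-core-1.2.3.jar", core)])
    return build_zip([("product-1.0/app.ear", ear)])

def run_sample(build="product-1.0-build-42"):
    """Catalogue the constructed build into an in-memory manifest DB."""
    conn = sqlite3.connect(":memory:")
    return generate_manifest(build, sample_build(), conn), conn

if __name__ == "__main__":
    records, conn = run_sample()
    for r in records:
        print(r["path"], r["sha512"][:16], r["manifest"].get("Implementation-Version"), r["signers"])
    print("shipped more than once:", duplicate_jars(conn))
```

run_sample() returns the records and the open connection. duplicate_jars() is the query behind the multiple-copies observation on slide 8: once every JAR is keyed by content hash rather than by path or version string, the same bytes shipped twice inside one product fall out of a single GROUP BY, and the same hash is what the victims database is keyed on.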
  • 15. jboss-manifest
    • Jenkins is used to run a scheduled job to check for newly released software
    • New artifacts are automatically run through jboss-manifest
    • System sends email alerts to SRT
    • When the victi.ms DB is updated, a jenkins job can be triggered to check for vulnerabilities in released software
  • 16. Victi.ms DB
    • Open source project by Steve Milner
    • Maintains a web-based canonical database of vulnerable JARs, open to submissions from the community
    • By querying across the manifest and victi.ms databases, we get a report on all vulnerable builds
    • Code available here: https://bitbucket.org/ashcrow/victims/overview
    • Hosted instance here: http://victi.ms/
  • 17. Victi.ms DB
    • Red Hat maintains hashes for all flaws that affect components we ship
    • More community effort needed to make the database comprehensive
    • Potential for future automation, linking CVE/CPE (SCAP) mappings to JARs in the central repo
  • 18. Enforce-victims-rule maven plugin
    • Builds on the maven enforcer plugin to check a maven project's dependencies against the victi.ms database of known vulnerable artifacts
    • Checks are based on both metadata (artifact name and version) and JAR file hashes
    • Checks can be configured to trigger either warnings or fatal errors
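The two checks described on this slide, and the matching of a build's JARs against victims records that slides 11 and 16 rely on, as an added Python example; this is not the enforce-victims-rule plugin or its configuration. The record layout is a simplified victims-style schema assumed here. CVE-2010-1622 is the deck's own example, but the spring-beans 3.0.2.RELEASE coordinates attached to it and every JAR byte string below are assumptions made for the illustration, not data from victi.ms.

```python
# Added example (not the enforce-victims-rule plugin): the metadata and fingerprint
# checks of a victims-style build gate. Record layout is a simplified assumption;
# the artifact coordinates for CVE-2010-1622 and all JAR bytes are constructed.
import hashlib

def sha512(data):
    return hashlib.sha512(data).hexdigest()

# Constructed stand-in for the bytes of the fingerprinted vulnerable JAR.
VULN_JAR = b"constructed stand-in for the bytes of the fingerprinted vulnerable JAR"

# One victims-style record: hash of the fingerprinted JAR plus the CVE and the
# coordinates it was taken from (coordinates assumed for this example).
VICTIMS_DB = [
    {"cve": "CVE-2010-1622", "group": "org.springframework", "artifact": "spring-beans",
     "version": "3.0.2.RELEASE", "sha512": sha512(VULN_JAR)},
]

class VictimsViolation(Exception):
    """Raised when the rule runs in fatal mode and at least one check matched."""

class VictimsRule:
    """metadata: group:artifact:version equals a vulnerable record's coordinates.
    fingerprint: sha-512 of the resolved JAR equals a vulnerable record's hash."""

    def __init__(self, db, metadata=True, fingerprint=True, fatal=True):
        self.by_coord = {(r["group"], r["artifact"], r["version"]): r for r in db}
        self.by_hash = {r["sha512"]: r for r in db}
        self.metadata, self.fingerprint, self.fatal = metadata, fingerprint, fatal

    def check(self, deps):
        """One (coordinate, check, cve) finding per check that matched a dependency."""
        findings = []
        for dep in deps:
            coord = (dep["group"], dep["artifact"], dep["version"])
            label = ":".join(coord)
            if self.metadata and coord in self.by_coord:
                findings.append((label, "metadata", self.by_coord[coord]["cve"]))
            digest = sha512(dep["bytes"])
            if self.fingerprint and digest in self.by_hash:
                findings.append((label, "fingerprint", self.by_hash[digest]["cve"]))
        return findings

    def execute(self, deps):
        """Report every finding; fail the build (raise) only in fatal mode."""
        findings = self.check(deps)
        level = "ERROR" if self.fatal else "WARNING"
        for label, how, cve in findings:
            print(f"[{level}] {label} matches {cve} by {how}")
        if findings and self.fatal:
            raise VictimsViolation(f"{len(findings)} vulnerable dependency matches")
        return findings

def sample_dependencies():
    """Constructed resolved dependencies of a build (all bytes are placeholders)."""
    return [
        # the fingerprinted artifact itself: both checks fire
        {"group": "org.springframework", "artifact": "spring-beans",
         "version": "3.0.2.RELEASE", "bytes": VULN_JAR},
        # the same bytes shaded into another artifact: only the fingerprint catches it
        {"group": "com.example", "artifact": "example-app-deps", "version": "1.0",
         "bytes": VULN_JAR},
        # same coordinates but rebuilt bytes (e.g. a patched rebuild that kept the
        # version string): only metadata fires, a false positive if it really was patched
        {"group": "org.springframework", "artifact": "spring-beans",
         "version": "3.0.2.RELEASE", "bytes": b"constructed bytes of a rebuilt jar"},
        # a version with no record in the database: clean
        {"group": "org.springframework", "artifact": "spring-beans",
         "version": "3.0.3.RELEASE", "bytes": b"constructed bytes of another jar"},
    ]

if __name__ == "__main__":
    VictimsRule(VICTIMS_DB, fatal=False).execute(sample_dependencies())
```

The second dependency is why the hash check exists: a JAR shaded or re-bundled under other coordinates (the JBoss situation on slide 8) never matches on metadata. The third shows the converse caveat: a rebuilt JAR that kept the upstream version string matches on metadata only, which is a false positive when the rebuild carried the fix, and is a good reason to run in warning mode first and look at which check fired before making the rule fatal.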
  • 19. Enforce-victims-rule maven plugin
  • 20. Enforce-victims-rule maven plugin
  • 21. Demonstration
  • 22. Commercial tools
    • Sonatype “Insight App Health Check”
      – Includes source licensing and security checks
      – Available as GUI/maven plugin
      – Operates using remote service
      – $499 (per app?)
    • Aspect Security “Contrast”
      – Identifies flaws in your own code
      – Maven plugin
      – Doesn't handle known flaws in dependencies yet
      – Free version, commercial $199-399/mo
  • 23. Resources
    • http://victi.ms
    • https://bitbucket.org/ashcrow/victims/overview
    • http://search.maven.org/#artifactdetails|com.redhat.victims|enforce-victims-rule|1.0|jar
  • 24. Questions?
