Software Supply Chain Security and Components with Known Vulnerabilities
Video: https://youtu.be/hYcGFs1H6kU

Software Supply Chain Security
A9: Using Components with Known Vulnerabilities

Agenda
• OWASP Top 10. 2017. A9. Using Components with Known Vulnerabilities
• Example 1. NodeJS + decompress npm package
• Example 2. Ruby on Rails + rubyzip gem
• Recommendations and tools
• Q&A

Is the Application Vulnerable?
• You do not know the versions of all components you use
• Software is vulnerable, unsupported, or out of date
• You do not scan for vulnerabilities regularly
• You do not subscribe to security bulletins
• You do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion
• Developers do not test the compatibility of updated, upgraded, or patched libraries
• You do not secure the components’ configurations (OWASP Top 10 A6:2017-Security Misconfiguration)
Example 1. NodeJS + decompress npm package
Example 2. Ruby on Rails + rubyzip gem
SAMM 2.0

OWASP Application Security Verification Standard

Tools
• npm audit
• Retire.js
• Vulners agent/nmap/nessus/etc.
• OWASP Dependency-Check
• OWASP Dependency-Track
OWASP Dependency-Check
• https://owasp.org/www-project-dependency-check/
• Version 5.3.2
• Command Line
• Ant Task
• Maven Plugin
• Gradle Plugin
• Jenkins/SBT/Leiningen Plugin

OWASP Dependency-Track
• 3.8.0
• Intelligent Supply Chain Component Analysis platform
• Open Source
• Dashboard
• API and Integration

Links
https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/
https://owasp.org/www-project-dependency-check/
https://owasp.org/www-project-dependency-track/
https://owasp.org/www-project-application-security-verification-standard/
https://owasp.org/www-project-samm/

Q&A