Vulnerable Dependencies - Going Beyond Discovery

Transcript

1. June 2020 Omer Levi Hevroni | AppSec Engineer | [email protected]

   Dependency Management - Going Beyond Discovery

2. Most dangerous command? npm install @omerlh

3. Direct vs Indirect dependencies Source: State of Open Source 2019

   Sub headline will be here @omerlh

4. What about vulnerable packages? Source: OWASP Top 10 2017 Sub

   headline will be here @omerlh

5. Vulnerability Severities by Year Source: State of Open Source 2019

   @omerlh

6. How we can check our dependencies? @omerlh

7. Or Just “npm install” @omerlh

8. confidential Finding vulnerabilities is easy @omerlh

9. What we do with all those finding? @omerlh

10. Zen and Art of Traiging confidential Zen and Art of

    Traiging @omerlh

11. I’m a developer @omerlh

12. AppSec Engineer @ Snyk @omerlh

13. Zen and Art of Traiging confidential Zen and Art of

    Traiging @omerlh

14. 0. Remediate all the vulns! @omerlh

15. • Triage • Figure Upgrade statertegy • Open a fix

    PR • Wait for tests • Deploy • Pray Easy Peasy? @omerlh

16. confidential

17. 1. Automation @omerlh

18. Automatic Fixes using GitHub @omerlh

19. • Review • Merge • Deploy • Monitor • Pray

    Are we done? @omerlh

20. 1.a Full Automation @omerlh

21. • Auto Merge • GitOps • Canary • Auto heal

    • Auto update dependencies What we need? @omerlh

22. Result - Noise! Sub headline will be here @omerlh

23. confidential

24. 2. Prioritize “All vulnerabilities are dangerous, but some vulnerabilities are

    more dangerous than others” @omerlh

25. Should we care about this vulnerability? Sub headline will be

    here @omerlh

26. • Do we use the vulnerable method? • How long

    since this vulnerability disclosed? • How long since it was reported on this project? • Is there a known exploit? • Does this service handle PII? • Does this service exposed to the internet? Interesting Factors @omerlh

27. Why should we care about exploitability? Source: Snyk Blog @omerlh

28. Severity != Risk @omerlh

29. Do we need all those packages? @omerlh

30. 3. Visibility @omerlh

31. “ You can’t manage what you can’t measure “ Peter

    Drucker @omerlh

32. • Average severity per service/team/group • Median time to remediate

    • # of vulnerabilities per service/team/group • Learning from SRE world Interesting Metrics @omerlh

33. OWASP Defect Dojo Sub headline will be here @omerlh

34. • Hall of Fame • Weekly/Monthly reports • Slack updates

    • Part of service/team/company SLA • Bottom up/top down strategy Using the metric @omerlh

35. 4. Communication @omerlh

36. • Developers • Product manager • Stakeholders Who is our

    audience? @omerlh

37. Bad - no one understand this! Sub headline will be

    here @omerlh

38. • “Hackers can steal user data” • “Hackers can cause

    denial of service” • Link to business requirements ◦ “As a user, I want to store my email” ◦ “As a user I want to buy apples” Good - business impact @omerlh

39. Wrapping Up @omerlh

40. Zen and the Art of Triaging Automation Prioritization Visibility Communication

    @omerlh

41. • Docker containers? • Virtual machines? • Even more challenging

    areas • Use the same principles Wait, what about... @omerlh

42. Questions?

43. Thank You! @omerlh