Slide 1

Sean Sullivan October 17, 2017 Portland Java Users Group

Slide 2

About me

• software engineer
• 21 years on the JVM
• Scala since 2011
• back office systems

Java is fine.

Slide 3

September 7, 2017

Slide 4

www.equifax.com

Slide 5

Last Week Tonight — October 15, 2017

Slide 6

Last Week Tonight — October 15, 2017

Slide 10

We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638.

September 2017

Slide 11

https://nvd.nist.gov

Slide 12

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload

CVE-2017-5638

Slide 13

allows remote attackers to execute arbitrary commands

CVE-2017-5638

Slide 14

via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string

CVE-2017-5638

Slide 15

http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

Slide 16

http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

Slide 17

Struts 2.x internals

Slide 18

OGNL expressions

Slide 19

com.opensymphony.xwork2.ognl.OgnlUtil

Slide 20

ognl.OgnlRuntime

Slide 21

    import java.lang.reflect.*;

    public static Object invokeMethod(
            Object target, Method method, Object[] argsArray)

OgnlRuntime.java

Slide 22

September 9, 2017

Slide 23

September 14, 2017

Slide 24

October 3, 2017

Slide 25

security advice from the Apache Software Foundation

Slide 26

Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.

apache.org — September 9, 2017

Slide 27

Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries need to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months.

apache.org — September 9, 2017

Slide 28

Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless.

apache.org — September 9, 2017

Slide 29

Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework.

apache.org — September 9, 2017

Slide 30

Establish monitoring for unusual access patterns to your public Web resources. We recommend such monitoring as good operations practice for business critical Web-based services.

apache.org — September 9, 2017

Slide 31

Automatic patching?

Slide 32

I have talked to other software companies and people in this space who say some companies have an automated system that when a patch comes out it automatically gets installed. That is not what you had necessarily, right?

Rep Greg Walden — October 3, 2017

Slide 33

I am unaware of an automatic patch.

Richard Smith, former Equifax CEO — October 3, 2017

Slide 34

automatic dependency upgrades for Scala applications?

Slide 35

https://github.com/flowcommerce/dependency

Slide 36

https://twitter.com/mbryzek/status/913953394473172993

Slide 37

how to prevent Java applications from calling exec()

Slide 38

java.lang.SecurityManager

Slide 39

public void checkExec(String command)

Slide 40

    public class MySecurityManager extends SecurityManager {
        @Override
        public void checkExec(String command) {
            // invoked by the JVM before Runtime.exec() or ProcessBuilder.start()
            // spawns a subprocess; throwing here aborts the spawn
            throw new SecurityException("nope");
        }
    }
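
As an added example (not code from the talk or from Struts), the same idea carried one step further: the manager logs each refused exec() so the attempt can feed the monitoring the ASF advice recommends, and it refuses to be replaced once installed. The class name NoExecSecurityManager, the attempt counter and the "id" command are constructed for the demo; Runtime.exec() and ProcessBuilder.start() both call checkExec(), so a single override covers both paths.

```java
import java.io.IOException;
import java.security.Permission;
import java.util.concurrent.atomic.AtomicInteger;

// Added example (not from the talk): a SecurityManager that denies every
// attempt to spawn a subprocess. Runtime.exec() and ProcessBuilder.start()
// both call SecurityManager.checkExec(), so one override covers both paths.
public class NoExecSecurityManager extends SecurityManager {
    private final AtomicInteger blocked = new AtomicInteger();

    @Override
    public void checkExec(String cmd) {
        blocked.incrementAndGet();
        // A web app that suddenly tries to run a shell is the "unusual access
        // pattern" the ASF advice asks you to monitor: log it, then refuse.
        System.err.println("[security] blocked exec of: " + cmd);
        throw new SecurityException("subprocess execution is not permitted");
    }

    @Override
    public void checkPermission(Permission perm) {
        // Refuse to be replaced or removed once installed; everything else
        // falls through to the standard policy-based check.
        if (perm instanceof RuntimePermission
                && "setSecurityManager".equals(perm.getName())) {
            throw new SecurityException("security manager is locked");
        }
        super.checkPermission(perm);
    }

    public int blockedCount() { return blocked.get(); }

    // Installs the manager and reports whether both exec paths are blocked.
    // JDK 18+ needs -Djava.security.manager=allow (JEP 411) for setSecurityManager.
    public static boolean demo() throws IOException {
        NoExecSecurityManager sm = new NoExecSecurityManager();
        System.setSecurityManager(sm);
        boolean runtimeBlocked = false, builderBlocked = false;
        try {
            Runtime.getRuntime().exec("id");   // constructed command; never runs
        } catch (SecurityException e) { runtimeBlocked = true; }
        try {
            new ProcessBuilder("id").start();
        } catch (SecurityException e) { builderBlocked = true; }
        return runtimeBlocked && builderBlocked && sm.blockedCount() == 2;
    }

    public static void main(String[] args) throws IOException {
        System.out.println("exec blocked on both paths: " + demo());
    }
}
```

SecurityManager was deprecated for removal in Java 17 (JEP 411), and from JDK 18 the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to succeed, so treat this as one layer among several rather than the only control.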

Slide 41

How can I learn more about web application security?

Slide 42

www.owasp.org

Slide 43

October 4, 2017

Slide 44

Conclusion

• establish security layers
• consider java.lang.SecurityManager
• encrypt sensitive data
• adopt OWASP best practices

Slide 45

questions?

Slide 46

THE END

Slide 48

Bonus slides

Slide 49

Ars Technica — September 13, 2017
