Slide 1

Slide 1 text

FROSCON 2019 SECURITY TRACK
Security in open source projects
José Manuel Ortega @jmortegac

Slide 2

Slide 2 text

@jmortegac jmortega.github.io about.me/jmortegac

Slide 3

Slide 3 text

CONFERENCES http://jmortega.github.io/

Slide 4

Slide 4 text

CONFERENCES

Slide 5

Slide 5 text

AGENDA

Slide 6

Slide 6 text

AGENDA

Slide 7

Slide 7 text

AGENDA
● Security in open source projects
● Vulnerabilities in dependencies
● Detecting vulnerabilities in the code base
● Improving security in open source

Slide 8

Slide 8 text

Functionality vs security
● Security is always a secondary concern
● The primary goal of software is to provide some functionality or service
● Managing the risks associated with the software we are developing is a derived, secondary concern

Slide 9

Slide 9 text

Functionality vs security: functionality is about what software should do; security is (also) about what it should not do.

Slide 10

Slide 10 text

Functionality vs security

Slide 11

Slide 11 text

Coding Flaws
● Flaws that can be understood by looking at the program itself
  ○ confusing two program variables, errors in the program logic
● Problems in the interaction with the underlying platform or with other systems and services
  ○ buffer overflows in C(++) code
  ○ integer overflows in most programming languages
  ○ SQL injection, XSS, CSRF in web applications

Slide 12

Slide 12 text

Memory vulnerabilities
● Buffer overflow
● Use-after-free
● Stack corruption

Slide 13

Slide 13 text

Buffer overflow

    // A C program to demonstrate buffer overflow
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[]) {
        if (argc < 2) {
            fprintf(stderr, "usage: %s <input>\n", argv[0]);
            return 1;
        }
        // Reserve 5 bytes of buffer including the terminating NUL.
        // The compiler should allocate 8 bytes = 2 double words;
        // to overflow, pass more than 8 bytes...
        char buffer[5];
        // Copy the user input into buffer without any bounds checking.
        // A bounds-checked alternative is strcpy_s() (or snprintf()).
        strcpy(buffer, argv[1]);
        printf("buffer content= %s\n", buffer);
        return 0;
    }

Slide 14

Slide 14 text

Buffer overflow

Slide 15

Slide 15 text

Know your dependencies
● Which open source components are you using?
● Which versions are you currently running, and where?
● How can these components be updated, where do you get the update, and what do you need to do to install it?
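The three questions above, worked through for a Python project as an added example (not code from the talk, OWASP Dependency-Check or Snyk): the requirements content, the advisory ids and the version ranges below are constructed placeholders, not real advisories.

```python
"""Added example (not from the talk, Dependency-Check or Snyk): inventory pinned
Python requirements and match them against a small advisory list. The
requirements content and the advisory ranges/ids below are constructed."""
import re

# Constructed requirements files: which package, which version, declared where.
REQUIREMENTS = {
    "requirements.txt": "requests==2.19.1\nflask==1.0.2\npyyaml==3.13\n",
    "dev-requirements.txt": "pytest==4.6.3\nrequests==2.19.1\n",
}

# Constructed advisories with placeholder ids: vulnerable if introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "pyyaml", "introduced": "0", "fixed": "5.1"},
    {"id": "ADV-EXAMPLE-2", "package": "requests", "introduced": "2.1.0", "fixed": "2.20.0"},
]

# Only exact pins are matched; ranges, comments and URLs are skipped as unknown.
PIN = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")


def parse_version(v):
    """'2.19.1' -> (2, 19, 1) so versions compare numerically, not as strings.
    Non-numeric parts such as 'rc1' are dropped in this simple check."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def inventory(files):
    """Map package -> {version: [declaring files]} across all requirement files."""
    seen = {}
    for path, text in files.items():
        for line in text.splitlines():
            m = PIN.match(line)
            if m:
                name, version = m.group(1).lower(), m.group(2)
                seen.setdefault(name, {}).setdefault(version, []).append(path)
    return seen


def vulnerable_pins(files, advisories):
    """Return sorted (package, version, advisory id, fixed version, files) for
    every pinned version that falls inside an advisory's vulnerable range."""
    inv = inventory(files)
    hits = []
    for adv in advisories:
        for version, paths in inv.get(adv["package"], {}).items():
            v = parse_version(version)
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append((adv["package"], version, adv["id"], adv["fixed"], sorted(paths)))
    return sorted(hits)
```

The "where" answer comes from the file list in each hit, which is what tells you every manifest that has to change when you upgrade.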

Slide 16

Slide 16 text

PACKAGE REPOSITORIES

Slide 17

Slide 17 text

Third-party libraries

Slide 18

Slide 18 text

Third-party libraries
Reusable Components = Reusable Vulnerabilities
● Attackers are increasingly targeting popular libraries and third-party components
● Up to 90% of the attack surface of an application may be due to third-party code

Slide 19

Slide 19 text

DEPENDENCIES

Slide 20

Slide 20 text

DEPENDENCIES

Slide 21

Slide 21 text

OWASP DEPENDENCY-CHECK

Slide 22

Slide 22 text

DEPENDENCY-CHECK

Slide 23

Slide 23 text

SNYK

Slide 24

Slide 24 text

SNYK

Slide 25

Slide 25 text

Services

Slide 26

Slide 26 text

Services

Slide 27

Slide 27 text

Services

Slide 28

Slide 28 text

Services

Slide 29

Slide 29 text

Package vulnerabilities

Slide 30

Slide 30 text

NPM Package vulnerabilities

Slide 31

Slide 31 text

NPM Package vulnerabilities

Slide 32

Slide 32 text

SQL injection vulnerabilities

Slide 33

Slide 33 text

Detecting security vulnerabilities

Slide 34

Slide 34 text

Malicious Python packages

Slide 35

Slide 35 text

SAST vs DAST: how can you detect security vulnerabilities?

Slide 36

Slide 36 text

STATIC

Slide 37

Slide 37 text

FIND SECURITY BUGS

Slide 38

Slide 38 text

SONARQUBE

Slide 39

Slide 39 text

SONARQUBE

Slide 40

Slide 40 text

SONARQUBE

Slide 41

Slide 41 text

Static Application Security Testing (SAST)

Slide 42

Slide 42 text

Static Application Security Testing (SAST)

Slide 43

Slide 43 text

Security Dashboard GitLab

Slide 44

Slide 44 text

NodeJsScan

Slide 45

Slide 45 text

NodeJsScan

Slide 46

Slide 46 text

NodeJsScan

Slide 47

Slide 47 text

Bandit

Slide 48

Slide 48 text

Bandit

Slide 49

Slide 49 text

Bandit

    "SELECT %s FROM derp;" % var
    "SELECT thing FROM " + tab
    "SELECT " + val + " FROM " + tab + …
    "SELECT {} FROM derp;".format(var)
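An added example (not code from the talk or from Bandit) of how a Bandit-style check can flag the four patterns above by walking the AST, next to the parametrized query such a check leaves alone; the scanned snippet is constructed and `lookup_user` is a hypothetical helper.

```python
"""Added example, not code from the talk or from Bandit: a minimal B608-style check
that flags the slide's SQL string-building patterns via the AST, beside a parametrized query."""
import ast
import re
import sqlite3

SQL_START = re.compile(r"^\s*(select|insert|update|delete)\b", re.IGNORECASE)

# Constructed sample: the four patterns from the slide plus one parametrized query.
SAMPLE_SOURCE = '''
q1 = "SELECT %s FROM derp;" % var
q2 = "SELECT thing FROM " + tab
q3 = "SELECT " + val + " FROM " + tab + " WHERE x = 1"
q4 = "SELECT {} FROM derp;".format(var)
cur.execute("SELECT name FROM users WHERE name = ?", (name,))
'''

def _is_sql_literal(node):
    """True for a string constant that starts like a SQL statement."""
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and SQL_START.match(node.value) is not None)

def _leftmost(node):
    """Follow a + chain down to its leftmost operand."""
    while isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        node = node.left
    return node

def find_sql_string_building(source):
    """Sorted (lineno, kind) for SQL built by %, + or .format(); one report per line."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod) and _is_sql_literal(node.left):
            findings.add((node.lineno, "percent-format"))
        elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add) and _is_sql_literal(_leftmost(node)):
            findings.add((node.lineno, "concatenation"))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "format" and _is_sql_literal(node.func.value)):
            findings.add((node.lineno, "str.format"))
    return sorted(findings)

def lookup_user(name):
    """Parametrized query: the driver binds `name` as data, so input such as
    "' OR 1=1 --" matches no row instead of rewriting the WHERE clause."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    conn.close()
    return [r[0] for r in rows]
```

The last line of the sample is the shape Bandit accepts: a constant SQL string with the user value passed separately as a bound parameter.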

Slide 50

Slide 50 text

Dynamic Application Security Testing (DAST)

Slide 51

Slide 51 text

DYNAMIC

Slide 52

Slide 52 text

OWASP ZAP

Slide 53

Slide 53 text

Dynamic Application Security Testing (DAST)

Slide 54

Slide 54 text

SQL INJECTION

Slide 55

Slide 55 text

SQL INJECTION

Slide 56

Slide 56 text

SQL INJECTION

Slide 57

Slide 57 text

Open Source Security
What can we do to improve the security of Open Source Software?
● We can do all the same things we do when building commercial software
● The big difference is that we have to do it collaboratively

Slide 58

Slide 58 text

Proprietary vs open source vulnerabilities

Slide 59

Slide 59 text

Open Source Security
OSS is not more or less secure, but it is different
• Typically there are many more people contributing
• Sometimes there is a culture of "code is more important than specification"
• There may be less market pressure to put security first

Slide 60

Slide 60 text

Open Source Security Security is a process, not a product

Slide 61

Slide 61 text

Software Development Life Cycle

Slide 62

Slide 62 text

Software Development Life Cycle

Slide 63

Slide 63 text

Core Infrastructure Initiative

Slide 64

Slide 64 text

Core Infrastructure Initiative https://bestpractices.coreinfrastructure.org/en/projects/1/0#security

Slide 65

Slide 65 text

Core Infrastructure Initiative https://bestpractices.coreinfrastructure.org/en/projects/1/0#security

Slide 66

Slide 66 text

Core Infrastructure Initiative https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/security.md

Slide 67

Slide 67 text

Open Source Security

Slide 68

Slide 68 text

GITHUB ALERTS

Slide 69

Slide 69 text

Secrets searching on GitHub
○ Credentials (cryptographic keys, database credentials, API tokens (AWS), SSH keys)
○ Infrastructure (service configuration (DHCP, SMTP, etc.), IPs and internal URLs)
○ Code (commits, history, comments, dependencies, vulnerabilities)

Slide 70

Slide 70 text

Secrets searching on GitHub
● Private keys (id_rsa, id_dsa, *.pfx)
● History files (.bash_history and similar): these often contain passwords that were mistyped
● Log files (/var/log/*): again, they often contain details you might forget to look for
● .htaccess, .htpasswd: Apache directory-specific configuration files
● web.config: IIS directory-specific config file
● wp-config.php: WordPress config

Slide 71

Slide 71 text

Secrets searching on github

Slide 72

Slide 72 text

Secrets searching on github

Slide 73

Slide 73 text

Secrets searching on github

Slide 74

Slide 74 text

Remove sensitive data

Slide 75

Slide 75 text

Remove sensitive data

Slide 76

Slide 76 text

CONCLUSIONS
● Open source maintainers
  ○ Practice secure code review
  ○ Regularly audit your code base for vulnerabilities
  ○ Define a process for communication of responsible disclosures

Slide 77

Slide 77 text

CONCLUSIONS
● Open source developers
  ○ Follow responsible disclosure policies if you are reporting a security vulnerability
  ○ Subscribe to the security communication channels of your open source dependencies

Slide 78

Slide 78 text

CONCLUSIONS
● Security is a very important aspect of software development.
● Measures can be taken to integrate it into the Software Development Life Cycle.
● It is possible to effectively integrate security into agile development as well.

Slide 79

Slide 79 text

CONCLUSIONS