We Hack Purple Podcast

We Hack Purple Streams! Securing Open Source Dependencies Its Not Just Your Code That You Need to Secure With Rana Khalil

December 23, 2022 We Hack Purple! Season 3
We Hack Purple Podcast
We Hack Purple Streams! Securing Open Source Dependencies Its Not Just Your Code That You Need to Secure With Rana Khalil
Show Notes Transcript

The importance of open source security management made headlines in 2017 when the Equifax breach resulted in the compromise of the personal information of millions of users. The breach was attributed to the use of a known vulnerable version of the Apache Struts open source framework. Since then, we’ve seen a rise in the disclosure (and exploitation) of vulnerabilities in open source software, such as the famous Log4Shell vulnerability that was dubbed as the “worst security flaw of the decade”. 

This resulted in studies being conducted and determining that open-source components make up more than half of an application codebase. The security implications of such a ratio can be significant. While organizations spend considerable time and effort ensuring that the custom code developed by them is secure, usually little to no consideration is put into evaluating the security of the used open-source components. This presentation will introduce Software Composition Analysis (SCA) - the process of identifying vulnerabilities in open-source dependencies. We’ll discuss the criteria you should consider when selecting an SCA solution and the importance of integrating such tools in your DevOps pipelines. 

Rana is an application security engineer consultant currently working at C3SA. She has a diverse professional background with experience in software development, quality assurance and pentesting. She holds a Bachelor and Master’s degree in Mathematics and Computer Science from the University of Ottawa. She has spoken about her research and work at several local and international conferences. In her non-existent free time, you can find her posting educational videos and holding workshops through her Academy and YouTube channel. She has received several awards and honorable mentions for her research and contributions to the cybersecurity community. 

Speaker Links: 
Youtube Channel: https://www.youtube.com/c/RanaKhalil101 
Academy: https://ranakhalil.com/ 
Twitter: https://twitter.com/rana__khalil 
LinkedIn: https://www.linkedin.com/in/ranakhalil1/ 
Medium Blog: https://ranakhalil101.medium.com/

welcome everyone to a we hack purple stream I'm Tanya Janka your host and

Amanda's also helping me host but today we have a special guest and her name's Rana she's my friend she's ridiculously

awesome and I'm so happy she said yes to being like being on our stream and so you

might notice I've tweeted about her a lot so she's finally here I'm really excited and with this Rana please take

it away hi everyone uh thanks for having me Tanya I'm very excited to be here as

well because for those that don't know Tanya is actually my mentor when I first started out she used to live in Ottawa

doesn't live anymore which really sucks um but I'm really excited to actually be

on um you know a show that she had started um and so I'll start off by sharing my


foreign let me know if you could see my screen

properly it looks great awesome all right um again I don't have

this ability on uh the chat and so feel free to stop me Tanya whenever anyone

has any questions and let me just remove the speaker top so that I could see the

slides myself all right okay

um so again thank you for uh taking the time to attend my presentation I'll start off by introducing myself

um so my name is uh Rana Khalil I have a bachelor's in a master's degree in mathematics and computer science I've

been fortunate enough to work in several areas in software engineering including quality assurance and software

development I made the switch to security about five years ago and now I currently work as an

application security engineer consultant at an organization called c3sa so for

those of you that are not aware what an application security engineer does essentially my responsibilities could be

divided into three the first one is testing any third-party applications or

in-house built applications that our clients use the second one is integrating security as part of the

software development life cycle so that's something that we're going to talk about um today so instead of

finding vulnerabilities let's say later in the sdlc what we do is we integrate

security as part of earlier in the sdlc so as part of every phase so that this way

um uh the it's significant it significantly cuts the effort at the time and the cost that is required to

fix those vulnerabilities and then the third responsibility is essentially developer education so you can see over

here on the slides I have an academy I also have a YouTube channel and a Blog

where I teach web application pen testing and I also do in-person training

teaching developers how to code securely um so that's pretty much it

um enough about me let's dive into the presentation

um so whenever I learn about a new topic and if you've attended one of my previous presentations they almost

always start this way um so when I learn about a new topic I always ask myself three questions the

what the why and the how if I can answer these three questions within the context

of the topic that I'm learning that means I have a basic solid understanding of that topic and so for our topic today

we're talking about securing open source dependencies so the questions that we're

going to be talking about are one what are open source dependencies two why

should dependencies be managed and three um how can these dependencies be secured

my aim for today is to have everyone in the audience be able to answer these

three questions by the end of the presentation and you'll see the whole presentation is based on these three

questions and then we'll also look back to answering these three questions at the end of the presentation

all right so we'll begin with our first question which is what are open source

dependencies now you'll notice I have a ton of diagrams in my presentation and

they're all references to how the real world works so pay attention to the diagrams and this is the first one so

you can see over here you've got all the modern digital infrastructure at the top and it's all built on open source

projects developed by people around the world now um as we go along in this presentation

you'll understand how fragile this ecosystem um can be and the issues that result

from having an ecosystem such as this one I feel like people tend to underestimate the type of issues that

can result from this type of system just because they don't really properly understand how big of a problem it can

be and so what we're going to do is first we're going to set the context to

understand the skill of this problem and then we'll talk about tools that have been developed specifically to address

this problem from a security perspective all right

um to set the context I borrowed a few slides from this amazing talk that was

given at the hack in the Box uh security conference it was titled finding

vulnerabilities and malware and open source code at scale and it was done by Mark curfew I've got the name of the

talk um on the screen the talk essentially focuses on how in

the future instead of ransomware in desktops it'll the future is going to move to ransomware and web applications

and that's done by uh introducing malicious code in open source libraries

that major Frameworks use on the Internet it's an interesting and really

scary talk because they actually have a demo in that talk I definitely recommend watching it but to get back to our topic

which relates to this talk um uh the talk really starts off by

essentially discussing how people consume open source software and it

Likens it to the making of echoed cocktail so um or essentially making a cocktail so

the first thing that you do is uh choose a framework for the application that you're developing so let's say if you're

developing an application in Java then maybe you're using the spring framework if you're developing an application in

Ruby then maybe you're using Ruby on Rails or for python maybe you're using the Django or flask or so on but the

idea is that the framework that you're using is open source which makes the basis of your entire project open source

code and then you want your application to have custom functionality

or custom features that allow you to sell your application and so you uh you

write your own custom code to add that functionality but then you realize well

I want other functionality in my application that other people have already implemented let's say being able

to log in using Facebook or being able to log in using other social media

accounts or let's say being able to pay through PayPal and so on so I make your life harder and reinvent the Wheel by

writing that code yourself so what you do is you actually import open source libraries

that solve the problem that you're trying to solve or that implement the functionality that you're looking for

and so what ends up happening is you essentially have a cocktail of code

where 90 of your code is open source code and only 10 percent is custom code

and that's a significant ratio because um while organizations spend

considerable time and effort ensuring that that 10 custom code is properly

secure usually little to no consideration is put into ensuring that the open source code which

makes up 10 90 of your application is actually secure

um now you might be thinking you know for the developers in the audience you might

be thinking well I'm not sure that's true I'm looking at my code base and I'm definitely only importing let's say

three libraries three open source libraries and there there's no way that can be 90 of my code and I actually get

that comment a lot um and so my answer to that is usually while it might seem to you that you're

only importing three open source libraries you're likely using much much more than that so what happens when

you're requesting a library let's see this is the library that you directly request in your code what happens is

this Library says wait a minute I need this library to survive and so it pulls it down and then this Library says well

wait a minute I need this library to survive and so it pulls it down and then this Library says well wait a minute I

need this library to survive and so it pulls it down and so on and so what you end up with is essentially let's say 100

libraries instead of the three libraries that you directly imported so the ones

that you directly import are the ones in green so these are called direct dependencies the ones that your direct

dependencies uh rely on are called indirect or transitive dependencies and

those are the ones that are in Gray now so you end up essentially with like

an interconnected graph of dependencies that becomes really difficult to manage

manually a really simple example that I like to use to better understand this

concept is imagine you invite three people to your house that you absolutely trust now you really trust those people

and that's why you're giving them the address to your house and letting them in but then those three people end up inviting three other people

and then those three other people end up inviting three other people and then those three people end up inviting three other people and so on and so instead of

three people showing up to your house um you end up with a hundred people at

your house and of them out of those 100 people maybe one of them is malicious and ends up trashing your house

um and so that's essentially kind of how libraries work if there is issues so

security issues or what we call vulnerabilities and any one of the

indirect dependencies it could trickle up to uh the direct dependencies and eventually make your application also

vulnerable and so we'll talk about that in the next section

all right um now to um understand how open source code makes up a large portion of the

modern digital infrastructure from a real world perspective let's look at a few statistics so uh synopsis does a

study every year where they do essentially an in-depth analysis or a study of the current state of open

source security compliance licensing and code quality risks in commercial software and the results are all

summarized in a report called the open source security risk analysis report or

in short will assess ossra and the link to the report is on the

slides um if you're interested in reading it um so essentially what they did is they

examined over 2400 Commercial Code bases across 17 Industries including financial

and Healthcare and they reported out of the 2400 code basis 97 of them contained

open source code so what that means is that almost all the code bases contains

some form of Open Source Code and then when they looked at each individual code base they found out that for each

individual code base 78 of the code is open source code and that's a

significant number so approximately eight percent eighty percent of each application was made up of Open Source

dependencies and only 20 was actually a custom code now again the ratio this

type of ratio can have significant compliance privacy and security related implications and that leads us to the

next question that we would like to answer which is why should open source dependencies be managed

now uh we briefly touched upon that in the past couple of slides um from

security and a privacy perspective but there's also a functional and a licensing perspective

um uh that uh that we will touch upon now uh to highlight the skill of this

problem from a functional perspective there's nothing better than using real world incidents that happened so a few

years ago a developer got really upset that one of his npm modules was taken

down due to a copyright infringement and so what he ended up doing is instead of just taking down the one Library he

ended up on publishing over 250 of the libraries that he developed for

um npm and he had put on npm and one of these modules was called the left pad

module or leftpad library and it was literally just 11 lines of code and all

it did was pad something to the left um now this might seem like not an issue

that he took down this 11 lines of code which are on the screen however this ended up causing a ripple effect that

took down majority of the applications worldwide that were built in JavaScript

so you had developers waking up to Broken builds and filled deployments just because someone took down 11 lines

of code from the npm repository and the reason was because this library was

embedded in a major framework called The Express framework which was used which

is used to build node.js applications and so the builds for majority of the

applications that were built using that framework ended up failing because they couldn't pull down that Library which is

quite insane if you really think about it and it goes back to showing how fragile this type of ecosystem can be

now of course after this incident npm put certain restrictions on who can

unpublish libraries and it essentially there's a ton of restrictions right now

but essentially the bottom line is if a library has any dependencies on it

you're not allowed to publish it but you could see the type of issues that really could result from

this type of ecosystem but again um this is from a functional perspective we're here to kind of talk about

security and privacy and so how does it affect the security and privacy of applications

well let's talk about a really famous speech that occurred a few years ago I'm

sure everyone in the audience has heard about the speech so it was called the

Equifax breach and it was where the personally identifiable information so

the pii information of hundreds of millions of users in the US and Canada

were stolen now the reason that breach occurred was because Equifax was using

uh the Apache struts framework and at the time the version of Apache

struts that they were using was vulnerable to a remote code execution uh vulnerability now they did know about uh

about it so they were informed that they were using a vulnerable version however they didn't patch it in time and so what

ended up happening is they ended up getting uh breached and the scary thing

about all this is that um these are all uh these are all article um headings or titles sorry

um and you could see over here one of the articles that came out during that time was that the code responsible for

the Equifax breach was downloaded 21 million times last year so the year before the breach had occurred the code

that was responsible for the breach was downloaded 21 million times which is insane and this one is even worse most

of the fortune 100s still use the flawed software that led to the Equifax breach and so even after the breach had

occurred and made worldwide news um uh they evaluated The Fortune 100 and

they saw that they're still using the same vulnerable software that allowed Equifax to be breached

which is insane um a more recent example again which I'm

sure everyone is aware of is the La Porte vulnerability that was released in

December of last year it affected millions of devices worldwide

um I remember last year when I saw someone post about this on Twitter

before it was picked up by the media I remember thinking oh my God we're screwed because lock for J is integrated

in millions of java based software and servers worldwide and like the

exploitation of this vulnerability which was really simple to exploit not only could lead to remote code execution but

essentially you could use the remote for execution vulnerability to install malware and other backdoors

in networks that you infiltrated um and so when this came out there was

essentially a worldwide Panic on figuring out if any of the software that you're using in your organization and

uses the lock for J library that was vulnerable and this highlights why it's

super important to have a software bill of materials or in short what we call an

s-bomb that lists all the components that your application or software is

using and we'll talk more about that when we reach the next section of how do

we solve this problem um all right so so far we've been

talking about libraries that were developed with good intention to serve a specific purpose however the developers

didn't develop them securely and so they unintentionally introduced

vulnerabilities into the code now there's a whole other type of libraries

that are made specifically to serve a malicious purpose this article came out

less than a week ago so you could see it's December 14 2022

morning developers that there was a flood of malicious JavaScript Python and

net packages that were uploaded to package repositories in hopes that developers would download them and fall

victim to this type of attack so this is a big problem that is definitely being used by throw actors that needs to be


um now the rise in the disclosure and um exploitation of vulnerabilities like the

Apache struts one which we discussed and the log project vulnerability is the reason that the use of vulnerable and

outdated components uh was listed as the six most critical security risk facing

web applications today so if I remember correctly used to be lower I think it was number eight or number 10 I can't

remember but now it's the sixth most critical security risk uh facing web applications today

I'll stop right now is there a question there's no questions in the chat there's

comments that you're really good at explaining and we really like your examples thank you thanks everyone if you have

any questions feel free to write it in the chat and um I'll be happy to answer them

all right so um if we go sorry go ahead Tanya

no no that was it that was all the stuff I wanted to say you're doing great awesome all right thank you all right so

um if we go back to the uh synopsis open source security and risk analysis report

that I referenced earlier um um we see that like out of the 24 uh

thousand over 24 000 applications that they analyze um they they um found out that 81 of

them contained at least uh one uh known open source vulnerability

um so um 80 of the applications that they analyze were using at least one library

that contained uh vulnerability and 49 of the applications uh were using a

library that contained a high risk vulnerability like the log project or

the Apache struts vulnerability that allows an external attacker to gain or

more code execution on your network now that's pretty that's pretty scary because that means 50 percent

of the applications that they analyze were vulnerable to uh we're using a

library that was vulnerable to remote code execution uh vulnerability which is

insane um so that's from a security perspective

another thing that they did look at in the report that we're now going to spend too much time on because it's not from a

security uh perspective but it is still important is licensing uh issues so in

some countries like the US creative work which includes software that was written

or code is protected exclusively by copyright by default and what that means

is that you're not allowed to legally use copy distribute or modify software

without the explicit permission from the Creator or author in the form of a

license that grants you the right to do so and so if the project that you're

essentially using think of it like you're taking something from GitHub if the project that you're using does not

contain a license then by default depending on um on the platform and also the country

of the person that wrote the piece of code um it might be copyright protected

um and that means you're not allowed to use it um and so again depending on your organization and

the type of product that you provide you might be introducing some form of risk or a legal risk to your organization by

using that software and so the study found that out of the 2400 code bases

that they looked at um 20 of them contained open source libraries that either had no license or

had a custom license so if it had no license again depending on the platform where you took the product uh sorry

where you took the software from or the country or the person that developed the software you might be at risk and you

might be introducing risks to your organization um and then a custom license is something that you need to review and

have a legal team look at before you could use it because a custom license could have essentially any clause in

there that says you're not allowed to use their um their specific Library

uh so the study also compared the different licenses that were available in each code base and they found out

that 53 of the audited code bases contained license conflicts what that

means is for example um uh an organization is making use of

an open source library that allows you to let's say freely use it even for

commercial purposes but then they're also importing another library that has a license that says

you're only allowed to use it um but not for commercial purposes so that means there is a conflict

um in the licenses now depending on the type of product that you're developing uh the uh licenses

um might open you up again to an additional level of risk that you might want to not take in your organization so

that's from like a licensing perspective how these open source dependencies could

cause certain issues okay

um so so far we've talked about the privacy I have a question oh okay sorry I I

picked the worst timing um so so Ken was saying not including a

license on the repo means it's not for public distribution can you expand on

this topic yeah so it makes sense yeah um so it depends on the platform uh that

you're using um it's sorry that you're taking the um library from

um and also the country um of the person that developed the license so I believe I looked at GitHub

and um it is not like I I can't remember correctly so don't call me on this

um but I looked at their Rules of Engagement and um it is not for public distribution if the user doesn't say

explicitly that it's for public distribution um I'll actually ask Tanya do you know

more on that topic so it it depends on like you're saying which country so by default everything

in Canada is copywritten like the moment you publish something it's a and are able to prove that you

are the one who first published whatever it is you own a copyright and I know this because I used to write music and

so the moment your song gets played on the radio or you release an album or any sort of thing like that you're like

that's right I was first um and it applies to code as well so if you wrote that code not while you were

working for an employer so if you work for an employer the work you create usually belongs to them but it depends

on if you're a contractor or full-time employee Etc but if you read the contract that you do generally they own

a copyright to the work that you do but not always and I have seen that trip people up

um I don't know what the default licensing is on GitHub though yeah yeah so us is the same as Canada by default

um software is uh copyrighted and so you're not allowed to use it without the explicit permission of

um the the person that wrote the code um I yeah so don't quote me on the

GitHub thing I read it a while ago and I remember seeing that it wasn't meant for public distribution unless a license is

included um but again um everybody do your research because I'm not sure

does that answer the question it does he says thanks so glad to hear that I'll keep it in mind when

publishing my repos I think the GitHub default is no license at all but npm includes a default license for you

okay awesome all right answer thank you any other questions

that is it mostly it's just me and Ken in the chat talking about how awesome you can do that thank you all right

okay um so so far we've talked about um privacy security and license

compliance issues we even discussed it from a functional perspective um that could potentially so the issues

that could potentially um come from using open source software um now the question is how can you avoid

all these types of issues um the first thing that you absolutely

need is something called a software bill of materials for in short and s-bomb

we've touched a little bit up on that when we were discussing the log for J vulnerability but essentially this is a

list of all the open source and third-party components that an application or a piece of software is

using so think of it as the equivalent of a list of ingredients that you find

on a package of food that you want to buy so just like I might want to know the ingredients because let's say I have

certain food sensitivities or I'm allergic to a certain type of food I

would like to know the list of ingredients in an item of food that I'm buying in the same sense

I want to know uh the software bill of materials for my application or the

application that I'm using so that I know exactly the risk that I'm introducing in my organization by using

that certain piece of software now depending on the software that you

use to create the SAS bomb it might include slightly different items I have

a small list of information that is usually included and it's based on something called the software package

data exchange standard or in short spdx now remember so you've got things like

the package supplier the package name the version whether it's a direct or indirect dependency the Creator and so

on but essentially now remember the graph that we looked at so when you

directly pull down a dependency those dependencies need other dependencies and those dependencies need other

dependencies and so on and so you end up with a huge graph of dependencies

um and so this is not something that you could uh do manually or you could

analyze manually just coming up with that full graph um and so this is

something that you need to do um automatically or in an automated uh

faction and that's essentially like all the direct dependencies and all the indirect or transitive dependencies

would be um would be included in something called uh the s-bomb

um now it became absolutely important to have this software bill of materials or

as bomb um when we saw an increase in the exploitation of vulnerabilities in

third-party software like the Apache struts vulnerability or the log project

of vulnerability and so last year it became mandatory in the US that you need

to provide an usbom or again a software bill of materials for uh software

vendors Contracting with the federal government just so that the government is aware of the level of risk it's

accepting um when using your software now I live in Canada so we're not there yet in

Canada um but it is something that I believe they're currently working on right now

and something that hopefully will happen um in the near future

oh we have another question yeah so if you're using npm is the package.json

file produced by mpm would that be a good enough example of an s-bomb

um I believe that only contains the direct dependencies isn't that correct

I don't know I actually don't program an npm but I have a feeling you're right because the um the transitive

dependencies are like the ones that are linked as like second layer generation and below I can't see anything in there

so yeah so I also don't program in npm but I would imagine that would only contain your direct dependencies and

then those dependencies also pull down other dependencies so you need a tool that actually

um I think there are um certain packages that you could use in npm that will generate that s-bomb for you um but I

don't think they would like specifically the package.json file would have that

yeah but great question awesome go on lead us Rana all right

um now again um creating this s-bomb is not something that you could do manually because it'll

take forever you'll have to you know go to um your config files and figure out which ones you're directly importing um

and then from there figure out you know for this Library which Library does it depend on and then for that Library

which Library does it depend on and then for that Library which Library it depends on and so on and so it takes

forever to do manually and so there are tools that are called software

composition analysis tools or in short SCA that automate the process of

generating an s-bomb um and not only do they do that they also identify known vulnerabilities in

the open source dependencies and ensure that you have license compliance when it

comes to those open source dependencies so having an Aspen is great but if

you're not doing anything about that aspawn to identify if any of the software that you're using is actually

vulnerable then um essentially it's just that you're aware that you

have a list of libraries but you're not actually checking them to see if they're vulnerable and so an SCA tool

essentially comes up with that ask Mom and then it cross-references it with vulnerability databases to identify if

there's any known vulnerabilities with the libraries that you're using so

essentially these tools work in three steps again the first one is to generate

an s-bomb so that's a list of all the direct and indirect dependencies with

the version numbers that you're using the second step is a cross references

the list with vulnerability data sources so depending on the tool that you're

using the vulnerability data sources might be different some tools actually most tools use on the nvd database but

you which is called the which stands for the national vulnerability database

however you could see the commercial tools have a variety of sources so

um the more sources that you have the better because sometimes vulnerabilities

don't actually make it to as you know a full-on TV and then end up getting put in the MVD database instead some of them

are just put in GitHub issues or comments or through private vulnerability databases or so on and so

the more variety that you have when it comes to your vulnerability data sources the better

now once you've cross-referenced the list of direct and indirect dependencies

with your vulnerability data sources if you get a hit that a specific library is

uh known to be vulnerable to so and so vulnerability then the tool will report it and that's essentially how the tools

work now uh there's a ton of SCA tools out there some of them are open source like

dependency check which is developed by the ovasp organization big shout out to

a wasp and everything you know for everything that they do so that's an example of an Open Source

One others are free but not open source so you've got npm audit is free GitHub

sorry not GitHub what was this called um uh dependency

Dependable I'm like trying to remember okay uh so dependent plot is integrated

in GitHub you could use it for free um it has its own separate issues

um I think there's a webinar by Jim Monaco that talks about uh dependabot

and like the set of issues that come with that but if you're not using anything the panda block is a great

source um to use until you could use a better product um and then there's other ones which are

commercial like Vera code um snake um and so on

um now I don't want to endorse a specific vendor so instead what I'm going to do is discuss the features that

you should consider When selecting an SCA tool and then I'll leave you to you

know depending on your organization what works best for you when it comes to choosing an STD tool

um so the first one and this is the most important one is language support So npm

audit can identify vulnerable npm libraries it can be used to identify

vulnerable Ruby libraries same goes um with again depend about one of the

issues that Jim Monaco talks about is that although it says it has support for many programming languages it was mainly

developed by JavaScript developers and so it covers JS libraries really well but when it comes to other languages it

does a mediocre job at best and so it's really important to make sure that the

sca tool that you're using actually covers the languages that are used by

your organization now the second one and we touched upon

this is the vulnerability data sources uh that the tool references so again the more diverse the vulnerability data

sources uh the more coverage that you're going to get um not everything is assigned to CBE rating

um and again you know it ends up getting logged in the National vulnerability database some of them are reported

through commit logs issue talkers social media private vulnerability databases and so on and so the more diverse the

vulnerability data sources the more coverage you're going to get

the third one is accuracy so the Tool's ability to identify if your application

is using a vulnerable function so it turns out just because you're using a

vulnerable component doesn't necessarily mean that you're vulnerable

um you have to actually be calling the vulnerable function or using the vulnerable function in order for you to

be vulnerable and I remember reading this somewhere I can't remember the statistics Source

um if anyone has it feel free to put it in the chat but the statistics have shown that 90 of the time you're not

actually vulnerable when you're importing a vulnerable library because you're not using the

vulnerable function um now that doesn't mean that you know oh the risk is so low

um no and that you shouldn't update um if you're not using the vulnerable function uh you should definitely update

because just because today you know you as a developer are not using the vulnerable function of an outdated

Library it doesn't mean that tomorrow a new developer is going to join the team or you might forget and you might

accidentally import um you might accidentally use the vulnerable function

um and so you should definitely update but the accuracy feature which is only available

um with actually very few um uh commercial tools

um comes in handy when it comes to um uh I guess uh

evaluating the risk of which one you want to update first so prioritizing

which one you want to update first because if I'm actually using the vulnerable function then I definitely want to update those first and then when

those are updated then I'm going to start updating the ones where I'm not actually using the vulnerable function

so it does come in handy but it's difficult to do because you would have to compare software compensation

analysis with um static code analysis as well

all right um the fourth one is the remediation capability um so some SCA tools have the ability to

auto-generate for requests and update to a non-vulnerable version however that

does come with its own risks of breaking the bill when you update and so

something that you might want to do in a test environment first before it gets pushed into prod

uh the fifth one is configuration and integration so the Tool's ability to be

configured to let's say um pull from different vulnerability sources

um or be integrated in your pipeline um and so on

and then the last one is reporting this one is self-explanatory and so I'm not

going to spend much time on it it depends on what is important for you in your organization and how you want that

information to be presented so depending on that that might affect the certain tool that you end up

selecting for your organization all right so um like I said I'm not

going to endorse a specific vendor um but what I'll say is from my personal

experience um uh you get what you paid for when it comes to Sea tools

um it's great to start with um open source or free um essay tools but then at some point

you'll realize the limitations of those tools and then you might want to move to uh commercials tools that provide more

of the features that we just discussed

all right um so we're almost done the presentation um but I didn't want to end it without

um showing you an example of an essay tool and showing you how easy it could be to run the sca tool

um so Olas to shop so it's right over here um is an open source intentionally

vulnerable application that is developed Again by the owasp organization and it's

written in node.js um and so the tool that I'm going to use to see if it's using any vulnerable

dependencies is npm audit and you'll see over here how easy it is to actually run

this tool it takes a couple of seconds maybe minutes if it's the first time that you run it and it'll report the vulnerable

dependencies I'm just going to click play

and you can see over here I'm just running it in the root repository of OAS

Juice Shop and then it just takes a couple of seconds to run and here we go you could see there's 76

vulnerabilities 67 of them are low five moderate too high and too critical and you can see over here it says it's scan

to 23 900 M5 packages so that's how many dependencies this small intentionally

vulnerable application was using so it highlights how you can't do this manually you definitely need an

automated tool to do this and you could see it gives you the information of each vulnerability

um the verification bypass one they're actually using the vulnerable function and so you could really exploit this

vulnerability and it essentially allows you to completely bypass um authentication as an unauthenticated

attacker and all it took was essentially just running npm audit in the reposit in the

root directory of uh the Repository that's how easy it is to get started

with um sea tools all right

so this concludes our presentation now uh before I end I wanted to Circle back

to the three questions uh that I said uh will answer during the presentation so

the first one was uh what are open source dependencies so we set the open

source dependencies or open source software that an application uses they

come in two forms the first one is direct dependencies which you directly Import in your code and indirect or

transitive dependencies which your direct dependencies depend on

the second question that we asked was why should open source dependencies be managed we looked at real world

incidents and statistics from the open source security and risk analysis report

that was done by synopsis to understand the open source dependencies need to be managed for the purpose of privacy

security and license compliance and then the third question uh that we

asked was how can these dependencies be managed and secured for that we talked

about software composition analysis tools or in short SCA tools to automate the process of generating an s-bomb and

identifying vulnerabilities in open source dependencies and identifying

licensing issues we also talked about the different features that you could consider When

selecting an SCA tool and that is it

um thank you for taking the time to listen to my presentation I hope that was useful

wow that took a flower I did not oh yeah it felt like it it was like 15 minutes

you were great and we have a few questions so I just put all of your links into the chat so people can just

click them if they want to but if you're watching this later we will post it in

the YouTube video comments underneath the video so if you're like oh I don't want to type that out don't worry we got you okay so there's two questions one is

do you have any thoughts on npm audit versus npm outdated I would run bows but do you have any

thoughts on it I've actually I have I'm only familiar with npm audit I'm not familiar with npm

outdated so I can't comment on that I think it just tells you if stuff's old I find whenever I get the npm I make a

mess um like it's like oh you ran this you should run that I'm like should I

yeah so if it tells you like if things are old so npm audit tells you if things are vulnerable if npm outdated tells you

if things are old um then I agree with Tanya you should run both um because just because it's outdated

doesn't mean that you aren't introducing a level of risk in the future by using

an outdated and unsupported uh piece of software so run both and then update

everything yeah oh I like it I I have a friend that works on SCA tool and I won't explain

which one because we're being vendor neutral but he was saying it's like having a ticking time bomb in your app

even if it's not exploitable if you have something where it's a really big vulnerability you still want to put it

in the backlog and fix it um okay so Camilla asks when updating

dependencies I see some people focusing on updating just the production dependencies do the dev dependencies

offer big risks as well or is it okay to prioritize production dependencies over Dev

it is definitely okay to prioritize production dependencies because that's what's external

um and that's what it's being used by the client and most of the time that's what has um uh pii information in it

um or confidential information in it um however that doesn't mean that you shouldn't update

um uh development um your development environment or your

test environment or so on I worked as a pen tester before I started working as

an application security engineer and so for some of uh our use cases is we acted

as an internal threat Factor um and so we were already we were given

access to the network and then from there we had a certain goal to reach another part of the network or another

Network that the organization was using and the way we did that was essentially look for

um vulnerable servers in those networks in order to see if they're exploitable

and then maybe they could give us or more code execution um to you know those to a server that is

within the network that we want to reach um so definitely something that can be

used by an internal attacker now if your deaf environment is also public then

that should be updated um right away as well I have to say like I think that if

you're gonna do testing you would want to test Endeavor a lower like I mean if

it's an emergency maybe you're gonna run off and do prod because you're working at Equifax and it's 2016. but like

I definitely want Dev and QA and uat to mirror prod so I can get good tests

right because like what if you updated it and then you broke everything you're gonna be unpopular to say the least

that's a great point it's actually quite conventional to start with prod and

update prod uh before um trying it out first in test because like updating libraries does sometimes

break builds um and so it's important to update them in the lower environments make sure they don't actually break

anything in the code and then replicate that in prod that's a great Point Tanya

I was guessing it's a security perspective it depends on how scary it is like I

worked somewhere once and we were so scared we turned off our servers like we had this big meeting and everyone was

freaking out and I was like we do have the option to just turn them off like overnight or for a day until we fix

everything and yeah we look dumb briefly but they're just so so worried about the

thing that we had going on and um yeah we just I this might sound nuts but we just turned them off

patch tested overnight and then in the morning turned them back on and we're like well you know we serve Canadians

hopefully most of them are in bed sometimes it's it's a good enough reason

to act like the vulnerability is a good enough reason to turn off your service yeah oh my gosh that was great does

anyone have any more questions from Rana and also I hope you clicked all the links I put and followed her on

everything she's also on Mastodon too I figured that out during the call

no I'm not you're not no I'm not oh okay so

um the thing that some Mastodon servers have been doing so it was the one that says bird site

um so there's there's one Mastodon server where they've followed a lot of people that are just really cool on

Twitter and they're taking your tweets and sharing them onto Mastodon so people

can follow your Twitter tweets on Mastodon okay interesting

well you're fortunately invited to the infosec.exchange server which is where

all of the security nerds are hanging out I was like why isn't she on infosec Exchange

I just never I never got around to it um but yeah no definitely something that I

want to join because everyone is moving to that platform um I'll of course continue Twitter until

it completely breaks down but um um I definitely um will be on Mastodon as well hopefully

in the near future for sure okay everyone this is literally your last chance until you see Rana

Ken this was so awesome thank you so much no problem thank you for attending

happy to be here do you have a question Ken

I've been able to um give all mine so thank you for that awesome awesome there's a whole bunch of

comments in the chat saying thank you and it was great and it was so helpful

yes thank you so much for being on our show Rana no problem thank you so much for having

me I'm so happy I'm finally on there we have purple sure I know well just to be

clear you can come on again whenever you want absolutely when I prepare a new presentation you'll be the first person

to contact about that awesome okay everyone since I got all

the questions and lots and lots and lots of thank yous we are gonna shut down for

now if you celebrate Hanukkah if you celebrate Christmas if you celebrate New

Year's if you celebrate literally anything I hope you have a wonderful time thank you so much Rana thank you

Amanda for organizing me so I show up on time and do all the things I'm supposed to do and thank you we have purple

community um I really appreciate you coming and I know a lot more of our community is

going to watch this when we release it to YouTube I will definitely send a message in the community so everyone can see and that's it that's all I got thank

you very much thank you for having me and happy holidays everyone