New Way of Envisioning Security in the Dependencies

Hi everyone, good morning, good afternoon, good evening, wherever you are. Today I'm going to be talking about a new way of envisioning security issues and dependencies. I'm sure some of you know about it, some of you don't know about it. So today I will be sharing my experience and my understanding about those issues.

My name is Vandana Verma Sahgal, and about myself, about my background, I'm currently a security relations leader at Snyk, which is a software security company. When I'm not working at Snyk, I generally contribute to open-source projects in cybersecurity and part of certain conferences like BlackHat. So I'm currently the chair for OWASP, which is Open Web Application Security Project, a community driven to motivate people to understand application security. I also run InfoSec Girls, InfoSec Diversity and Kids, so that we can have cybersecurity understanding for everyone. That's about myself.

Now, while I talk about what security issues are, what exactly do you see in this picture? This is something which is more of a futuristic image of what we really want. We want everything to be automated. We want everything to be super cool. We want everything to be different and helpful for us. I want it. I want smart TVs to smart devices, to smart users, everything smart at home. So I just need to play a button, and everything is good. But there's one thing which is there. What happens when the data is being uploaded somewhere? And that's natural. We've heard and even we've seen the data is getting uploaded somewhere. Why do we say that? Because the point comes is anything that you speak to these smart devices that actually get it trained. Because you want everything at the earliest. They're getting trained to deliver the content at the earliest. So, data is being somewhere, stored somewhere. Now, I am sure these devices are being updated somewhere. So, there'll be a patch which might be downloaded. Now, when that patch gets downloaded, there are times where you would feel that there's something fishy. Or sometimes you don't even get to know that there are malicious things which are downloaded on your system. So, what do you do and what happens then? That they might be tracking you. Anything and everything that you're speaking might be getting tracked. Is it cool? No, it is not.

It is somewhat scary. But the point comes how should we actually deal with them? So, developers play a very, very crucial role in cybersecurity incidents. And especially when we talk about these new supply chain issues which are there, the whole landscape which is being changed, and the way we have started to care about software security.

Now, this event stream incident, which doesn't seem to be new, but it dates back to many, many years. When in somebody said I want to help you out, and hire the maintainers, but then instead they added a crypto miner, and nobody even knew about it. So you're working and something is running in the background. So how much exactly do you know about what is in your system?

Now, I'll tell you about myself. All my websites are on open source content. I'm using whatever is there on the internet. Now comes, are there any issues in those dependencies? Maybe, so this is the image that I have in mind. This is all my app. But, actual thing is that this is the only code, the red dot in the middle, which is the code, which is developed by me or maybe my friends, maybe the company itself. But what is rest? The whole rest is the open source code, third party dependencies, third-party libraries and whatnot. How exactly you're going to be taking care of that? What happens when people start attacking developer tooling?

Now, being in security, I might not use Visual Studio Code or any IDE very often. But can it happen? If I'm a developer, I wouldn't be using day in and day out. I would be using, and even for that matter, being in security, I want to learn about a lot of new things, so I learn these things. That's what happened. In January, 2021, somebody actually tried to attack Visual Studio Code where they were able to get access to the GitHub. Of many accounts, but they diligently reported that. It could have gone in any wrong direction. When somebody gets the house key, they can do anything. For example, you've got four doors in the house, then there are four windows. Now, you're going on vacation, you've closed all the doors, but what happened to the windows? Maybe there's one window which is open, which you did not realize and somebody gets into your house and takes all the stuff. It's crazy, and that can happen with anyone, and that's when we need to understand what's inside our code.

Now, there are certain lessons that we learnt from the Equifax breach that happened a few years back. Now, why we are still talking about it, because it actually envisions one very important aspect, that when there's a certain vulnerability which gets reported, after that, what we really need to do is we need to understand what the vulnerability's all about. Can we fix it or not? And if it's critical, how soon can we address it? What happened with Equifax? February 14th, Apache notified that there are certain issues. There was a release of fix, people started exploiting the exploit. And even though some companies already updated it, there are some companies which could not. One of them was Equifax.

Now, it was a huge state breach and especially concerning the libraries. What it tells us is that we need to detect these issues as early as possible. We need to respond to them. And when we respond to them, we need to do it with the whole organization, within the whole organization. Trust me, it took us good two, three days to understand where we are, where do we stand. Everyone was getting crazy. Do we have this version? Do we use Apache on this application? And a lot of time, what happens? You don't even know that you are using Apache or maybe this any third-party version, which is vulnerable in your ecosystem. Why? Because we sometimes tend to miss in updating CMDBs.

Now, when we say that, the most important aspect comes is that, are we able to maintain it regularly? Maybe, maybe not. So what shall we do with that? We need to make sure that we understand these issues and on top of it, these supply chain risks. Are they new? I don't think so they're new, because they have been there for a very, very long time. And it started getting into the limelight after the SolarWinds attack, where there was a third-party library which was added as part of our DLL, which was added as part of the package, which the package was shipped to everyone and everyone was using it.

Now, this is a big concern, which means, there's one library, one dependencies, which is there as part of your code that can lead to big issues. And on top of it, the point comes, how are we trying to address that? We are still seeing these issues every year in a year. Companies, organizations are spending more and more money on these.

Now, let me tell you something very interesting. There are times when maintainers, themselves remove the libraries. These are some of the cases wherein somebody removed the package and the whole packet started breaking and everybody got crazy. Now, this also does this one important thing when we're using third-party dependencies to open-source content, it's important we track it and we understand if something happens to them, how are we going to deal with that? And let's not go back this very very long, which is 2016. Just two months back, or three months back, there was an issue with Collar and Faker. These are two major libraries as part of the Node.js ecosystem. The maintainer was the same for both. Now, this maintainer removed the whole package from one of the libraries for one of the ecosystem and for the other dependency, the person added a loop condition. Now, what do you do in that case wherein I have a package because I want a new update now that has a loop condition and it's breaking my whole code? Isn't that scary? And that brings us that even these issues can come in any form, in any part as part of the registries. So what do these registries contain? Could be malicious issues, could be vulnerabilities, could be whatnot. And these issues are not only just for the ecosystems which are smaller, but they're impacting enterprises as well. Medium business units and everyone.

This brings us to the point wherein this lock for a shake. I'll tell you my own story. In December, I was on vacation in the first week. I was like, oh, I've not taken vacation for a very long time. We've been at home, so let's take a vacation. So we went to travel. Now, during the similar time, lock for shake happened. What is that? I didn't even know, but then I start seeing messages and everyone started talking about it. So I wanted to understand what it is. So lock for shake is basically a very popular logging platform. Apache-based logging platform written in Java.

And people use these platforms very easily because they're easy to use. But what happens when it impacts huge amounts of organizations from Cesar to Amazon to IBM to any company, even sneak, we'll be talking about it.

Now, when that happens, how do you deal with that? And what was the part of, what was the issue in there? So anyone who was using a lab server and was using JNDEI, they were vulnerable because it was a very highly or very useful framework a lot of organizations were using. And they were trying to figure out whether they were vulnerable or not.

Now, organizations, so people, everyone was talking about it, sharing their views on social media, Twitter, LinkedIn on their own blogs. And this whole attack made us realize that if this small, small issue, which is there in the code, it can be a big concern, even if one library. They were people, there were organizations who were actually not vulnerable, but they were using third-party components which were making them vulnerable. Would you like that? I wouldn't like that. So I would like to know what I have and what I don't have. What I have, what is the list of it? Whether I'm using third-party vendors or not? Which is very, very important.

Also, I'll tell you something interesting about OWASP. So OWASP top 10 releases top 10 list of risks every three years. So it came up with the top 10 risks and injection, which is supposed to be a 10, dropped down to third, and suddenly I saw these injection issues and they're becoming more and more prevalent. This is Lock4Shell, then many other vulnerabilities came and it just doesn't stop there. Why? Because it was actually the indication that there are regulatory compliance failures. We're talking about cloud. So there are cloud security control failures which are there. Sometimes intentional. Sometimes we don't even get to know. And these third party SaaS applications security failures because we are too much dependent on them, which also leads us that if something happens, anyone can deploy malwares and ransomwares, which can lead to data exfiltration, to integrity issues, to availability issues and whatnot. I wouldn't want that.

Now let me actually show you something very interesting. So here I have actually created a demo. Now what it says, I have it on my local system. I've not installed this vulnerable version of Java on my system, but it is in a system, is it a different folder? Now, what I have is I have created a Java group where I have this exploit. In the exploit, for you to see, I need to have a server running. If there's no vulnerable server, how would you get attacked? How would you get a vulnerable? So I have a log for shell server running. Now, this server is running on local host, which is HTTP server 8000. And there's an LDAP server, vulnerable Jindi server, which is running on port 9999. Now this whole thing is running.

Now, I need a client so that I can make it vulnerable. So here is the client. And simply what I'll do is, I will try and connect it with the server. So let me execute this in Java. Now, when I connect from client to server, there is a file which does not exist, temporary pawn. But when I ran it and I connected it to the server, it actually downloaded a malicious file and made it vulnerable, which is, let's see if this file exists or not. So let's see.

So if you see this file exists, now you must be thinking, how can that happen? So let me do this. Let me remove this file completely. So let's see if this file exists or not now. Oh, sorry, let me go ahead. If you see, oh, I need to remove first. Now I'm gonna go ahead and show you if it exists or not. So it does not exist. Now the file does not exist. Now let me connect it to the vulnerable server. Here I'm gonna execute Java, and it is gonna connect to the server. Now while it's running, it's trying to connect to that Djinni server, and this file now exists here, which it says that it's just a small file that I have downloaded in a temporary folder. If I am malicious person, I know that this server is vulnerable. For example, right now we're talking about React.js Summit. I'm sure they must have a website. Now, when there's a website and it's vulnerable, I know it's vulnerable, what I'm gonna do is I'm gonna connect to it and upload certain files. So anyone who connects to that server gets downloaded these malicious files. It could be a ransomware. Oh, nothing should happen because people are more aware, especially the development teams that are becoming more and more aware about security issues, at least more than us. What I can see, I have a lot of friends working in development teams and they are pro-security people because they understand security better than me because they know the ecosystem well, day in and day out.

Now, the simple issues. It took me a few seconds to exploit it. What happens when a hacker tries and exfiltrate the data, which is very, very confidential and nobody should know about it. That can be scary for an organization.

Now, what it takes us, that even though these popular frameworks are there, there are certain issues which need to understand. We need to have a list of all of these issues. And more on top of it, we should know what we have in our house. So we tried and hack the app. Generally, I do it after this, but I did it early to set the context. And on top of it, what we used to see, that this is the life of a security analyst. On Thursday night, Friday night, you would have these issues. Well, let me tell you, this is not the case anymore. When the zero rate drops, it impacts everyone from a security analyst to anyone and everyone. And that also tells us that these security issues are real.