The vulnerabilities in open source ecosystem are increasing like wild fire. It is important to address those. I will be speaking about issues and how to fix them with demo. I will pick up examples from React ecosystem as well.
This talk has been presented at React Summit 2022, check out the latest edition of this React Conference.
Vandana Verma Sahgal is a security relations leader at Snyk, a software security company. She is also the chair for OWASP (Open Web Application Security Project) and runs initiatives like InfoSec Girls, InfoSec Diversity, and Kids to promote cybersecurity understanding.
The main concerns with smart devices include the uploading and storage of data, the downloading of potentially malicious patches, and the risk of these devices being hacked to track user actions or steal information.
Developers play a crucial role in cybersecurity, especially in addressing issues related to new supply chain vulnerabilities and ensuring that software security is maintained through careful management of dependencies and third-party libraries.
The Equifax breach was a significant security incident where a vulnerability reported by Apache was not promptly addressed by some companies, including Equifax, leading to a massive data breach. This underscores the importance of early detection and response to vulnerabilities.
OWASP, or the Open Web Application Security Project, is a community-driven organization that aims to improve application security. It provides resources, tools, and forums for developers and security professionals to enhance their understanding and practices related to cybersecurity.
The SolarWinds attack involved a third-party library that was maliciously added to a software update, which was then distributed to SolarWinds customers. This led to widespread security breaches across numerous organizations.
Organizations can protect themselves from third-party dependency risks by regularly updating their software, monitoring for vulnerabilities, using tools like OWASP Dependency Check to scan their systems, and educating their teams on security best practices.
Lock4Shell is a vulnerability in the Apache Log4j logging library that significantly impacted many organizations, including major companies. It highlighted the risks associated with third-party components and the need for vigilant security measures.
Developers should respond to new vulnerabilities by promptly applying security patches, conducting thorough testing to ensure compatibility, and staying informed about the latest security threats and mitigation strategies.
Today I'm going to be talking about a new way of envisioning security issues and dependencies. I will be sharing my experience and understanding about those issues. I'm currently a security relations leader at Snyk, contributing to open-source projects in cybersecurity. We want everything to be automated, cool, and helpful. But what happens when the data is being uploaded somewhere? These smart devices are getting trained to deliver content at the earliest, but they may also be tracking everything you say.
Hi everyone, good morning, good afternoon, good evening, wherever you are. Today I'm going to be talking about a new way of envisioning security issues and dependencies. I'm sure some of you know about it, some of you don't know about it. So today I will be sharing my experience and my understanding about those issues.
My name is Vandana Verma Sahgal, and about myself, about my background, I'm currently a security relations leader at Snyk, which is a software security company. When I'm not working at Snyk, I generally contribute to open-source projects in cybersecurity and part of certain conferences like BlackHat. So I'm currently the chair for OWASP, which is Open Web Application Security Project, a community driven to motivate people to understand application security. I also run InfoSec Girls, InfoSec Diversity and Kids, so that we can have cybersecurity understanding for everyone. That's about myself.
Now, while I talk about what security issues are, what exactly do you see in this picture? This is something which is more of a futuristic image of what we really want. We want everything to be automated. We want everything to be super cool. We want everything to be different and helpful for us. I want it. I want smart TVs to smart devices, to smart users, everything smart at home. So I just need to play a button, and everything is good. But there's one thing which is there. What happens when the data is being uploaded somewhere? And that's natural. We've heard and even we've seen the data is getting uploaded somewhere. Why do we say that? Because the point comes is anything that you speak to these smart devices that actually get it trained. Because you want everything at the earliest. They're getting trained to deliver the content at the earliest. So, data is being somewhere, stored somewhere. Now, I am sure these devices are being updated somewhere. So, there'll be a patch which might be downloaded. Now, when that patch gets downloaded, there are times where you would feel that there's something fishy. Or sometimes you don't even get to know that there are malicious things which are downloaded on your system. So, what do you do and what happens then? That they might be tracking you. Anything and everything that you're speaking might be getting tracked. Is it cool? No, it is not.
It is somewhat scary. But the point comes how should we actually deal with them? Developers play a very, very crucial role in cybersecurity incidents. Now, this event stream incident, which doesn't seem to be new, but it dates back to many, many years. All my websites are on open source content. Are there any issues in those dependencies? What happens when people start attacking developer tooling? In January, 2021, somebody actually tried to attack Visual Studio Code where they were able to get access to the GitHub. When there's a certain vulnerability which gets reported, what we really need to do is understand what the vulnerability's all about. What happened with Equifax? February 14th, Apache notified that there are certain issues.
It is somewhat scary. But the point comes how should we actually deal with them? So, developers play a very, very crucial role in cybersecurity incidents. And especially when we talk about these new supply chain issues which are there, the whole landscape which is being changed, and the way we have started to care about software security.
Now, this event stream incident, which doesn't seem to be new, but it dates back to many, many years. When in somebody said I want to help you out, and hire the maintainers, but then instead they added a crypto miner, and nobody even knew about it. So you're working and something is running in the background. So how much exactly do you know about what is in your system?
Now, I'll tell you about myself. All my websites are on open source content. I'm using whatever is there on the internet. Now comes, are there any issues in those dependencies? Maybe, so this is the image that I have in mind. This is all my app. But, actual thing is that this is the only code, the red dot in the middle, which is the code, which is developed by me or maybe my friends, maybe the company itself. But what is rest? The whole rest is the open source code, third party dependencies, third-party libraries and whatnot. How exactly you're going to be taking care of that? What happens when people start attacking developer tooling?
Now, being in security, I might not use Visual Studio Code or any IDE very often. But can it happen? If I'm a developer, I wouldn't be using day in and day out. I would be using, and even for that matter, being in security, I want to learn about a lot of new things, so I learn these things. That's what happened. In January, 2021, somebody actually tried to attack Visual Studio Code where they were able to get access to the GitHub. Of many accounts, but they diligently reported that. It could have gone in any wrong direction. When somebody gets the house key, they can do anything. For example, you've got four doors in the house, then there are four windows. Now, you're going on vacation, you've closed all the doors, but what happened to the windows? Maybe there's one window which is open, which you did not realize and somebody gets into your house and takes all the stuff. It's crazy, and that can happen with anyone, and that's when we need to understand what's inside our code.
Now, there are certain lessons that we learnt from the Equifax breach that happened a few years back. Now, why we are still talking about it, because it actually envisions one very important aspect, that when there's a certain vulnerability which gets reported, after that, what we really need to do is we need to understand what the vulnerability's all about. Can we fix it or not? And if it's critical, how soon can we address it? What happened with Equifax? February 14th, Apache notified that there are certain issues. There was a release of fix, people started exploiting the exploit. And even though some companies already updated it, there are some companies which could not. One of them was Equifax.
Now, it was a huge state breach and especially concerning the libraries. What it tells us is that we need to detect these issues as early as possible. We need to respond to them. And when we respond to them, we need to do it with the whole organization, within the whole organization.
Now, it was a huge state breach and especially concerning the libraries. What it tells us is that we need to detect these issues as early as possible. We need to respond to them. And when we respond to them, we need to do it with the whole organization, within the whole organization. Trust me, it took us good two, three days to understand where we are, where do we stand. Everyone was getting crazy. Do we have this version? Do we use Apache on this application? And a lot of time, what happens? You don't even know that you are using Apache or maybe this any third-party version, which is vulnerable in your ecosystem. Why? Because we sometimes tend to miss in updating CMDBs.
We need to make sure that we understand these issues and the supply chain risks. There's one library, one dependency, that can lead to big issues. Companies are spending more and more money on these. We need to track and understand third-party dependencies. There have been cases where maintainers remove libraries, causing disruptions. In 2016, there was an issue with Collar and Faker libraries. These issues can come in any form and impact enterprises. Lock for shake is a popular logging platform written in Java.
Now, when we say that, the most important aspect comes is that, are we able to maintain it regularly? Maybe, maybe not. So what shall we do with that? We need to make sure that we understand these issues and on top of it, these supply chain risks. Are they new? I don't think so they're new, because they have been there for a very, very long time. And it started getting into the limelight after the SolarWinds attack, where there was a third-party library which was added as part of our DLL, which was added as part of the package, which the package was shipped to everyone and everyone was using it.
Now, this is a big concern, which means, there's one library, one dependencies, which is there as part of your code that can lead to big issues. And on top of it, the point comes, how are we trying to address that? We are still seeing these issues every year in a year. Companies, organizations are spending more and more money on these.
Now, let me tell you something very interesting. There are times when maintainers, themselves remove the libraries. These are some of the cases wherein somebody removed the package and the whole packet started breaking and everybody got crazy. Now, this also does this one important thing when we're using third-party dependencies to open-source content, it's important we track it and we understand if something happens to them, how are we going to deal with that? And let's not go back this very very long, which is 2016. Just two months back, or three months back, there was an issue with Collar and Faker. These are two major libraries as part of the Node.js ecosystem. The maintainer was the same for both. Now, this maintainer removed the whole package from one of the libraries for one of the ecosystem and for the other dependency, the person added a loop condition. Now, what do you do in that case wherein I have a package because I want a new update now that has a loop condition and it's breaking my whole code? Isn't that scary? And that brings us that even these issues can come in any form, in any part as part of the registries. So what do these registries contain? Could be malicious issues, could be vulnerabilities, could be whatnot. And these issues are not only just for the ecosystems which are smaller, but they're impacting enterprises as well. Medium business units and everyone.
This brings us to the point wherein this lock for a shake. I'll tell you my own story. In December, I was on vacation in the first week. I was like, oh, I've not taken vacation for a very long time. We've been at home, so let's take a vacation. So we went to travel. Now, during the similar time, lock for shake happened. What is that? I didn't even know, but then I start seeing messages and everyone started talking about it. So I wanted to understand what it is. So lock for shake is basically a very popular logging platform. Apache-based logging platform written in Java.
People use these platforms very easily because they're easy to use. But what happens when it impacts organizations? How do you deal with that? Organizations were vulnerable due to the use of the JNDEI framework. The attack highlighted the importance of understanding third-party components and the risks they pose. OWASP's top 10 risks list reveals regulatory compliance and cloud security control failures. Dependency on third-party SaaS applications can lead to data breaches and other security issues. A demo showcasing a vulnerable Java exploit is presented.
And people use these platforms very easily because they're easy to use. But what happens when it impacts huge amounts of organizations from Cesar to Amazon to IBM to any company, even sneak, we'll be talking about it.
Now, when that happens, how do you deal with that? And what was the part of, what was the issue in there? So anyone who was using a lab server and was using JNDEI, they were vulnerable because it was a very highly or very useful framework a lot of organizations were using. And they were trying to figure out whether they were vulnerable or not.
Now, organizations, so people, everyone was talking about it, sharing their views on social media, Twitter, LinkedIn on their own blogs. And this whole attack made us realize that if this small, small issue, which is there in the code, it can be a big concern, even if one library. They were people, there were organizations who were actually not vulnerable, but they were using third-party components which were making them vulnerable. Would you like that? I wouldn't like that. So I would like to know what I have and what I don't have. What I have, what is the list of it? Whether I'm using third-party vendors or not? Which is very, very important.
Also, I'll tell you something interesting about OWASP. So OWASP top 10 releases top 10 list of risks every three years. So it came up with the top 10 risks and injection, which is supposed to be a 10, dropped down to third, and suddenly I saw these injection issues and they're becoming more and more prevalent. This is Lock4Shell, then many other vulnerabilities came and it just doesn't stop there. Why? Because it was actually the indication that there are regulatory compliance failures. We're talking about cloud. So there are cloud security control failures which are there. Sometimes intentional. Sometimes we don't even get to know. And these third party SaaS applications security failures because we are too much dependent on them, which also leads us that if something happens, anyone can deploy malwares and ransomwares, which can lead to data exfiltration, to integrity issues, to availability issues and whatnot. I wouldn't want that.
Now let me actually show you something very interesting. So here I have actually created a demo. Now what it says, I have it on my local system. I've not installed this vulnerable version of Java on my system, but it is in a system, is it a different folder? Now, what I have is I have created a Java group where I have this exploit. In the exploit, for you to see, I need to have a server running. If there's no vulnerable server, how would you get attacked? How would you get a vulnerable? So I have a log for shell server running. Now, this server is running on local host, which is HTTP server 8000. And there's an LDAP server, vulnerable Jindi server, which is running on port 9999. Now this whole thing is running.
Now, I need a client so that I can make it vulnerable. I will try and connect it with the server. It actually downloaded a malicious file and made it vulnerable. So let's see if this file exists or not. Let me remove this file completely. So it does not exist. Now let me connect it to the vulnerable server. It is gonna connect to the server. This file now exists here. If I am a malicious person, I know that this server is vulnerable. Now, when there's a website and it's vulnerable, what I'm gonna do is I'm gonna connect to it and upload certain files. What happens when a hacker tries to exfiltrate confidential data? That can be scary for an organization.
Now, I need a client so that I can make it vulnerable. So here is the client. And simply what I'll do is, I will try and connect it with the server. So let me execute this in Java. Now, when I connect from client to server, there is a file which does not exist, temporary pawn. But when I ran it and I connected it to the server, it actually downloaded a malicious file and made it vulnerable, which is, let's see if this file exists or not. So let's see.
So if you see this file exists, now you must be thinking, how can that happen? So let me do this. Let me remove this file completely. So let's see if this file exists or not now. Oh, sorry, let me go ahead. If you see, oh, I need to remove first. Now I'm gonna go ahead and show you if it exists or not. So it does not exist. Now the file does not exist. Now let me connect it to the vulnerable server. Here I'm gonna execute Java, and it is gonna connect to the server. Now while it's running, it's trying to connect to that Djinni server, and this file now exists here, which it says that it's just a small file that I have downloaded in a temporary folder. If I am malicious person, I know that this server is vulnerable. For example, right now we're talking about React.js Summit. I'm sure they must have a website. Now, when there's a website and it's vulnerable, I know it's vulnerable, what I'm gonna do is I'm gonna connect to it and upload certain files. So anyone who connects to that server gets downloaded these malicious files. It could be a ransomware. Oh, nothing should happen because people are more aware, especially the development teams that are becoming more and more aware about security issues, at least more than us. What I can see, I have a lot of friends working in development teams and they are pro-security people because they understand security better than me because they know the ecosystem well, day in and day out.
Now, the simple issues. It took me a few seconds to exploit it. What happens when a hacker tries and exfiltrate the data, which is very, very confidential and nobody should know about it. That can be scary for an organization.
Even though popular frameworks are used, there are still important security issues to understand and address. It is crucial to have a comprehensive list of these issues and be aware of the components used in our applications. As a security analyst, I used to encounter these issues regularly, but now it affects everyone. This highlights the significance of addressing security concerns and acknowledging their impact.
Now, what it takes us, that even though these popular frameworks are there, there are certain issues which need to understand. We need to have a list of all of these issues. And more on top of it, we should know what we have in our house. So we tried and hack the app. Generally, I do it after this, but I did it early to set the context. And on top of it, what we used to see, that this is the life of a security analyst. On Thursday night, Friday night, you would have these issues. Well, let me tell you, this is not the case anymore. When the zero rate drops, it impacts everyone from a security analyst to anyone and everyone. And that also tells us that these security issues are real.
We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career
Node Congress 2022
JSNation 2023
JSNation 2023
React Summit US 2023
React Summit 2022
React Advanced 2021
JSNation US 2024React Summit 2023JSNation 2024JSNation 2024JSNation 2022
DevOps.js Conf 2022
Comments