New Way of Envisioning Security in the Dependencies

Rate this content
Bookmark

The vulnerabilities in open source ecosystem are increasing like wild fire. It is important to address those. I will be speaking about issues and how to fix them with demo. I will pick up examples from React ecosystem as well.

21 min
21 Jun, 2022

Video Summary and Transcription

Today's Talk explores the importance of understanding security issues and dependencies in software development. It emphasizes the role of developers in cybersecurity incidents and the need to detect and respond to vulnerabilities early. The Talk also discusses the risks associated with third-party dependencies and the impact of security breaches on organizations. Additionally, it highlights the significance of addressing security concerns and the potential consequences of exploiting vulnerabilities and exfiltrating data.

Available in Español

1. Introduction to Security Issues and Dependencies

Short description:

Today I'm going to be talking about a new way of envisioning security issues and dependencies. I will be sharing my experience and understanding about those issues. I'm currently a security relations leader at Snyk, contributing to open-source projects in cybersecurity. We want everything to be automated, cool, and helpful. But what happens when the data is being uploaded somewhere? These smart devices are getting trained to deliver content at the earliest, but they may also be tracking everything you say.

Hi everyone, good morning, good afternoon, good evening, wherever you are. Today I'm going to be talking about a new way of envisioning security issues and dependencies. I'm sure some of you know about it, some of you don't know about it. So today I will be sharing my experience and my understanding about those issues.

My name is Vandana Verma Sahgal, and about myself, about my background, I'm currently a security relations leader at Snyk, which is a software security company. When I'm not working at Snyk, I generally contribute to open-source projects in cybersecurity and part of certain conferences like BlackHat. So I'm currently the chair for OWASP, which is Open Web Application Security Project, a community driven to motivate people to understand application security. I also run InfoSec Girls, InfoSec Diversity and Kids, so that we can have cybersecurity understanding for everyone. That's about myself.

Now, while I talk about what security issues are, what exactly do you see in this picture? This is something which is more of a futuristic image of what we really want. We want everything to be automated. We want everything to be super cool. We want everything to be different and helpful for us. I want it. I want smart TVs to smart devices, to smart users, everything smart at home. So I just need to play a button, and everything is good. But there's one thing which is there. What happens when the data is being uploaded somewhere? And that's natural. We've heard and even we've seen the data is getting uploaded somewhere. Why do we say that? Because the point comes is anything that you speak to these smart devices that actually get it trained. Because you want everything at the earliest. They're getting trained to deliver the content at the earliest. So, data is being somewhere, stored somewhere. Now, I am sure these devices are being updated somewhere. So, there'll be a patch which might be downloaded. Now, when that patch gets downloaded, there are times where you would feel that there's something fishy. Or sometimes you don't even get to know that there are malicious things which are downloaded on your system. So, what do you do and what happens then? That they might be tracking you. Anything and everything that you're speaking might be getting tracked. Is it cool? No, it is not.

2. Security Issues and Dependencies

Short description:

It is somewhat scary. But the point comes how should we actually deal with them? Developers play a very, very crucial role in cybersecurity incidents. Now, this event stream incident, which doesn't seem to be new, but it dates back to many, many years. All my websites are on open source content. Are there any issues in those dependencies? What happens when people start attacking developer tooling? In January, 2021, somebody actually tried to attack Visual Studio Code where they were able to get access to the GitHub. When there's a certain vulnerability which gets reported, what we really need to do is understand what the vulnerability's all about. What happened with Equifax? February 14th, Apache notified that there are certain issues.

It is somewhat scary. But the point comes how should we actually deal with them? So, developers play a very, very crucial role in cybersecurity incidents. And especially when we talk about these new supply chain issues which are there, the whole landscape which is being changed, and the way we have started to care about software security.

Now, this event stream incident, which doesn't seem to be new, but it dates back to many, many years. When in somebody said I want to help you out, and hire the maintainers, but then instead they added a crypto miner, and nobody even knew about it. So you're working and something is running in the background. So how much exactly do you know about what is in your system?

Now, I'll tell you about myself. All my websites are on open source content. I'm using whatever is there on the internet. Now comes, are there any issues in those dependencies? Maybe, so this is the image that I have in mind. This is all my app. But, actual thing is that this is the only code, the red dot in the middle, which is the code, which is developed by me or maybe my friends, maybe the company itself. But what is rest? The whole rest is the open source code, third party dependencies, third-party libraries and whatnot. How exactly you're going to be taking care of that? What happens when people start attacking developer tooling?

Now, being in security, I might not use Visual Studio Code or any IDE very often. But can it happen? If I'm a developer, I wouldn't be using day in and day out. I would be using, and even for that matter, being in security, I want to learn about a lot of new things, so I learn these things. That's what happened. In January, 2021, somebody actually tried to attack Visual Studio Code where they were able to get access to the GitHub. Of many accounts, but they diligently reported that. It could have gone in any wrong direction. When somebody gets the house key, they can do anything. For example, you've got four doors in the house, then there are four windows. Now, you're going on vacation, you've closed all the doors, but what happened to the windows? Maybe there's one window which is open, which you did not realize and somebody gets into your house and takes all the stuff. It's crazy, and that can happen with anyone, and that's when we need to understand what's inside our code.

Now, there are certain lessons that we learnt from the Equifax breach that happened a few years back. Now, why we are still talking about it, because it actually envisions one very important aspect, that when there's a certain vulnerability which gets reported, after that, what we really need to do is we need to understand what the vulnerability's all about. Can we fix it or not? And if it's critical, how soon can we address it? What happened with Equifax? February 14th, Apache notified that there are certain issues. There was a release of fix, people started exploiting the exploit. And even though some companies already updated it, there are some companies which could not. One of them was Equifax.

3. State Breach and Organization-wide Response

Short description:

Now, it was a huge state breach and especially concerning the libraries. What it tells us is that we need to detect these issues as early as possible. We need to respond to them. And when we respond to them, we need to do it with the whole organization, within the whole organization.

Now, it was a huge state breach and especially concerning the libraries. What it tells us is that we need to detect these issues as early as possible. We need to respond to them. And when we respond to them, we need to do it with the whole organization, within the whole organization. Trust me, it took us good two, three days to understand where we are, where do we stand. Everyone was getting crazy. Do we have this version? Do we use Apache on this application? And a lot of time, what happens? You don't even know that you are using Apache or maybe this any third-party version, which is vulnerable in your ecosystem. Why? Because we sometimes tend to miss in updating CMDBs.

4. Supply Chain Risks and Third-Party Dependencies

Short description:

We need to make sure that we understand these issues and the supply chain risks. There's one library, one dependency, that can lead to big issues. Companies are spending more and more money on these. We need to track and understand third-party dependencies. There have been cases where maintainers remove libraries, causing disruptions. In 2016, there was an issue with Collar and Faker libraries. These issues can come in any form and impact enterprises. Lock for shake is a popular logging platform written in Java.

Now, when we say that, the most important aspect comes is that, are we able to maintain it regularly? Maybe, maybe not. So what shall we do with that? We need to make sure that we understand these issues and on top of it, these supply chain risks. Are they new? I don't think so they're new, because they have been there for a very, very long time. And it started getting into the limelight after the SolarWinds attack, where there was a third-party library which was added as part of our DLL, which was added as part of the package, which the package was shipped to everyone and everyone was using it.

Now, this is a big concern, which means, there's one library, one dependencies, which is there as part of your code that can lead to big issues. And on top of it, the point comes, how are we trying to address that? We are still seeing these issues every year in a year. Companies, organizations are spending more and more money on these.

Now, let me tell you something very interesting. There are times when maintainers, themselves remove the libraries. These are some of the cases wherein somebody removed the package and the whole packet started breaking and everybody got crazy. Now, this also does this one important thing when we're using third-party dependencies to open-source content, it's important we track it and we understand if something happens to them, how are we going to deal with that? And let's not go back this very very long, which is 2016. Just two months back, or three months back, there was an issue with Collar and Faker. These are two major libraries as part of the Node.js ecosystem. The maintainer was the same for both. Now, this maintainer removed the whole package from one of the libraries for one of the ecosystem and for the other dependency, the person added a loop condition. Now, what do you do in that case wherein I have a package because I want a new update now that has a loop condition and it's breaking my whole code? Isn't that scary? And that brings us that even these issues can come in any form, in any part as part of the registries. So what do these registries contain? Could be malicious issues, could be vulnerabilities, could be whatnot. And these issues are not only just for the ecosystems which are smaller, but they're impacting enterprises as well. Medium business units and everyone.

This brings us to the point wherein this lock for a shake. I'll tell you my own story. In December, I was on vacation in the first week. I was like, oh, I've not taken vacation for a very long time. We've been at home, so let's take a vacation. So we went to travel. Now, during the similar time, lock for shake happened. What is that? I didn't even know, but then I start seeing messages and everyone started talking about it. So I wanted to understand what it is. So lock for shake is basically a very popular logging platform. Apache-based logging platform written in Java.

5. Security Impact and Vulnerabilities

Short description:

People use these platforms very easily because they're easy to use. But what happens when it impacts organizations? How do you deal with that? Organizations were vulnerable due to the use of the JNDEI framework. The attack highlighted the importance of understanding third-party components and the risks they pose. OWASP's top 10 risks list reveals regulatory compliance and cloud security control failures. Dependency on third-party SaaS applications can lead to data breaches and other security issues. A demo showcasing a vulnerable Java exploit is presented.

And people use these platforms very easily because they're easy to use. But what happens when it impacts huge amounts of organizations from Cesar to Amazon to IBM to any company, even sneak, we'll be talking about it.

Now, when that happens, how do you deal with that? And what was the part of, what was the issue in there? So anyone who was using a lab server and was using JNDEI, they were vulnerable because it was a very highly or very useful framework a lot of organizations were using. And they were trying to figure out whether they were vulnerable or not.

Now, organizations, so people, everyone was talking about it, sharing their views on social media, Twitter, LinkedIn on their own blogs. And this whole attack made us realize that if this small, small issue, which is there in the code, it can be a big concern, even if one library. They were people, there were organizations who were actually not vulnerable, but they were using third-party components which were making them vulnerable. Would you like that? I wouldn't like that. So I would like to know what I have and what I don't have. What I have, what is the list of it? Whether I'm using third-party vendors or not? Which is very, very important.

Also, I'll tell you something interesting about OWASP. So OWASP top 10 releases top 10 list of risks every three years. So it came up with the top 10 risks and injection, which is supposed to be a 10, dropped down to third, and suddenly I saw these injection issues and they're becoming more and more prevalent. This is Lock4Shell, then many other vulnerabilities came and it just doesn't stop there. Why? Because it was actually the indication that there are regulatory compliance failures. We're talking about cloud. So there are cloud security control failures which are there. Sometimes intentional. Sometimes we don't even get to know. And these third party SaaS applications security failures because we are too much dependent on them, which also leads us that if something happens, anyone can deploy malwares and ransomwares, which can lead to data exfiltration, to integrity issues, to availability issues and whatnot. I wouldn't want that.

Now let me actually show you something very interesting. So here I have actually created a demo. Now what it says, I have it on my local system. I've not installed this vulnerable version of Java on my system, but it is in a system, is it a different folder? Now, what I have is I have created a Java group where I have this exploit. In the exploit, for you to see, I need to have a server running. If there's no vulnerable server, how would you get attacked? How would you get a vulnerable? So I have a log for shell server running. Now, this server is running on local host, which is HTTP server 8000. And there's an LDAP server, vulnerable Jindi server, which is running on port 9999. Now this whole thing is running.

6. Exploiting Vulnerabilities and Exfiltrating Data

Short description:

Now, I need a client so that I can make it vulnerable. I will try and connect it with the server. It actually downloaded a malicious file and made it vulnerable. So let's see if this file exists or not. Let me remove this file completely. So it does not exist. Now let me connect it to the vulnerable server. It is gonna connect to the server. This file now exists here. If I am a malicious person, I know that this server is vulnerable. Now, when there's a website and it's vulnerable, what I'm gonna do is I'm gonna connect to it and upload certain files. What happens when a hacker tries to exfiltrate confidential data? That can be scary for an organization.

Now, I need a client so that I can make it vulnerable. So here is the client. And simply what I'll do is, I will try and connect it with the server. So let me execute this in Java. Now, when I connect from client to server, there is a file which does not exist, temporary pawn. But when I ran it and I connected it to the server, it actually downloaded a malicious file and made it vulnerable, which is, let's see if this file exists or not. So let's see.

So if you see this file exists, now you must be thinking, how can that happen? So let me do this. Let me remove this file completely. So let's see if this file exists or not now. Oh, sorry, let me go ahead. If you see, oh, I need to remove first. Now I'm gonna go ahead and show you if it exists or not. So it does not exist. Now the file does not exist. Now let me connect it to the vulnerable server. Here I'm gonna execute Java, and it is gonna connect to the server. Now while it's running, it's trying to connect to that Djinni server, and this file now exists here, which it says that it's just a small file that I have downloaded in a temporary folder. If I am malicious person, I know that this server is vulnerable. For example, right now we're talking about React.js Summit. I'm sure they must have a website. Now, when there's a website and it's vulnerable, I know it's vulnerable, what I'm gonna do is I'm gonna connect to it and upload certain files. So anyone who connects to that server gets downloaded these malicious files. It could be a ransomware. Oh, nothing should happen because people are more aware, especially the development teams that are becoming more and more aware about security issues, at least more than us. What I can see, I have a lot of friends working in development teams and they are pro-security people because they understand security better than me because they know the ecosystem well, day in and day out.

Now, the simple issues. It took me a few seconds to exploit it. What happens when a hacker tries and exfiltrate the data, which is very, very confidential and nobody should know about it. That can be scary for an organization.

7. Understanding Security Issues and Impact

Short description:

Even though popular frameworks are used, there are still important security issues to understand and address. It is crucial to have a comprehensive list of these issues and be aware of the components used in our applications. As a security analyst, I used to encounter these issues regularly, but now it affects everyone. This highlights the significance of addressing security concerns and acknowledging their impact.

Now, what it takes us, that even though these popular frameworks are there, there are certain issues which need to understand. We need to have a list of all of these issues. And more on top of it, we should know what we have in our house. So we tried and hack the app. Generally, I do it after this, but I did it early to set the context. And on top of it, what we used to see, that this is the life of a security analyst. On Thursday night, Friday night, you would have these issues. Well, let me tell you, this is not the case anymore. When the zero rate drops, it impacts everyone from a security analyst to anyone and everyone. And that also tells us that these security issues are real.

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

Node Congress 2022Node Congress 2022
26 min
It's a Jungle Out There: What's Really Going on Inside Your Node_Modules Folder
Top Content
Do you know what’s really going on in your node_modules folder? Software supply chain attacks have exploded over the past 12 months and they’re only accelerating in 2022 and beyond. We’ll dive into examples of recent supply chain attacks and what concrete steps you can take to protect your team from this emerging threat.
You can check the slides for Feross' talk here.
JSNation 2023JSNation 2023
30 min
The State of Passwordless Auth on the Web
Can we get rid of passwords yet? They make for a poor user experience and users are notoriously bad with them. The advent of WebAuthn has brought a passwordless world closer, but where do we really stand?
In this talk we'll explore the current user experience of WebAuthn and the requirements a user has to fulfill for them to authenticate without a password. We'll also explore the fallbacks and safeguards we can use to make the password experience better and more secure. By the end of the session you'll have a vision for how authentication could look in the future and a blueprint for how to build the best auth experience today.
React Advanced Conference 2021React Advanced Conference 2021
22 min
Let Me Show You How React Applications Get Hacked in the Real-World
Top Content
Modern frontend frameworks like React are well thought-of in their application security design and that’s great. However, there is still plenty of room for developers to make mistakes and use insecure APIs, vulnerable components, or generally do the wrong thing that turns user input into a Cross-site Scripting vulnerability (XSS). Let me show you how React applications get hacked in the real-world.
JSNation 2023JSNation 2023
22 min
5 Ways You Could Have Hacked Node.js
All languages are or were vulnerable to some kind of threat. I’m part of the Node.js Security team and during the year 2022, we've performed many Security Releases and some of them were really hard to think about.
Did you know you can make money by finding critical vulnerabilities in Node.js? In this talk, I’ll show you 5 ways you can have hacked Node.js and how the Node.js team deals with vulnerabilities.
JSNation Live 2021JSNation Live 2021
9 min
Securing Node.js APIs with Decentralised Identity Tokens
Authentication and Authorization are serious problems. We often dedicate a lot of time to craft powerful APIs but overlook proper security measures. Let's solve it with Magic using a key-based identity solution built on top of DID standard, where users’ identities are self-sovereign leveraging blockchain public-private key pairs. In this talk, we’ll look at proper ways to secure our Node.js APIs with Decentralised Identity Tokens. We’ll go from learning what Decentralised Identity standards are, how the users’ identities are self-sovereign leveraging blockchain public-private key pairs, why they’re the future of API security, and to put theory into practice we will build a real-world implementation using Node.js where I’ll show common best practices.

Workshops on related topic

React Summit 2023React Summit 2023
56 min
0 to Auth in an hour with ReactJS
WorkshopFree
Passwordless authentication may seem complex, but it is simple to add it to any app using the right tool. There are multiple alternatives that are much better than passwords to identify and authenticate your users - including SSO, SAML, OAuth, Magic Links, One-Time Passwords, and Authenticator Apps.
While addressing security aspects and avoiding common pitfalls, we will enhance a full-stack JS application (Node.js backend + React frontend) to authenticate users with OAuth (social login) and One Time Passwords (email), including:- User authentication - Managing user interactions, returning session / refresh JWTs- Session management and validation - Storing the session securely for subsequent client requests, validating / refreshing sessions- Basic Authorization - extracting and validating claims from the session token JWT and handling authorization in backend flows
At the end of the workshop, we will also touch other approaches of authentication implementation with Descope - using frontend or backend SDKs.
JSNation 2022JSNation 2022
99 min
Finding, Hacking and fixing your NodeJS Vulnerabilities with Snyk
WorkshopFree
npm and security, how much do you know about your dependencies?Hack-along, live hacking of a vulnerable Node app https://github.com/snyk-labs/nodejs-goof, Vulnerabilities from both Open source and written code. Encouraged to download the application and hack along with us.Fixing the issues and an introduction to Snyk with a demo.Open questions.
DevOps.js Conf 2022DevOps.js Conf 2022
76 min
Bring Code Quality and Security to your CI/CD pipeline
WorkshopFree
In this workshop we will go through all the aspects and stages when integrating your project into Code Quality and Security Ecosystem. We will take a simple web-application as a starting point and create a CI pipeline triggering code quality monitoring for it. We will do a full development cycle starting from coding in the IDE and opening a Pull Request and I will show you how you can control the quality at those stages. At the end of the workshop you will be ready to enable such integration for your own projects.
TestJS Summit 2021TestJS Summit 2021
111 min
JS Security Testing Automation for Developers on Every Build
WorkshopFree
As a developer, you need to deliver fast, and you simply don't have the time to constantly think about security. Still, if something goes wrong it's your job to fix it, but security testing blocks your automation, creates bottlenecks and just delays releases...but it doesn't have to...

NeuraLegion's developer-first Dynamic Application Security Testing (DAST) scanner enables developers to detect, prioritise and remediate security issues EARLY, on every commit, with NO false positives/alerts, without slowing you down.

Join this workshop to learn different ways developers can access Nexploit & start scanning without leaving the terminal!

We will be going through the set up end-to-end, whilst setting up a pipeline, running security tests and looking at the results.

Table of contents:
- What developer-first DAST (Dynamic Application Security Testing) actually is and how it works
- See where and how a modern, accurate dev-first DAST fits in the CI/CD
- Integrate NeuraLegion's Nexploit scanner with GitHub Actions
- Understand how modern applications, APIs and authentication mechanisms can be tested
- Fork a repo, set up a pipeline, run security tests and look at the results
DevOps.js Conf 2022DevOps.js Conf 2022
32 min
Passwordless Auth to Servers: hands on with ASA
WorkshopFree
These days, you don't need a separate password for every website you log into. Yet thanks to tech debt and tradition, many DevOps professionals are still wrangling a host of SSH keys to access the servers where we sometimes need to be. With modern OAuth, a single login and second factor to prove your identity are enough to securely get you into every service that you're authorized to access. What if SSHing into servers was that easy? In this workshop, we'll use Okta's Advanced Server Access tool (formerly ScaleFT) to experience one way that the dream of sending SSH keys the way of the password has been realized.
- we'll discuss how ASA works and when it's the right tool for the job- we'll walk through setting up a free trial Okta account to use ASA from, and configuring the ASA gateway and server on Linux servers- we'll then SSH into our hosts with the ASA clients without needing to supply an SSH key from our laptops- we'll review the audit logs of our SSH sessions to examine what commands were run