Object lessons: Deserialization after Apache Commons Collections



SLIDE 1

Object lessons

Deserialization after Apache Commons Collections

Tim Jarrett, November 2016

SLIDE 2

Who am I?

  • @tojarrett
  • Over 20 years in the software business
  • At Veracode since 2008
  • Grammy award winner
  • Bacon number of 3

SLIDE 3

Deseriali- what?

SLIDE 4

What is deserialization?

SERIALIZING: also called “marshalling,” “pickling,” “freezing,” “flattening”

Serialize: to snapshot a “live” in-memory object into a flat, serial stream of data that can be stored or transmitted for reconstitution.

Deserialize: reverse the process.

SLIDE 5

Timeline of the deserialization vulnerability (ACC = Apache Commons Collections)

  • Nov 2005: ACC 3.0
  • Apr 2008: ACC 3.2.1
  • Nov 2013: ACC 4.0
  • Jan 2015: "Marshalling Pickles"
  • Nov 6, 2015: RCE exploits
  • Nov 12, 2015: ACC 3.2.2
  • Nov 25, 2015: ACC 4.1

SLIDE 6

How big a deal was this vuln?

SLIDE 7

Veracode 2016 State of Software Security

  • Largest quantitative study of application security risk
  • Based on over 330,000 actual application testing results
  • 34 different industries represented
  • Large and small organizations, commercial software providers, open source projects, software outsourcers
  • Static analysis, dynamic analysis, software composition analysis

SLIDE 8

Sources of application risk

  • Configuration and deployment issues
  • First party code
  • Risky components

SLIDE 9

Most prevalent Java components

SLIDE 10

Most prevalent vulnerable Java components

SLIDE 11

Developers don’t update out-of-date libraries

SLIDE 12

Apache Commons Collections: a case study

SLIDE 13

ACC by industry

INDUSTRY VERTICAL       % OF JAVA APPS WITH ACC 3.2.1
Tech                    67.9%
Healthcare              42.1%
Other                   26.7%
Financial services      22.4%
Manufacturing           20.4%
Retail & Hospitality    16.2%
Government              16.0%

SLIDE 14

Component family tree

Apache Commons Collections 3.2.1 (1290)
  • Apache Commons BeanUtils (1348), Spring Web (1779), Spring Framework (501), ...
  • Core Hibernate ORM Functionality (1185), Spring TestContext Framework (3007), Spring Web MVC (1314), ...
  • Apache Commons Configuration (803), Hadoop Core (399), SonarQube Plugin API (262), ...
  • Apache Velocity (748), Spring Context Support (916), SnakeYAML (519), ...

SLIDE 15

Not just in Open Source

SLIDE 16

Addressing component risk

SLIDE 17

Addressing component risks in the SDLC

  1. Policy first
  2. Build an inventory
  3. Developer education
  4. Integrate testing

SLIDE 18

Policy

SLIDE 19

Build an inventory
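One concrete form the inventory step can take, as an added example that is not from the deck or from Veracode: walk a build output or deployment directory, open every jar, read the Maven pom.properties files it carries, and report any Apache Commons Collections artifact still on a release the timeline slide places before 3.2.2 (for the 3.x branch) or 4.1 (for the 4.x branch). The Maven coordinates used (commons-collections:commons-collections and org.apache.commons:commons-collections4) are the published ones; the version cut-offs are an assumption derived from the timeline on slide 5.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Properties;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.stream.Stream;

public class AccInventory {

    // Parse "3.2.1", "4.0" or "3.2.1-SNAPSHOT" into numeric parts; missing parts are 0.
    static int[] versionParts(String version) {
        int[] parts = new int[3];
        String[] raw = version.split("[.-]");
        for (int i = 0; i < 3 && i < raw.length; i++) {
            try {
                parts[i] = Integer.parseInt(raw[i]);
            } catch (NumberFormatException e) {
                break; // stop at the first non-numeric token, e.g. "SNAPSHOT"
            }
        }
        return parts;
    }

    // Assumption taken from the timeline slide: 3.2.2 and 4.1 are the first releases
    // on each branch shipped in response to the deserialization exploits.
    static boolean isAffectedAccVersion(String version) {
        if (version == null) return false;
        int[] v = versionParts(version);
        if (v[0] == 3) return v[1] < 2 || (v[1] == 2 && v[2] < 2);
        if (v[0] == 4) return v[1] < 1;
        return false;
    }

    // ACC's Maven coordinates: commons-collections:commons-collections for 3.x,
    // org.apache.commons:commons-collections4 for 4.x.
    static boolean isAcc(String groupId, String artifactId) {
        return ("commons-collections".equals(groupId) && "commons-collections".equals(artifactId))
            || ("org.apache.commons".equals(groupId) && "commons-collections4".equals(artifactId));
    }

    // Read every META-INF/maven/<group>/<artifact>/pom.properties inside a jar and
    // report affected ACC coordinates. A jar that bundles ("shades") other jars can
    // carry several of these files, which is why all of them are checked.
    static List<String> scanJar(Path jar) throws IOException {
        List<String> findings = new ArrayList<>();
        try (JarFile jf = new JarFile(jar.toFile())) {
            for (JarEntry entry : Collections.list(jf.entries())) {
                String name = entry.getName();
                if (!name.startsWith("META-INF/maven/") || !name.endsWith("/pom.properties")) continue;
                Properties p = new Properties();
                try (InputStream in = jf.getInputStream(entry)) {
                    p.load(in);
                }
                String g = p.getProperty("groupId");
                String a = p.getProperty("artifactId");
                String v = p.getProperty("version");
                if (isAcc(g, a) && isAffectedAccVersion(v)) {
                    findings.add(jar + " -> " + g + ":" + a + ":" + v);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        List<Path> jars = new ArrayList<>();
        try (Stream<Path> files = Files.walk(root)) {
            files.filter(f -> f.toString().endsWith(".jar")).forEach(jars::add);
        }
        for (Path jar : jars) {
            for (String finding : scanJar(jar)) System.out.println(finding);
        }
    }
}
```

Run it as `java AccInventory /path/to/deployment` and feed the output into the policy step: a finding is an app that still ships the library the slides show is rarely updated. Two gaps to keep in mind: jars repackaged without pom.properties, and classes unpacked straight into WEB-INF/classes, produce no match here, so a fuller scanner also looks for the org/apache/commons/collections/ package path and inspects nested jars inside WAR and EAR files.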

SLIDE 20

Developer education

SLIDE 21

Developer education

SLIDE 22

Integrate

SLIDE 23

No free lunch

SLIDE 24

THANK YOU

Twitter: @tojarrett
State of Software Security: https://www.veracode.com/soss