object lessons
play

Object lessons Deserialization after Apache Commons Collections T i - PowerPoint PPT Presentation

Jul 11, 2023 •440 likes •692 views

Object lessons Deserialization after Apache Commons Collections T i m J a r r e t t , N o v e m b e r 2 0 1 6 Who am I? @tojarrett Over 20 years in the software business At Veracode since 2008 Grammy award winner Bacon

  1. Object lessons Deserialization after Apache Commons Collections T i m J a r r e t t , N o v e m b e r 2 0 1 6

  2. Who am I? • @tojarrett • Over 20 years in the software business • At Veracode since 2008 • Grammy award winner • Bacon number of 3

  3. Deseriali- what?

  4. What is deserialization? Serialize: to snapshot a ”live” in-memory SERIALIZING object into a flat, serial stream of data that “marshalling,” can be stored or transmitted for “pickling,” reconstitution “freezing,” “flattening” Deserialize: reverse the process

  5. Timeline of the deserialization vulnerability Nov 25, Nov 2005: Nov 2013: Nov 6, 2015: 2015: ACC ACC 3.0 ACC 4.0 RCE exploits 4.1 Apr 2008: Jan 2015: Nov 12, ACC 3.2.1 "Marshalling 2015: ACC Pickles" 3.2.2

  6. How big a deal was this vuln?

  7. Veracode 2016 State of Software Security • Largest quantitative study of application security risk • Based on over 330,000 actual application testing results • 34 different industries represented • Large and small organizations, commercial software providers, open source projects, software outsourcers • Static analysis, dynamic analysis, software composition analysis

  8. Sources of application risk Configuration and deployment issues First party code Risky components

  9. Most prevalent Java components

  10. Most prevalent vulnerable Java components

  11. Developers don’t update out-of-date libraries

  12. Apache Commons Collections: a case study

  13. ACC by industry INDUSTRY VERTICAL % OF JAVA APPS WITH ACC 3.2.1 Tech 67.9% Healthcare 42.1% Other 26.7% Financial services 22.4% Manufacturing 20.4% Retail & Hospitality 16.2% Government 16.0%

  14. Component family tree Spring Web (1779) Apache Commons Spring Framework BeanUtils (1348) (501) ... Spring TestContext Framework (3007) Core Hibernate ORM Spring Web MVC Functionality (1185) (1314) ... Hadoop Core (399) Apache Commons Collections 3.2.1 (1290) Apache Commons SonarQube Plugin API Configuration (803) (262) ... Spring Context Support (916) Apache Velocity (748) SnakeYAM (519) ...

  15. Not just in Open Source

  16. Addressing component risk

  17. Addressing component risks in the SDLC 1 Policy first 2 Build an inventory 3 Developer education 4 Integrate testing

  18. Policy

  19. Build an inventory

  20. Developer education

  21. Developer education

  22. Integrate

  23. No free lunch

  24. THANK YOU Twitter: @tojarrett State of Software Security: https://www.veracode.com/soss

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object

Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object

4/13/2017 OOP Object Oriented Object 3 Programming Object 1 Object 2 Object 4 For : COP 3330. Object oriented Programming (Using C++) ht t p: / / www. com pgeom . com / ~pi yush/ t each/ 3330 Objects: State (fields), Behavior (member

632 views • 6 slides
Transition Fundamentals and Success Principles as Object Lessons Mary Stuart Hunter Associate

Transition Fundamentals and Success Principles as Object Lessons Mary Stuart Hunter Associate

Looking Back and Looking Around: Transition Fundamentals and Success Principles as Object Lessons Mary Stuart Hunter Associate Vice President and Executive Director National Resource Center for The First-Year Experience and Students in

1.03k views • 70 slides
Geronimos Cadillac Lessons for Learning Object Repositories Sergeant, sergeant, dont you

Geronimos Cadillac Lessons for Learning Object Repositories Sergeant, sergeant, dont you

Geronimos Cadillac Lessons for Learning Object Repositories Sergeant, sergeant, dont you feel Theres something wrong with your automobile Governor, governor, aint it strange They didnt have no cars on the Indian range

174 views • 14 slides
Specifying Interfaces Object Design: Chapter 9, Object Design ! Object design is the process of

Specifying Interfaces Object Design: Chapter 9, Object Design ! Object design is the process of

Object-Oriented Software Engineering Using UML, Patterns, and Java Specifying Interfaces Object Design: Chapter 9, Object Design ! Object design is the process of adding details to the requirements analysis and making implementation decisions

500 views • 28 slides
Object-Oriented Databases Object Oriented Databases ODMG Standard Object Model, Object

Object-Oriented Databases Object Oriented Databases ODMG Standard Object Model, Object

Object-Oriented Databases Object Oriented Databases ODMG Standard Object Model, Object Definition Language, Object Query Language Programming Language Bindings Outlook October 17, 2008 Michael Grossniklaus Department of

786 views • 27 slides
Object-Oriented Paradigm http://cs.mst.edu The Concept Bundled together in one object

Object-Oriented Paradigm http://cs.mst.edu The Concept Bundled together in one object

Object-Oriented Paradigm http://cs.mst.edu The Concept Bundled together in one object Data Types Functionality Encapsulation State variables used to describe the object Functions dictating how the object interacts and

230 views • 18 slides
Chapter 8, Object Design: Object design is the process of adding details to the requirements

Chapter 8, Object Design: Object design is the process of adding details to the requirements

Object Design Object-Oriented Software Engineering Chapter 8, Object Design: Object design is the process of adding details to the requirements analysis and making implementation decisions Reuse and Patterns I The object designer must

301 views • 15 slides
Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From

Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From

Protg 2006, July 26th, Stanford I R I S A C 1 R E C Saint-Cyr Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From Ontology Ontology Design Design Ontology Ontology Design Design Jean Andr B

371 views • 12 slides
Outline Object-orientation and databases CS 235: Object-oriented model: ODL Object

Outline Object-orientation and databases CS 235: Object-oriented model: ODL Object

Outline Object-orientation and databases CS 235: Object-oriented model: ODL Object Query Language Introduction to Databases Svetlozar Nestorov Lecture Notes #15 CS 235: Introduction to Databases 2 Object-Oriented DBMSs ODMG

550 views • 8 slides
Mul$-Object Synchroniza$on Mul$-Object Programs What happens

Mul$-Object Synchroniza$on Mul$-Object Programs What happens

Mul$-Object Synchroniza$on Mul$-Object Programs What happens when we try to synchronize across mul$ple objects in a large program? Each object

607 views • 31 slides
Mul$-Object Synchroniza$on Mul$-Object Programs What happens

Mul$-Object Synchroniza$on Mul$-Object Programs What happens

Mul$-Object Synchroniza$on Mul$-Object Programs What happens when we try to synchronize across mul$ple objects in a large program? Each object

1.14k views • 47 slides
Object Oriented Programming in C# February 13, 2008 The C# object model 1 Implementing an

Object Oriented Programming in C# February 13, 2008 The C# object model 1 Implementing an

Object Oriented Programming in C# February 13, 2008 The C# object model 1 Implementing an object oriented language 2 1/27 Goals of the C# object system. polymorphism the ability to write code which operates on many typesrealized by

439 views • 30 slides
Multi-Object Tracking Challenge CV3DST Lecture Exercises Multi-Object Tracking Multi-Object

Multi-Object Tracking Challenge CV3DST Lecture Exercises Multi-Object Tracking Multi-Object

Multi-Object Tracking Challenge CV3DST Lecture Exercises Multi-Object Tracking Multi-Object Tracking Origins SONAR, RADAR Given a raw stream of sensory data: Localize objects Estimate object identities over time

340 views • 16 slides
Developing Objects Segregation capabilities and the notion of Object Containment from unlabeled

Developing Objects Segregation capabilities and the notion of Object Containment from unlabeled

Developing Objects Segregation capabilities and the notion of Object Containment from unlabeled natural videos Daniel Harari Joint work with Nimrod Dorfman and Shimon Ullman Object Segregation Object 2 Object 1 Background Object

447 views • 40 slides
Chapter 5, Object Modeling From use cases to class diagrams Model and reality

Chapter 5, Object Modeling From use cases to class diagrams Model and reality

Object-Oriented Software Engineering Outline Chapter 5, Object Modeling From use cases to class diagrams Model and reality Activities during object modeling Using UML, Patterns, and Java Object identification Object types !

365 views • 7 slides
Lessons learned Techniques Limitations of formal specifications Cost of technical staff

Lessons learned Techniques Limitations of formal specifications Cost of technical staff

CRIM Lessons learned Techniques Limitations of formal specifications Cost of technical staff training Ease of communication between different system stakeholders by using object- oriented modeling techniques and OMT as notational

302 views • 9 slides
STATS 701 Data Analysis using Python Lecture 6: Files Persistent data So far, we only know how

STATS 701 Data Analysis using Python Lecture 6: Files Persistent data So far, we only know how

STATS 701 Data Analysis using Python Lecture 6: Files Persistent data So far, we only know how to write transient programs Data disappears once the program stops running Files allow for persistence Work done by a program can be saved to

577 views • 23 slides
Persistent Temporal Streams David Hilley Umakishore Ramachandran { davidhi, rama } @cc.gatech.edu

Persistent Temporal Streams David Hilley Umakishore Ramachandran { davidhi, rama } @cc.gatech.edu

Persistent Temporal Streams David Hilley Umakishore Ramachandran { davidhi, rama } @cc.gatech.edu School of Computer Science College of Computing, Georgia Institute of Technology Middleware 09 Outline Intro Premise Temporal

1.42k views • 106 slides
ECE 3574: Applied Software Design Message Serialization Today we are going to see various

ECE 3574: Applied Software Design Message Serialization Today we are going to see various

ECE 3574: Applied Software Design Message Serialization Today we are going to see various techniques for serializing objects, converting them to/from byte streams. The ability to exchange objects over files, pipes, sockets, and shared memory is

355 views • 14 slides
CharmPy: Parallel Programming with Python Objects Juan Galvez April 11, 2018 16th Annual

CharmPy: Parallel Programming with Python Objects Juan Galvez April 11, 2018 16th Annual

CharmPy: Parallel Programming with Python Objects Juan Galvez April 11, 2018 16th Annual Workshop on Charm++ and its Applicatons What is CharmPy? Parallel/distributed programming framework for Python Charm++ programming model (Charm++

364 views • 23 slides
INTEGRATING IDE INTEGRATING IDEs WITH DOTTY WITH DOTTY Guillaume Martres - EPFL 1 WHAT IS

INTEGRATING IDE INTEGRATING IDEs WITH DOTTY WITH DOTTY Guillaume Martres - EPFL 1 WHAT IS

INTEGRATING IDE INTEGRATING IDEs WITH DOTTY WITH DOTTY Guillaume Martres - EPFL 1 WHAT IS DOTTY? WHAT IS DOTTY? Research compiler that will become Scala 3 Type system internals redesigned, inspired by DOT, but externally very similar

552 views • 53 slides
Distributed Applications Networking Basics What is a Network? Depends on what level

Distributed Applications Networking Basics What is a Network? Depends on what level

Distributed Applications Networking Basics What is a Network? Depends on what level youre at One persons network is another persons application OSI Seven Layer Model FTP, HTTP, 7. Application The physical

723 views • 51 slides
Bootstrapping the Scala.js Ecosystem Li Haoyi, Scala eXchange 7 Dec 2014 What is Scala.js

Bootstrapping the Scala.js Ecosystem Li Haoyi, Scala eXchange 7 Dec 2014 What is Scala.js

Bootstrapping the Scala.js Ecosystem Li Haoyi, Scala eXchange 7 Dec 2014 What is Scala.js Scala.js is a Scala -> Javascript compiler Write code in Scala, run in the browser No more wallowing around in Javascript! No more

1.32k views • 92 slides
Protective Coating L6- Surface preparation & Paint application MM650/2 Prof. A.S. Khanna

Protective Coating L6- Surface preparation & Paint application MM650/2 Prof. A.S. Khanna

Protective Coating L6- Surface preparation & Paint application MM650/2 Prof. A.S. Khanna Corrosion Science & Eng. IIT Bombay & Prof Siva Bohm Honorary visiting scientist - IIT Bombay Principal scientist - Tata Steel Ltd

1.63k views • 78 slides

More recommend