
Vulnerable Dependencies - Going Beyond Discovery


We are all already familiar with the risk of vulnerable dependencies. We’ve all heard at least one talk about why it is an issue, and have likely seen at least one demo of hacking using a vulnerable dependency.
This talk is going to be different. Instead of focusing on tools, or rehashing the issue, this talk will focus on how to actually mitigate these vulnerable dependencies. There are many tools out there for finding them.
But this is just the first step.

The real question is - how do we start remediating these vulnerabilities once we find them?
How do we get developers and product managers to care about them and prioritize fixing them? Should we fix all of them? How can we automate this process?

Join me to hear about some of the pains I had over the last few years while trying to answer some of these questions. I’ll share some of the things that worked for me, and hopefully may be applicable for you as well. This talk will be vendor-neutral as it will focus more on culture and processes - instead of specific tooling.

Omer Levi Hevroni

June 07, 2020


Transcript

  1. June 2020 Omer Levi Hevroni | AppSec Engineer | [email protected]
     Dependency Management - Going Beyond Discovery
  2. Easy Peasy? @omerlh
     • Triage
     • Figure out an upgrade strategy
     • Open a fix PR
     • Wait for tests
     • Deploy
     • Pray
  3. What we need?
     • Auto Merge
     • GitOps
     • Canary
     • Auto heal
     • Auto update dependencies
  4. Interesting Factors
     • Do we use the vulnerable method?
     • How long since this vulnerability was disclosed?
     • How long since it was reported on this project?
     • Is there a known exploit?
     • Does this service handle PII?
     • Is this service exposed to the internet?
  5. Interesting Metrics
     • Average severity per service/team/group
     • Median time to remediate
     • # of vulnerabilities per service/team/group
     • Learning from SRE world
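As an added example, not part of the talk or its slides, the script below turns the triage questions from the "Interesting Factors" slide into a single priority score per finding and computes the "Interesting Metrics" (number of findings, average severity, median time to remediate) per team or per service. The weights, the `Finding` field names and the sample findings are constructed assumptions; the talk does not prescribe any of them.

```python
"""Triage scoring and per-group metrics for vulnerable-dependency findings.

Added example, not from the talk. Scoring weights, field names and the
sample findings below are assumptions / constructed data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional


@dataclass
class Finding:
    id: str
    service: str
    team: str
    severity: float            # CVSS base score, 0-10
    disclosed: date            # public disclosure of the vulnerability
    reported: date             # first time the scanner flagged it on this project
    fixed: Optional[date]      # None while still open
    uses_vulnerable_method: bool
    known_exploit: bool
    handles_pii: bool
    internet_exposed: bool


def priority(f: Finding, today: date) -> float:
    """Combine the triage factors into one number; the weights are assumptions."""
    score = f.severity
    if not f.uses_vulnerable_method:
        score *= 0.25          # affected API is never called: mostly theoretical risk
    if f.known_exploit:
        score += 3
    if f.internet_exposed:
        score += 2
    if f.handles_pii:
        score += 2
    if (today - f.disclosed).days > 90:
        score += 1             # public for a while: details and patches widely known
    if (today - f.reported).days > 30:
        score += 1             # we have sat on it for more than a month
    return round(score, 2)


def rank_open(findings, today):
    """IDs of the open findings, most urgent first."""
    open_ = [f for f in findings if f.fixed is None]
    return [f.id for f in sorted(open_, key=lambda f: priority(f, today), reverse=True)]


def metrics(findings, group_by="team"):
    """Per-group metrics from the talk: counts, average severity, median time to remediate.
    group_by can be any Finding attribute, e.g. "team" or "service"."""
    groups = defaultdict(list)
    for f in findings:
        groups[getattr(f, group_by)].append(f)
    out = {}
    for name, fs in groups.items():
        ttr = [(f.fixed - f.reported).days for f in fs if f.fixed is not None]
        out[name] = {
            "total": len(fs),
            "open": sum(1 for f in fs if f.fixed is None),
            "avg_severity": round(mean(f.severity for f in fs), 2),
            "median_ttr_days": median(ttr) if ttr else None,
        }
    return out


TODAY = date(2020, 6, 7)
# Constructed sample findings: not real CVEs, services or teams.
FINDINGS = [
    Finding("DEP-1", "checkout", "payments", 9.8, date(2020, 1, 10), date(2020, 2, 1), None, True, True, True, True),
    Finding("DEP-2", "internal-reports", "data", 9.8, date(2020, 1, 10), date(2020, 5, 20), None, False, True, False, False),
    Finding("DEP-3", "checkout", "payments", 7.5, date(2019, 11, 1), date(2020, 3, 1), date(2020, 3, 11), True, False, True, True),
    Finding("DEP-4", "billing", "payments", 5.3, date(2020, 3, 1), date(2020, 4, 1), date(2020, 5, 1), False, False, False, False),
    Finding("DEP-5", "internal-reports", "data", 4.0, date(2019, 12, 1), date(2020, 2, 1), date(2020, 4, 15), True, False, False, False),
]

if __name__ == "__main__":
    print("fix order:", rank_open(FINDINGS, TODAY))
    for team, m in metrics(FINDINGS).items():
        print(team, m)
```

Note how the two 9.8-severity findings end up far apart: DEP-1 sits on an internet-facing service that handles PII and has been open for months, while DEP-2 is a library whose vulnerable method the service never calls. The same per-group dictionary can feed the weekly report or Slack update, and `median_ttr_days` is the number a team-level SLA would be set against.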
  6. Using the metric
     • Hall of Fame
     • Weekly/Monthly reports
     • Slack updates
     • Part of service/team/company SLA
     • Bottom up/top down strategy
  7. Good - business impact
     • “Hackers can steal user data”
     • “Hackers can cause denial of service”
     • Link to business requirements
       ◦ “As a user, I want to store my email”
       ◦ “As a user I want to buy apples”
  8. Wait, what about...
     • Docker containers?
     • Virtual machines?
     • Even more challenging areas
     • Use the same principles