This talk aims to let interested users in on the work of being a responsible vendor in the open source security world. It will have a particular focus on Plone, but will be applicable to anyone issuing public fixes for open source code.
Open Source Security – a vendor's perspective
Matthew Wilkes
Who am I
Zope/Plone since 2004
Plone security team leader
Former FWT member
2013 board member
Sprints, conferences, etc.
Python security at The Code Distillery
Concepts
Vulnerability report
User emails [email protected]
"Doctor, it hurts when I raise my arm like this…"
Vulnerability
Security team confirms
Find the original cause
Find variants of the same bug
Severity
Is this bug an emergency?
Who knows how to exploit it so far?
What damage can an attacker cause?
Workaround
Develop a hotfix
Test on supported versions
Release hotfix
Fix
Apply changes from the hotfix to core
Create new releases for packages
Workflow
1. Receive notification
2. Add to issue tracker and reply
3. Confirm bug exists
4. Find related problems
5. Request CVE
6. Write hotfix
7. Test on supported versions
8. Release hotfix
9. Provide notes to oss-security
10. Receive allocated CVE
11. Update plone.org with CVE ids
12. Vulnerability shows on NVD
on CVEs
The MITRE Corporation
CVE
“CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.”
Steve Christey, MITRE
CVE
“In reality, all of the large vulnerability databases may have missed published vulnerabilities in the product… We routinely see this.”
National Vulnerability Database
CVE
“Summary for CVE-2011-0720: Unspecified vulnerability in Plone 2.5 through 4.0 allows remote attackers to obtain administrative access.”
Not all equal
Can MERGE under certain circumstances
Have to fight for more
Many vulns never have one assigned
Why use CVE?
We're expected to
Lets us influence what people say about us
You can google the number
CVSSv2
What is CVSSv2?
A systematic way of assigning severity
Three sections: Base, Temporal, Environmental
Our job to provide Base scores
Users can apply the Temporal and Environmental scores
Comparing CVSSv2s
Sometimes vendors release temporal scores, not base
Very few vendors publish the vectors
Vendors often disagree with researchers
Not all options always apply
CVSSv2 for companies
Temporal scores let us scale scores over the lifecycle of the bug
Environmental scores let you weight scores according to your business goals
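The two CVSSv2 slides above say the vendor supplies the Base score and that Temporal metrics then scale it over the life of the bug. The following is an added worked example, not code from the talk or from Plone: it implements the CVSSv2 Base and Temporal equations (the constants are the published CVSS v2 weights) and walks one constructed vector through the workflow stages of this talk, mapping "hotfix" to RL:TF (temporary fix) and "fix in core" to RL:OF (official fix). The admin-takeover vector is an assumed illustration of a remote, unauthenticated compromise and is not the vector NVD recorded for any particular Plone CVE.

```python
"""CVSSv2 base and temporal scoring, as an added illustration.

Not code from the talk or from Plone. Weights are the published CVSS v2
metric values; the vector walked through at the bottom is constructed.
"""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Base metric weights (CVSS v2 guide).
ACCESS_VECTOR = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}
ACCESS_COMPLEXITY = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}
AUTHENTICATION = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}
IMPACT = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}

# Temporal metric weights; "ND" (not defined) leaves the score unchanged.
EXPLOITABILITY = {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"),
                  "H": D("1.0"), "ND": D("1.0")}
REMEDIATION_LEVEL = {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"),
                     "U": D("1.0"), "ND": D("1.0")}
REPORT_CONFIDENCE = {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"),
                     "ND": D("1.0")}


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:N/I:N/A:C' -> {'AV': 'N', 'AC': 'L', ...}."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError("malformed metric %r in %r" % (part, vector))
        metrics[key] = value
    return metrics


def _round1(x):
    # CVSS rounds to one decimal; Decimal avoids float artefacts at .x5.
    return float(x.quantize(D("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """Base score from a CVSSv2 base vector (the part the vendor publishes)."""
    m = parse_vector(vector)
    impact = D("10.41") * (1 - (1 - IMPACT[m["C"]])
                           * (1 - IMPACT[m["I"]])
                           * (1 - IMPACT[m["A"]]))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                      * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]])
    f_impact = D("0") if impact == 0 else D("1.176")
    return _round1((D("0.6") * impact + D("0.4") * exploitability
                    - D("1.5")) * f_impact)


def temporal_score(base, temporal_vector):
    """Scale a base score by a temporal vector such as 'E:POC/RL:TF/RC:C'."""
    m = parse_vector(temporal_vector)
    return _round1(D(str(base)) * EXPLOITABILITY[m["E"]]
                   * REMEDIATION_LEVEL[m["RL"]] * REPORT_CONFIDENCE[m["RC"]])


# Workflow stages from the talk as temporal vectors. The vendor moves RL and
# RC; E tracks what attackers have and is assumed to stop at proof-of-concept.
LIFECYCLE = [
    ("report received, unconfirmed", "E:U/RL:U/RC:UC"),
    ("security team confirms bug", "E:U/RL:U/RC:C"),
    ("hotfix released (temporary fix)", "E:POC/RL:TF/RC:C"),
    ("fix in core release (official fix)", "E:POC/RL:OF/RC:C"),
]


def vulnerability_lifecycle(base_vector):
    """(stage, temporal vector, temporal score) for each workflow stage."""
    base = base_score(base_vector)
    return [(stage, tv, temporal_score(base, tv)) for stage, tv in LIFECYCLE]


if __name__ == "__main__":
    # Constructed vector: remote, low complexity, no auth, full C/I/A loss.
    admin_takeover = "AV:N/AC:L/Au:N/C:C/I:C/A:C"
    print("base score:", base_score(admin_takeover))
    for stage, tv, score in vulnerability_lifecycle(admin_takeover):
        print("%-36s %-18s %.1f" % (stage, tv, score))
```

Confirming the report raises the temporal score (RC goes from 0.90 to 1.0) before the hotfix lowers it again, and the score would climb back if a functional exploit appeared (E:F); that is why a vendor should publish the base vector, not just a temporal number taken at one moment.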
Why use CVSSv2?
Lets us influence what people say about us
Easier to form policies about what things are urgent
We can make stats!
CWE
What is CWE?
OWASP Top-10 2010: A5 Cross-Site Request Forgery
SANS Top-25 2013: Rank #12
OWASP Top-10 2013: A8 Cross-Site Request Forgery
CWE-352: Cross-Site Request Forgery (CSRF)
Problems with CWE
940 CWEs currently listed
Very granular
Granularity
CWE-759: Use of a One-Way Hash without a Salt
CWE-916: Use of Password Hash With Insufficient Computational Effort
Why use CWE?
Lets us influence what people say about us
We can make stats
Databases
Manually maintained
Pull public information and tabulate
Some companies have write access
Almost all vendors do not
Latest Plone update
NVD: November 2011
OSVDB: June 2010
CVE Details: November 2011
Statistics
CVE-2013-4196
No gain information?
“Multiple information exposure flaws were found in the way object manager implementation of Plone, a user friendly and powerful content management system, protected access to its internal methods.”
CVE-2012-5505
No gain information?
“On some content types an anonymous view lookup returns a private data structure, which under certain circumstances may be used to read out confidential data.”
Fix it!
Kurt Seifried, Red Hat
Collaborative databases?
“Sadly it probably won't work, most projects barely care about security, even fewer care about doing advisories correctly.”
Open Source Vulnerability Database
Collaborative databases?
“Use of the OSVDB, and/or API in a commercial atmosphere requires a license from OSF or a commercial partner of our designation. Failure to obtain a license for such use will result in account termination and legal action as necessary.”
Kurt Seifried, Red Hat
SPOF
“Remember this is supposed to be basically a small side part of my job at Red Hat and I sometimes get slammed and grumpy =)”
Recommendations
1. A wiki-type vulnerability database
2. Freely available vulnerability ids
3. Direct editing access for vendors
4. Open data
5. Extend CVSSv2 for webapps
6. Allow the public to tag CWE
7. Decouple vulnerability instances and causes
Questions?