Chapter 6: Components With Known Vulnerabilities

USING COMPONENTS WITH KNOWN VULNERABILITIES
INSUFFICIENT LOGGING & MONITORING
Dr. P S Lokhande


USING COMPONENTS WITH KNOWN VULNERABILITIES
Components with known vulnerabilities are software components that have security flaws or weaknesses which have been identified and publicly disclosed. These vulnerabilities can be the result of coding errors, design flaws, or outdated libraries or frameworks.
Components, such as libraries, frameworks, and other software modules, run with the
same privileges as the application. If a vulnerable component is exploited, such an
attack can facilitate serious data loss or server takeover.
IS THE APPLICATION VULNERABLE?
You are likely vulnerable:

* If you do not know the versions of all components you use (both client-side and server-side). This includes
components you directly use as well as nested dependencies.

* If software is vulnerable, unsupported, or out of date. This includes the OS, web/application server, database
management system (DBMS), applications, APIs and all components, runtime environments, and libraries.

* If you do not scan for vulnerabilities regularly and subscribe to security bulletins related to the components
you use.

* If you do not fix or upgrade the underlying platform, frameworks, and dependencies in a risk-based, timely fashion. This commonly happens in environments where patching is a monthly or quarterly task under change control, which leaves organizations open to many days or months of unnecessary exposure to already-fixed vulnerabilities.

* If software developers do not test the compatibility of updated, upgraded, or patched libraries.
WHY IS USING COMPONENTS WITH KNOWN VULNERABILITIES RISKY?
Attackers actively seek out vulnerable systems and components to exploit. They can
use automated tools to look for vulnerable components and launch attacks.
Vulnerable components can allow attackers to bypass security controls such as
firewalls and intrusion detection systems and gain access to sensitive data or systems.
Vulnerable components can provide attackers with a launching pad for further
attacks or allow them to move within a network.
EXAMPLE
Attackers can invoke any web service with full permission by failing to provide an identity token.
Remote code execution through an Expression Language injection vulnerability introduced by the Spring Framework for Java-based apps.
Components typically run with the same privileges as the application itself, so flaws in any component can result in serious impact. Such flaws can be accidental (e.g. a coding error) or intentional (e.g. a backdoor in a component). Some examples of exploitable component vulnerabilities that have been discovered are:
• Struts 2 remote code execution vulnerability that enables execution of arbitrary code on the server;
• the Shodan IoT search engine can help you find devices that still suffer from the Heartbleed vulnerability.
WHY SHOULD WE CARE?
• Apache POI Information Disclosure via External Entity Expansion (XXE)
• Adobe XMP Toolkit for Java Information Disclosure via External Entity Expansion (XXE)
• Remote code execution vulnerability in Apache Struts when dynamic method invocation is enabled
• Remote code execution vulnerability in Jenkins remoting, related to Apache commons-collections
HOW TO PREVENT?
• Remove unused dependencies, unnecessary features, components, files, and documentation.
• Be up to date on security alerts.
• Use a vulnerability scanner.
• Use secure coding practices.
• Patch and update.
• Use third-party libraries wisely.
• Continuously inventory the versions of both client-side and server-side components (e.g. frameworks, libraries) and their dependencies using tools like versions, DependencyCheck, retire.js, etc.
VERSIONS TOOL
DEPENDENCY-CHECK TOOL
Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to
detect publicly disclosed vulnerabilities contained within a project’s dependencies.
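As an added example (not part of the slides or of Dependency-Check itself), the inventory-and-match step that such SCA tools automate: walk a constructed lock file, including nested dependencies, and compare every component version against a constructed advisory list. The component names, version ranges and advisory ids are placeholders, and versions are compared numerically, which is what makes "2.3.5" correctly fall before "2.3.20".

```python
from typing import Dict, List, Tuple

# Constructed lock file: name -> (version, names of its direct dependencies)
LOCKFILE: Dict[str, Tuple[str, List[str]]] = {
    "webapp": ("1.0.0", ["struts-like", "collections-like"]),
    "struts-like": ("2.3.5", ["ognl-like"]),
    "collections-like": ("3.2.1", []),
    "ognl-like": ("3.0.6", []),
}

# Constructed advisory feed: (component, introduced, fixed, placeholder id).
# A component is affected when introduced <= version < fixed.
ADVISORIES = [
    ("struts-like", "2.0.0", "2.3.20", "ADV-0001-placeholder"),
    ("collections-like", "3.0.0", "3.2.2", "ADV-0002-placeholder"),
    ("ognl-like", "3.1.0", "3.1.12", "ADV-0003-placeholder"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """'2.3.20' -> (2, 3, 20): compare numerically, not as strings ('2.3.5' > '2.3.20' lexically)."""
    return tuple(int(p) for p in v.split("."))

def is_affected(version: str, introduced: str, fixed: str) -> bool:
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def resolve_tree(root: str, lock=LOCKFILE, seen=None) -> Dict[str, str]:
    """Every component reachable from root (direct and nested), with its version."""
    seen = {} if seen is None else seen
    if root in seen:
        return seen
    version, deps = lock[root]
    seen[root] = version
    for dep in deps:
        resolve_tree(dep, lock, seen)
    return seen

def audit(root: str) -> List[Tuple[str, str, str]]:
    """(component, version, advisory id) for each affected component in the tree."""
    findings = []
    for name, version in resolve_tree(root).items():
        for comp, introduced, fixed, adv_id in ADVISORIES:
            if comp == name and is_affected(version, introduced, fixed):
                findings.append((name, version, adv_id))
    return findings

if __name__ == "__main__":
    for name, version, adv in audit("webapp"):
        print(f"{name} {version}: affected by {adv}, upgrade to the fixed version")
```

Note that the nested component ognl-like 3.0.6 is below the affected range and is correctly not reported, while collections-like is only reachable transitively and is still caught.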
INSUFFICIENT LOGGING & MONITORING

Insufficient logging and monitoring allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper with, extract, or destroy data.
With insufficient logging and monitoring, it is almost impossible to track suspicious activities and respond to them in a timely fashion.
Without sufficient logging and visibility, security incidents such as unauthorized access, code injection, or data breaches may go undetected.
WHAT IS LOG MONITORING?
Log monitoring is a process by which developers and administrators continuously observe logs as they are recorded. With log monitoring software, teams can collect information and trigger alerts if something affects system performance and health.
LOG MONITORING TOOLS
• Graylog
• Elasticsearch ELK Stack (Elastic Stack)
• Fluentd
• Prometheus
• Apache Kafka
LOG MONITORING USE CASES
Anything connected to a network that generates a log of activity is a candidate for log monitoring. These include the following:
Infrastructure monitoring automatically tracks modern cloud infrastructure, including the following:
• Hosts and virtual machines;
• Platform as a service, such as AWS, Azure, and GCP;
• Container platforms, such as Kubernetes, OpenShift, and Cloud Foundry;
• Network devices, process detection, resource utilization, and network usage and performance;
• Third-party data and event integration; and
• Open source software.
IS THE APPLICATION VULNERABLE?
Insufficient logging, detection, monitoring and active response occurs any time:

* Auditable events, such as logins, failed logins, and high-value transactions, are not logged.

* Warnings and errors generate no, inadequate, or unclear log messages.

* Logs of applications and APIs are not monitored for suspicious activity.

* Logs are only stored locally.

* Appropriate alerting thresholds and response escalation processes are not in place or effective.

* The application is unable to detect, escalate, or alert for active attacks in real time or near real time.
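As an added example (not from the slides), a threshold rule of the kind a log-monitoring pipeline runs over application logs: it reads constructed JSON log lines and raises one alert per account whose failed logins exceed a threshold inside a sliding time window. The field names, the 5-failures-in-60-seconds threshold and the sample events are assumptions made for this illustration.

```python
import json
from collections import defaultdict, deque
from typing import Deque, Dict, List

# Constructed sample log lines, one JSON object per line, in the shape a central
# log platform would receive them (epoch-second timestamps for simplicity).
SAMPLE_LOGS = """
{"ts": 1000, "event": "login_failed", "user": "alice", "src": "203.0.113.5"}
{"ts": 1010, "event": "login_failed", "user": "alice", "src": "203.0.113.5"}
{"ts": 1020, "event": "login_ok", "user": "bob", "src": "198.51.100.7"}
{"ts": 1030, "event": "login_failed", "user": "alice", "src": "203.0.113.5"}
{"ts": 1040, "event": "login_failed", "user": "alice", "src": "203.0.113.5"}
{"ts": 1045, "event": "login_failed", "user": "alice", "src": "203.0.113.5"}
{"ts": 2000, "event": "login_failed", "user": "bob", "src": "198.51.100.7"}
{"ts": 2200, "event": "login_failed", "user": "bob", "src": "198.51.100.7"}
""".strip()

THRESHOLD = 5  # failed logins that trigger an alert (assumed value)
WINDOW = 60    # seconds; only failures inside this sliding window count

def detect_failed_login_burst(lines: str, threshold=THRESHOLD, window=WINDOW) -> List[Dict]:
    """One alert per account whose in-window failed logins reach the threshold."""
    recent: Dict[str, Deque[int]] = defaultdict(deque)  # user -> failure timestamps
    alerts: List[Dict] = []
    alerted = set()
    for raw in lines.splitlines():
        event = json.loads(raw)
        if event["event"] != "login_failed":
            continue
        user, ts = event["user"], event["ts"]
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)  # alert once per account, not once per extra failure
            alerts.append({"user": user, "count": len(q), "first": q[0],
                           "last": ts, "src": event["src"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_failed_login_burst(SAMPLE_LOGS):
        print("ALERT", alert)
```

With the constructed input only alice is reported; bob's two failures are 200 seconds apart, so the window expires between them and no alert fires.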
HOW TO PREVENT
As per the risk of the data stored or processed by the application:

* Ensure all login, access control failures, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts, and held for sufficient time to allow delayed forensic analysis.

* Ensure that logs are generated in a format that can be easily consumed by a centralized log management solution.

* Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.

* Establish effective monitoring and alerting such that suspicious activities are detected and responded to in a timely fashion.
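As an added example (not from the slides), one way to give high-value transactions an audit trail with integrity controls: each JSON record carries user context and the SHA-256 hash of the previous record, so modifying, deleting or reordering an entry breaks the chain. The record fields, the sample "transfer" events and the 203.0.113.5 source address are constructed for this illustration.

```python
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # previous-hash value used by the first record

def canonical(record: Dict) -> str:
    """Stable JSON serialisation so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))

def append_record(trail: List[Dict], event: str, user: str, src: str, **details) -> Dict:
    """Append one record linked to its predecessor; the trail is never edited in place."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    body = {"seq": len(trail), "event": event, "user": user, "src": src,
            "details": details, "prev_hash": prev_hash}
    body["hash"] = hashlib.sha256(canonical(body).encode()).hexdigest()
    trail.append(body)
    return body

def verify_chain(trail: List[Dict]) -> bool:
    """True only if every record hashes correctly and links to the one before it."""
    prev_hash = GENESIS
    for seq, record in enumerate(trail):
        body = {k: v for k, v in record.items() if k != "hash"}
        if record["seq"] != seq or body["prev_hash"] != prev_hash:
            return False  # a record was deleted, inserted or reordered
        if hashlib.sha256(canonical(body).encode()).hexdigest() != record["hash"]:
            return False  # record contents were modified after the fact
        prev_hash = record["hash"]
    return True

def build_sample_trail() -> List[Dict]:
    """Constructed sample: one login followed by two high-value transfers."""
    trail: List[Dict] = []
    append_record(trail, "login_ok", "alice", "203.0.113.5")
    append_record(trail, "transfer", "alice", "203.0.113.5", amount=9000, to="acct-42")
    append_record(trail, "transfer", "alice", "203.0.113.5", amount=25000, to="acct-77")
    return trail

if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_chain(trail))
    trail[1]["details"]["amount"] = 90  # simulate an after-the-fact edit
    print("after edit:", verify_chain(trail))
```

The chain alone cannot detect removal of the most recent record; that needs the latest hash to be recorded somewhere the application cannot rewrite, such as the centralized log platform the previous bullet points to.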
