Speaker: Theresa Mammarella

Twitter: @t_mammarella

For more, see the table of contents.

---

Notes

• Annual cost of cyber crime predicting to top 8 trillion. Only US and China have more than that as GDP

Terminology

• Vulnerability – weakness/flaw in system
• Threat – attack vector, potential action
• Risk – probably frequency of that loss.
• Goal of cybersecurity is to minimize risk. Can’t control intent to do harm so focus on vunlerability

CVEs

• CVE – Common Vulnerabilities and Exposures
• Format CVE-xxxx-yyyyy. xxxx = year came out. yyyy = identifier
• CVSS scoring – how bad is it on a scale of 0-10. Ten is worst
• CVSS score has three parts – basic (exploitability, impact), temporal, environmental. Good description here
• Basic is the one we see on the CVE
• CVE can be rejected. The number is used and cannot be reused. Example. Something thought found a vulnerability. Investigation was flawed and not an actual issue. Story about it here.

How to talk about

• Private disclosure – organization can choose when/whether to fix/share
• Coordinated/responsible disclosure – best practice – agreed upon time frame
• Full/public disclosure – share everything
• Best to report via company website, security.md file, security files on server, github private vulnerability reporting

Zero day vulnerability

• Either unknown to company or not yet fixed
• MOVEit file transfer issue for US government agencies
• In early 2010’s had about a month to patch before a lot of exploits. Now it can be as little as 15 minutes for bots to start seeking out vulnerable apps.

Examples

• log4jshell – remote code loading. Was reported responsibility but incomplete fix so zero days on those CVEs
• Could be as simple as a bounds check. For OpenSSL. Announced something big coming and get ready. When announced learned it only affected OpenSSL 3 (not 2) and high, not critical so boy who cried wolf situation.

Security Practices for Developers

• Insider threat includes poor training
• A lot more developers than info security. Increasingly harder for security teams to keep up.
• Cost of finding and fixing bugs increases over time
• Does this touch the internet? take untrusted input/ handle sensitive data?
• OWASP Top 10. Updated in 2021 to add insecure design, software/data integrity failures and server side request forgery (SSRF). Some merged such as injection.
• Starting OWASP Top 10 for Large Language Model Applications. A draft version is available
• mitre/hipcheck – scorecard for supply chain risk. Similarly, Sonatype security rating and OpenSSF Scorecard
• Open source dependency management. Embedded in many projects. 90% of app is open source on average. North Korea attacked many apps including Putty

Attack types

• Typosquatting – look alike domain with one or two wrong characters
• Open source repo attackes – attempt to get maleware/weakness added into depednecy source
• Build tool attacks
• Dependency confusion – different version that shows up as latest

Trust?

• Sometimes third party projects. ex: OpenSSF Scorecard
• NPM and PyPI often have supply chain attacks. Maven Central more so
• Scanning tools to find issues can be helpful
• You are responsible when things go wrong

My take

Good talk. Covered concepts and good real life examples. I learned a few things like the OWASP Top 10 for LLMs. Appreciated the shout out to “the Java people in the front row” when talking about log4j. I added a few links in my blog that weren’t in the original presentation for things I wanted to learn more about.