How to Report a Vulnerability

A presentation at JCON EUROPE in June 2023 in Cologne, Germany by Brian Demers

Slide 1

Slide 1

Security Vulnerabilities for Java Developers Brian Demers Open Source Developer BrianDemers bdemers

Slide 2

Slide 2

🐛 🦟 “All software has bugs.” 🐜 @BrianDemers | bdemers 🐞

Slide 3

Slide 3

Topics • What is a Vulnerability • What is Responsible Disclosure • How they are Reported • Learnings from Log4Shell • What you can do for your Projects • Code • Dependencies • Reporting Security Issues @BrianDemers | bdemers IANAL: I Am Not A Lawyer TINLA: This Is Not Legal Advice

Slide 4

Slide 4

Who is this guy? @BrianDemers | bdemers

Slide 5

Slide 5

Developer Productivity Engineering @BrianDemers | bdemers

Slide 6

Slide 6

What is a Vulnerability @BrianDemers | bdemers

Slide 7

Slide 7

Quick Example audible.com/typ/promo?couponValue=1000000.0 @BrianDemers | bdemers

Slide 8

Slide 8

@BrianDemers | bdemers

Slide 9

Slide 9

CVE vs Vulnerability Common Vulnerabilities and Exposures • An ID for Vulnerabilities CVE-2021-44228 <year>-<number> xkcd.com/1957 @BrianDemers | bdemers

Slide 10

Slide 10

(Data from nvd.nist.gov) @BrianDemers | bdemers

Slide 11

Slide 11

Common Vulnerability Scoring System (CVSS) nvd.nist.gov/vuln-metrics/cvss/v3-calculator @BrianDemers | bdemers

Slide 12

Slide 12

Common Weakness Enumeration (CWE) CWE-400: Uncontrolled Resource Consumption CWE-502: Deserialization of Untrusted Data CWE-20: Improper Input Validation Common Platform Enumeration (CPE) cpe:2.3:o:microsoft:windows_xp:-:sp3:::::x86:* cpe:2.3:a:apache:log4j:::::::: org.apache.logging.log4j:log4j-core:2.17.1 @BrianDemers | bdemers

Slide 13

Slide 13

CVEs are Bad? @BrianDemers | bdemers

Slide 14

Slide 14

https://cve.org/ https://nvd.nist.gov/ @BrianDemers | bdemers

Slide 15

Slide 15

The Bad… @BrianDemers | bdemers

Slide 16

Slide 16

Vulnerability Report Timeline Report Fix Disclose Privately Report Issue Patch and Fix Issue Announce the Fix @BrianDemers | bdemers

Slide 17

Slide 17

Responsible Disclosure • Give vendor time to x vulnerability before telling public Full Disclosure Tell public ASAP fi •

Slide 18

Slide 18

(Privately) • NOT on StackOver ow • NOT on an Email list • NOT on an open forum (Slack) • Look for a security mailing list • Check Bugcrowd or HackerOne • If you are worried use an anonymous email account fl @BrianDemers | bdemers

Slide 19

Slide 19

Don’t use a public bug tracker @BrianDemers | bdemers

Slide 20

Slide 20

Don’t use a public bug tracker @BrianDemers | bdemers

Slide 21

Slide 21

• It’s up to the project to x the issue • Open Source project get involved! • Project publishes a patch/ x publicly • The project should give you a timeline of the x fi fi fi @BrianDemers | bdemers

Slide 22

Slide 22

How long to wait? • Google Project Zero - 90 days • Linux Kernel - 2 weeks • HackerOne - 30 days • CERT - 45 days @BrianDemers | bdemers

Slide 23

Slide 23

@BrianDemers | bdemers

Slide 24

Slide 24

• After the x you can disclose the issue. • Blog about it. • Tell your friends you are a security researcher now Or not (some companies reward you $$ for not talking) xkcd.com/1871/ fi •

Slide 25

Slide 25

The ASF Process • A detailed 19 step process • apache.org/security/committers.html

Slide 26

Slide 26

@BrianDemers | bdemers

Slide 27

Slide 27

Log4Shell Timeline Report Disclose Exploit Fix 2021-11-24 2021-11-29 2021-12-01 2021-12-09 Privately Reported Public Commits Exploit out in the wild Public Release Alibaba Cloud Security Team GitHub, Mailing lists, Bug Report, etc. Cloud are’s earliest evidence Maven Central fl @BrianDemers | bdemers

Slide 28

Slide 28

@BrianDemers | bdemers

Slide 29

Slide 29

Dependencies @BrianDemers | bdemers

Slide 30

Slide 30

Your Application Dependencies Your code @BrianDemers | bdemers

Slide 31

Slide 31

Dependencies • Other libraries (Maven Dependencies) • Java JVM • Docker? • Operation System • Virtual Machine? https://xkcd.com/2347/

Slide 32

Slide 32

Automate your Dependency Updates @BrianDemers | bdemers

Slide 33

Slide 33

@BrianDemers | bdemers

Slide 34

Slide 34

Are your dependencies healthy? @BrianDemers | bdemers

Slide 35

Slide 35

End of Life @BrianDemers | bdemers

Slide 36

Slide 36

Rotate your Keys 🗝 ♻ @BrianDemers | bdemers

Slide 37

Slide 37

SBOM @BrianDemers | bdemers

Slide 38

Slide 38

Write less code. @BrianDemers | bdemers

Slide 39

Slide 39

“Friends Don’t Let Friends Build Auth” –Your Friend @BrianDemers | bdemers

Slide 40

Slide 40

Code • Continuous • Static • Audits Integration Analysis / Security Reviews

Slide 41

Slide 41

zaproxy.org @BrianDemers | bdemers

Slide 42

Slide 42

Code Scanning Tools @BrianDemers | bdemers

Slide 43

Slide 43

Vulnerabilities are a fact of life. @BrianDemers | bdemers

Slide 44

Slide 44

Create a GitHub Issues Template

Slide 45

Slide 45

.github/SECURITY.md @BrianDemers | bdemers

Slide 46

Slide 46

securitytxt.org Add a .well-known/security.txt @BrianDemers | bdemers

Slide 47

Slide 47

Bug Bounty Sites @BrianDemers | bdemers

Slide 48

Slide 48

@BrianDemers | bdemers

Slide 49

Slide 49

Thank You! @BrianDemers @BrianDemers | bdemers

Slide 50

Slide 50

Attribution • “xkcd 1938, 1957” are licensed under CC BY-NC 2.5 • Internet Of Shit sticker image from: https://twitter.com/internetofshit • https://intezer.com/wp-content/uploads/2017/08/GoodBAd-1000x475.b197b0.webp • Intel -insider trading image: https://i.kym-cdn.com/photos/images/newsfeed/001/329/141/44f.png • Three people secret image: http://www.notable-quotes.com/f/benjamin_franklin_quote_2.jpg • Secret stamp: cc-by-sa Willscrlt: https://commons.wikimedia.org/wiki/File:Top_secret.png • Questions image: https://veryfunnypics.eu/wp-content/uploads/2014/09/funny-pictures-how-to-avoid-questions.jpg • PGP encryption image: https://static.goanywhere.com/images/products/mft/GoAnywhereMFT_OpenPGPDiagram_web2018.png • CVSS score image: https://www. rst.org/cvss/v3-1/media/dcbbdaef38f7d415ef9ccbd936d48d4e.png • JFK meme: https://img ip.com/i/3si67b • Private sign: https://veryfunnypics.eu/a-private-sign-2/ fi fl @BrianDemers | bdemers