[Owasp-leaders] NuGet and OWASP Top10 2013 A9

Erlend Oftedal Erlend.Oftedal at BEKK.no
Tue Jun 18 04:52:50 UTC 2013


Thank you, Jeremy! This is certainly valuable input. I have had a peek at DependencyCheck already, although not in-depth. At least I think the amount of possible Java packages is many many times larger than the amount of NuGet packages, so we may be able to use different approaches. While irresponsible, I can see how devs will leave out security remarks from their release notes etc. I'm sort of hoping this will be more lightweight than creating a CVE, and thus the chance of reporting is increased.

It would be interesting to have a look at populating the SafeNuGet feed using your approach. Maybe if you explain what's needed we can take a look at it.

Best regards,
Erlend

________________________________
From: Jeremy Long<mailto:jeremy.long at owasp.org>
Sent: 18.06.2013 02:20
To: Erlend Oftedal<mailto:Erlend.Oftedal at BEKK.no>
Cc: Michael Hidalgo<mailto:michael.hidalgo at owasp.org>; Jason Johnson<mailto:jason.johnson at owasp.org>; OWASP Leaders<mailto:owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] NuGet and OWASP Top10 2013 A9

On the Java side I have built dependency-check (https://github.com/jeremylong/DependencyCheck). The way this tool works is that it collects "evidence" from the JAR files it scans. The evidence would be things such as information from the pom.xml or manifest, package names, the file name itself, etc. It then uses this information to query a local copy of the CPE data from the NVD CVE data feeds. If it identifies a library (such as Apache Struts 1.2.8 -> cpe:/a:apache:struts:1.2.8) it would generate a report of the known CVE entries.

I've been considering how to scan .NET DLLs, and while I have a plan - I haven't had the time to work on the JNI calls that would be required to make this happen. If anyone is interested in helping out, it might be possible to use dependency-check to scan the entire NuGet repo and use any identified issues to populate the SafeNuGet database (if there are any DLLs with published CVE entries).

When looking at scanning Java dependencies I decided against keeping a stored list of libraries based off of things like hash codes because open source projects will often get re-compiled and the hash codes will no longer match (however, Victims<https://github.com/victims> uses an interesting approach to hash matching). I went with attempting to detect what the CPE for a JAR file is and then looking up the vulnerabilities from that.

The reason I didn't go the route of trying to get project owners to disclose the vulnerabilities is because - as a developer if I find a vulnerability in code I am maintaining - what am I most likely to do? Fix the code and report it out to the world with a new CVE? Probably not, the most likely scenario is that I'm going to fix the code, commit it, and continue coding.

The reason I didn't go the route of reading the commit logs/release notes of projects is - well there are a ton of them. In my opinion unless you have a company supporting this effort this becomes a somewhat unsustainable effort (IMHO).

I would love to help with anything I can do to help get detection of vulnerable libraries for .NET.

--Jeremy

PS - there will be a very big release of dependency-check at the BlackHat Arsenal in Vegas at the end of July.
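
The evidence-to-CPE-to-CVE flow Jeremy describes above, as an added Python example that is not dependency-check's own code: it constructs a small JAR in memory, collects vendor/product/version evidence from its Maven pom.properties, assembles candidate CPE names and looks them up in a constructed stand-in for the local NVD data (the CVE ids are placeholders). It also illustrates why he avoided hash matching: a rebuilt JAR with different class bytes hashes differently but is still identified from its evidence.

```python
import hashlib
import io
import re
import zipfile

# Constructed stand-in for a local copy of the NVD CPE data: CPE -> CVE ids.
# The CVE ids are placeholders, not real advisories for these versions.
LOCAL_CPE_VULNS = {
    "cpe:/a:apache:struts:1.2.8": ["CVE-PLACEHOLDER-A", "CVE-PLACEHOLDER-B"],
    "cpe:/a:apache:struts:1.2.9": ["CVE-PLACEHOLDER-B"],
}
POM_RE = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")

def build_sample_jar(group, artifact, version, class_bytes=b"\xca\xfe\xba\xbe\x00"):
    """Construct an in-memory JAR carrying the evidence a Maven-built JAR would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"version={version}\ngroupId={group}\nartifactId={artifact}\n")
        zf.writestr(f"{group.replace('.', '/')}/Action.class", class_bytes)
    return buf.getvalue()

def collect_evidence(jar_bytes):
    """Pull vendor/product/version candidates out of the JAR's pom.properties files."""
    ev = {"vendor": set(), "product": set(), "version": set()}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in filter(POM_RE.match, zf.namelist()):
            props = dict(line.split("=", 1) for line in
                         zf.read(name).decode().splitlines() if "=" in line)
            parts = props["groupId"].split(".")  # org.apache.struts -> vendor "apache"
            ev["vendor"].add(parts[1] if parts[0] in ("org", "com", "net") else parts[0])
            ev["product"].update({props["artifactId"], props["artifactId"].split("-")[0]})
            ev["version"].add(props["version"])
    return ev

def find_cves(jar_bytes):
    """Combine evidence into candidate CPEs and look them up in the local table."""
    ev = collect_evidence(jar_bytes)
    return {cpe: LOCAL_CPE_VULNS[cpe]
            for vendor in ev["vendor"] for product in ev["product"] for version in ev["version"]
            for cpe in [f"cpe:/a:{vendor}:{product}:{version}"] if cpe in LOCAL_CPE_VULNS}

def sha256(data):
    """Hash-based matching key: a recompiled JAR gets a new digest although it is the same library."""
    return hashlib.sha256(data).hexdigest()
```
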


On Mon, Jun 17, 2013 at 2:57 PM, Erlend Oftedal <Erlend.Oftedal at bekk.no<mailto:Erlend.Oftedal at bekk.no>> wrote:
The repo has now been moved to https://github.com/OWASP/SafeNuGet

The most important quality aspect of this project is to keep the feed up to date. This means two things:

  *   Looking through (googling) NuGet package descriptions and web sites for security issues.
  *   Reaching out to maintainers of NuGet packages and asking them to help us by letting us know when vulnerabilities have been discovered and patched in their packages.

Other than that, improving the MSBuild plugin is next on the list. I will migrate the suggested enhancements (under "issues") from the old repo. You can both submit code and suggest improvements there.

I will also talk to Samantha about setting this up as an OWASP project.

Jason and Michael: Welcome aboard

Best regards,
Erlend


From: Michael Hidalgo <michael.hidalgo at owasp.org<mailto:michael.hidalgo at owasp.org>>
Date: Monday, 17 June, 2013 17:44
To: Jason Johnson <jason.johnson at owasp.org<mailto:jason.johnson at owasp.org>>
Cc: Erlend Oftedal <erlend.oftedal at bekk.no<mailto:erlend.oftedal at bekk.no>>, "owasp-leaders at lists.owasp.org<mailto:owasp-leaders at lists.owasp.org>" <owasp-leaders at lists.owasp.org<mailto:owasp-leaders at lists.owasp.org>>
Subject: Re: [Owasp-leaders] NuGet and OWASP Top10 2013 A9

Hi guys,
That is an interesting approach and I would like to get involved too.



On Mon, Jun 17, 2013 at 8:10 AM, Jason Johnson <jason.johnson at owasp.org<mailto:jason.johnson at owasp.org>> wrote:

Can I please help with this? Are you planning on building a repo? Forgive me for not reading your posts but this is big. I am willing to help you anyway I can if you need server space or anything.

Jason

On Jun 17, 2013 9:37 AM, "Jason Johnson" <jason.johnson at owasp.org<mailto:jason.johnson at owasp.org>> wrote:

I'm interested in this also. I think it's a big deal if we use bad packages.

On Jun 17, 2013 9:30 AM, "Erlend Oftedal" <Erlend.Oftedal at bekk.no<mailto:Erlend.Oftedal at bekk.no>> wrote:
Great stuff, Dinis. I'll move it over to the OWASP repo.

Erlend

Sent from my phone
________________________________
From: Dinis Cruz<mailto:dinis.cruz at owasp.org>
Sent: 17.06.2013 10:52
To: owasp-leaders at lists.owasp.org<mailto:owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] NuGet and OWASP Top10 2013 A9

Absolutely, this type of NuGet package security mapping is something that is really needed, and I really worry about the lack of security info that is available for NuGet packages.

Btw, we should move the https://github.com/eoftedal/SafeNuGet into the OWASP GitHub repo, just like we did for https://github.com/OWASP/WebGoat.NET  (I added an issue about it<https://github.com/eoftedal/SafeNuGet/issues/7>)

Also, have you seen my posts on NuGet? Namely how I downloaded the entire NuGet database? (which we could use to create the mappings to add to the SafeNuGet database):

  *   Offline copy of the entire NuGet.org gallery. What should I do with these 4.05 Gbs of amazing .Net Apps/APIs?<http://blog.diniscruz.com/2013/05/offline-copy-of-entire-nugetorg-gallery.html>
  *   Consuming NuGet programmatically outside VisualStudio (downloading the list of packages)<http://blog.diniscruz.com/2013/05/consuming-nuget-programmatically.html>
  *   Retrieving NuGet package programmatically using NuGet.exe classes (not command line)<http://blog.diniscruz.com/2013/05/retrieving-nuget-package.html>
  *   Saving the entire list of NuGet Packages<http://blog.diniscruz.com/2013/05/saving-entire-list-of-nuget-packages.html>
  *   Downloading the entire NuGet package database<http://blog.diniscruz.com/2013/05/downloading-entire-nuget-package.html>

Dinis Cruz


Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2


On 17 June 2013 09:00, Erlend Oftedal <Erlend.Oftedal at bekk.no<mailto:Erlend.Oftedal at bekk.no>> wrote:
Hi

I recently published a tool to warn about the use of insecure NuGet libraries (in the .NET world).
You can find the info at: http://erlend.oftedal.no/blog/?blogid=138

If successful, maybe it could be a new OWASP project.

Best regards
Erlend Oftedal
OWASP Norway Chapter lead

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org<mailto:OWASP-Leaders at lists.owasp.org>
https://lists.owasp.org/mailman/listinfo/owasp-leaders




--

Michael Hidalgo.
OWASP Chapter Leader & Researcher

Blog: http://michaelhidalgocr.blogspot.com
