Object lessons: Deserialization after Apache Commons Collections
Tim Jarrett, November 2016

Page 1

Object lessons: Deserialization after Apache Commons Collections

Tim Jarrett, November 2016

Page 2

Who am I?

• @tojarrett
• Over 20 years in the software business
• At Veracode since 2008
• Grammy award winner
• Bacon number of 3

Page 3

Deseriali-what?

Page 4

What is deserialization?

SERIALIZING: “marshalling,” “pickling,” “freezing,” “flattening”

Serialize: to snapshot a “live” in-memory object into a flat, serial stream of data that can be stored or transmitted for reconstitution

Deserialize: reverse the process
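As an added illustration (not from the talk), the Java program below performs the round trip the slide describes, then deserializes through an ObjectInputStream that rejects any class not on an allowlist before it is instantiated; this is the standard defence against gadget-chain payloads such as the Apache Commons Collections one. The Invoice class and the allowlist contents are constructed for this example.

```java
import java.io.*;
import java.util.Set;

// Added example, not code from the talk: "look-ahead" deserialization that
// refuses any class outside an allowlist before its readObject logic can run.
public class SafeDeserialization {

    // Constructed sample type for the example
    static class Invoice implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer;
        final long cents;
        Invoice(String customer, long cents) { this.customer = customer; this.cents = cents; }
    }

    // Only the types this endpoint expects; library gadget classes (for
    // example anything from commons-collections 3.2.1) are never listed here.
    static final Set<String> ALLOWED = Set.of(Invoice.class.getName(), "java.lang.String");

    static class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        // Called for every class descriptor in the stream, before instantiation
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Invoice ok = (Invoice) deserialize(serialize(new Invoice("acme", 1999)));
        System.out.println("accepted: " + ok.customer + " " + ok.cents);
        // java.util.HashMap is not on the allowlist, so resolveClass rejects it
        try {
            deserialize(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);
        }
    }
}
```

The resolveClass override works on every Java version; on Java 9 and later the same policy can also be expressed with the built-in ObjectInputFilter (JEP 290) instead of a subclass.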

Page 5

Timeline of the deserialization vulnerability

Nov 2005: ACC 3.0

Apr 2008: ACC 3.2.1

Nov 2013: ACC 4.0

Jan 2015: "Marshalling Pickles"

Nov 6, 2015: RCE exploits

Nov 12, 2015: ACC 3.2.2

Nov 25, 2015: ACC 4.1

Page 6

How big a deal was this vuln?

Page 7

Veracode 2016 State of Software Security

• Largest quantitative study of application security risk

• Based on over 330,000 actual application testing results

• 34 different industries represented

• Large and small organizations, commercial software providers, open source projects, software outsourcers

• Static analysis, dynamic analysis, software composition analysis

Page 8

Sources of application risk

Configuration and deployment issues

First party code

Risky components

Page 9

Most prevalent Java components

Page 10

Most prevalent vulnerable Java components

Page 11

Developers don’t update out-of-date libraries

Page 12

Apache Commons Collections: a case study

Page 13

ACC by industry

INDUSTRY VERTICAL        % OF JAVA APPS WITH ACC 3.2.1
Tech                     67.9%
Healthcare               42.1%
Other                    26.7%
Financial services       22.4%
Manufacturing            20.4%
Retail & Hospitality     16.2%
Government               16.0%

Page 14

Component family tree

Apache Commons Collections 3.2.1 (1290)

Apache Commons BeanUtils (1348)

Spring Web (1779)

Spring Framework (501)

...

Core Hibernate ORM Functionality (1185)

Spring TestContext Framework (3007)

Spring Web MVC (1314)

...

Apache Commons Configuration (803)

Hadoop Core (399)

SonarQube Plugin API (262)

...

Apache Velocity (748)

Spring Context Support (916)

SnakeYAML (519)

...

Page 15

Not just in Open Source

Page 16

Addressing component risk

Page 17

Addressing component risks in the SDLC

1 Policy first

2 Build an inventory

3 Developer education

4 Integrate testing

Page 18

Policy

Page 19

Build an inventory

Page 20

Developer education

Page 21

Developer education

Page 22

Integrate

Page 23

No free lunch

Page 24

THANK YOU

Twitter: @tojarrett

State of Software Security: https://www.veracode.com/soss