Episode 260 with Darren Meyer

Dependency Management

Before we get into the episode breakdown this week, we wanted to highlight next week’s Practical Secure Code Review virtual training session. This course digs deeper into the use of Generative AI/LLMs for enhancing the code review process. If you have been looking for an opportunity to enhance your code review skills, now is the time. Register at https://training.redpointsecurity.com/.

This week, on episode #260 of Absolute AppSec, Ken (@cktricky) and Seth (@sethlaw) are joined by Darren Meyer from Endor Labs for an in-depth look at Endor’s new 2024 Dependency Management Report. Darren has over 20 years of experience in the AppSec space, starting as a software developer before transitioning into security. Since then, Darren has worn many hats: security researcher, team lead, and advocate for better vulnerability management practices. His passion lies in socio-technical systems— a blend of the human and technical factors in security— and his current work at Endor Labs focuses on building innovative solutions for software composition analysis (SCA). Darren is drawn to projects that merge technical problem-solving with a commitment to the broader security community. You can see the whole episode at https://www.youtube.com/watch?v=fAgVLXxOl3U

The 2024 Dependency Management Report, authored by Darren and his colleagues at Endor Labs, dives into the challenges of handling third-party dependencies, the open-source libraries and components that form the backbone of most modern software applications. With the proliferation of open-source software, managing these dependencies has become a significant part of ensuring software security and stability. The report analyzes both open-source trends and customer data, providing a blend of theoretical and practical perspectives on the state of dependency management. As Darren explains, software development today relies heavily on open-source components, which often make up 70-90% of an application's codebase. These dependencies pose particular challenges for vulnerability management: the growing complexity of the software ecosystem makes it difficult for developers and security teams to pick the real risks out of a flood of security alerts. When that flood causes developers to neglect critical fixes along with the noise, new strategies are needed. The report dispels the common misconception that simply running an SCA tool is enough to secure an application; instead, understanding the context of each vulnerability, how the affected code is used in the application and whether it is reachable, is what makes risk assessment accurate.

“Why would you spend time working on stuff that we can prove [has no] path to exploit?”

Darren

Darren advocates for a shift in focus from raw vulnerability data to contextualized vulnerability management. In this model, rather than treating every vulnerability as a critical issue, the focus is on how each vulnerability actually affects a given application. This approach combines two key ideas: reachability analysis and risk-based prioritization. Many vulnerabilities live in dependency code that the application never calls. Tools like Endor Labs' perform static analysis to determine whether the vulnerable code is reachable from the application's own code, so that developers focus on vulnerabilities that pose exploitable risk. From there, instead of relying on a generic scoring system like CVSS, whose base score measures severity in the abstract and so often over- or understates the risk to a particular deployment, contextualized SCA tools prioritize vulnerabilities based on the organization's specific environment and risk tolerance. For example, if a vulnerability is buried in a third-party library but doesn't affect any functionality your application uses, it does not need immediate attention, whereas a critical vulnerability in a widely used function requires immediate remediation. In the past, teams became overwhelmed trying to fix every vulnerability flagged by SCA tools; with contextualized vulnerability management, organizations can shift from "fix everything" to "fix what's actually important."

“You get 1,000 applications or 1,500 applications, and now you have 30,000 alerts, and you’re sending a report to developers, and they look at and go, trash can, right? And then nothing gets fixed […], and you’re not meeting your compliance objectives […] because you’re trying to either fix the world or fix nothing. What a good SCA does is really help you make good decisions about managing vulnerabilities based on what your organization’s risk tolerance is.” 

Darren

According to Darren, the future of SCA lies in smarter tools that combine breadth (scanning all dependencies) with depth (understanding how those dependencies are actually used). Endor Labs, for instance, doesn't just identify vulnerabilities but also reports which parts of the code are affected and how difficult the fix would be. This matters for modern software development, where dependency updates and patches can introduce breaking changes. One of the tools used is a call graph, a static-analysis map of how first-party code calls into third-party libraries. Darren's team also goes beyond simple version bumps by back-porting patches, allowing developers to fix vulnerabilities in older versions of dependencies without taking on the breaking changes that a major version upgrade can bring. This continuing movement within the SCA space is producing tools that aim to integrate seamlessly into the DevSecOps pipeline, helping developers catch and fix vulnerabilities earlier in the development lifecycle.
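To make the call-graph reachability idea from the two paragraphs above concrete, here is a small worked example written for this post. It is not Endor Labs' code or a description of how their analysis works. It parses a constructed first-party module with Python's standard ast module, builds a call graph of which functions call which, walks that graph from the entrypoint main(), and then ranks two advisories so that the reachable one sorts ahead of the higher-CVSS unreachable one. The library name vulnlib, the advisory identifiers and the scores are all invented for the example.

```python
"""Toy reachability analysis over a call graph built with the ast module."""
import ast
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed first-party module. "vulnlib" is a hypothetical third-party library;
# only one of its two functions is on a call path from the entrypoint main().
APP_SOURCE = '''
import vulnlib

def handle_upload(data):
    return vulnlib.parse_archive(data)

def legacy_export(rows):
    # dead code: nothing reachable from main() calls this
    return vulnlib.render_template(rows)

def main(request):
    body = request.get("body", b"")
    return handle_upload(body)
'''

# Constructed advisories keyed by the vulnerable library function.
# Identifiers and scores are invented for the example, not real CVEs.
ADVISORIES = {
    "vulnlib.render_template": {"id": "ADV-EXAMPLE-1", "cvss": 9.8},
    "vulnlib.parse_archive": {"id": "ADV-EXAMPLE-2", "cvss": 6.5},
}


def _callee_name(call: ast.Call) -> Optional[str]:
    """Return 'f' for f(...) or 'a.b.c' for a.b.c(...); None for anything fancier."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    parts: List[str] = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if parts and isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def build_call_graph(source: str) -> Dict[str, Set[str]]:
    """Map each module-level function to the set of callee names inside it."""
    graph: Dict[str, Set[str]] = {}
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            graph[node.name] = {
                name
                for sub in ast.walk(node)
                if isinstance(sub, ast.Call)
                for name in [_callee_name(sub)]
                if name is not None
            }
    return graph


def reachable_from(graph: Dict[str, Set[str]], entrypoints: List[str]) -> Set[str]:
    """Breadth-first walk over the call graph starting at the entrypoints."""
    seen: Set[str] = set()
    queue = deque(entrypoints)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        # Library functions are leaves here: we have no edges for their bodies.
        queue.extend(graph.get(fn, set()))
    return seen


def prioritize(graph: Dict[str, Set[str]], entrypoints: List[str],
               advisories: Dict[str, dict]) -> List[dict]:
    """Rank advisories: reachable ones first, then by CVSS within each group."""
    reached = reachable_from(graph, entrypoints)
    findings = [
        {"function": fn, "id": adv["id"], "cvss": adv["cvss"], "reachable": fn in reached}
        for fn, adv in advisories.items()
    ]
    findings.sort(key=lambda f: (not f["reachable"], -f["cvss"]))
    return findings


if __name__ == "__main__":
    for f in prioritize(build_call_graph(APP_SOURCE), ["main"], ADVISORIES):
        label = "FIX NOW" if f["reachable"] else "backlog"
        print(f"{label}  {f['id']}  CVSS {f['cvss']}  {f['function']}")
```

Two caveats a practitioner would want stated. First, this only follows calls in the first-party code; a real analyzer must also follow calls inside the dependency, from the API the application invokes down to the function the advisory actually names, and across transitive dependencies. Second, a syntactic walk like this misses dynamic dispatch, reflection, callbacks passed as values and import aliases, so "unreachable" from a tool at this level is a prioritization signal, not proof of safety.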

This episode is sponsored by Cloud Security Partners - your partner in dealing with modern risk. Cloud Security Partners works with customers to ensure that their cloud solutions are architected with security in mind. Talk to them today and mention Absolute AppSec for a complimentary cloud maturity review. While you're at it, check out their podcasts: Cocktails and Cloud and Relating to DevSecOps.

Be sure to catch this interview and discussion on your preferred platform, and support the podcast by repping some merch, such as the featured Crocs & Socks t-shirt. While you are at it, join us in Slack.

Stay Secure,

Seth & Ken

https://youtu.be/wH4Ss5Ou5XI - Episode #135 - GoSDL, Language Choice, Kenna, Dependency Confusion - Discussion on dependency confusion attacks, clarifications that are relevant to the discussion with Darren.

https://youtu.be/xPFyDdTFEN0 - Episode #123 - Client-Side Controls, Dependency Confusion - More dependency analysis, this time related to client-side JavaScript.

https://youtu.be/EQ9cZFyJ_xA - Episode #65 - Adam Baldwin, 3rd Party Dependencies and Supply Chain Security - Adam Baldwin of Node Security Project fame talks through his experience.

Absolute AppSec Happenings

https://www.cloudsek.com/blog/unmasking-the-danger-lumma-stealer-malware-exploits-fake-captcha-pages - Fake Google CAPTCHA pages used to trick victims into executing PowerShell scripts as part of the Lumma Stealer malware-as-a-service campaign.

https://blog.includesecurity.com/2024/09/vulnerabilities-in-open-source-c2-frameworks/ - In Slack, Erik Cabetas of Include Security makes the (well yes, we knew that) bold statement that security software is just as insecure as non-security software. Specifically, open-source C2 frameworks have weaknesses. A fair reflection of most security tooling that comes from a community where the main developers are not software engineers.

https://aws.amazon.com/blogs/security/new-whitepaper-available-building-security-from-the-ground-up-with-secure-by-design - Whitepaper using Secure by Design to build a security program. Previous podcast host and SANS instructor Eric Johnson is one of the authors on this resource.

Upcoming Events

Where in the world are Seth & Ken? Some of these are training courses, speaking engagements, or just conferences we will be attending. Join Slack for more info.

September 26-27, 2024 - OWASP Global AppSec San Francisco - San Francisco, CA

October 2-3, 2024 - Practical Secure Code Review - AI Enhanced - Virtual Training

October 22-25, 2024 - SaintCon - Provo, UT - Seth will be helping run the AppSec Community