Episode #264 with Jeremy Long

Software Composition Analysis

This week we call back a few weeks to episode #264 of Absolute AppSec, when Seth Law (@sethlaw) and Ken Johnson (@cktricky) were joined by Jeremy Long (@ctxt), Principal Security Engineer at ServiceNow and project founder and lead for OWASP Dependency Check. Together, they discuss improving security systems through dependency analysis and managing industry projects. Watch the full episode at https://www.youtube.com/watch?v=Pkk-1KFtCz0 or listen wherever you get your podcasts.

With over a decade of experience, Jeremy is a prominent figure in application security and software composition analysis (SCA). He developed the OWASP Dependency Check tool while working on a security code review team at Wells Fargo, a product that shaped the SCA industry. Jeremy continues to invest in the broader security community through his work at OWASP and his ongoing effort to improve developer security tooling by creating robust software security processes and improving real-time application protection (RTAP) systems. Although he has shifted towards commercial tooling in recent years, his open-source contributions continue to be used globally by developers and security professionals. 

“As much as you would like to have 100% test coverage,[…] you probably don’t. In those cases, how do you know what you need to patch?”

Jeremy

In the past, manual vulnerability checks involved line-by-line code review, which was both time-consuming and inefficient. With no tools to assist in identifying security flaws, it became nearly impossible to scale the manual approach as software projects grew larger and more complex. The transition to automated solutions allowed much faster identification of vulnerabilities in third-party libraries, meaning developers could integrate security into their workflow and catch vulnerabilities earlier in the cycle. However, blind reliance on automation comes with risks: vulnerabilities sometimes slip through the cracks of automated tools. A balance needs to be struck between automation and manual oversight. While automated systems can take on much of the manual work, security teams now need to focus on strategic initiatives and innovation, prioritizing higher-risk vulnerabilities and developing more advanced security measures.

“[Risks] just get bigger and bigger the more we go into the supply chain. Then it restarts, […] it’s a whole new set of tools that you need to acquire or look at. And it’s just this never-ending problematic set of dependencies from every different piece of tooling you’re now involved in beyond the application.”

Jeremy

Modern software development is burdened with the problem of managing third-party dependencies. Jeremy highlights the difficulties developers face when keeping libraries and frameworks up to date, especially in large-scale applications or monolithic systems. Using outdated libraries, even if they still technically function, introduces significant security risks as they often contain vulnerabilities that can be exploited.

He also touched on the complexities of dealing with transitive dependencies: libraries that are not directly imported by the application but come bundled with other dependencies. These transitive dependencies can introduce vulnerabilities that are hard to track and manage, especially if developers aren’t aware of their presence. A key challenge is that developers may not even use the vulnerable parts of a transitive library, yet they are still required to address the vulnerability to maintain security compliance. Jeremy emphasized the necessity of automated dependency management tools like Renovate, Dependabot, and Greenkeeper, while still encouraging users to understand the potential risks involved.

As the software industry evolves, so do the tools and techniques for managing security vulnerabilities in dependencies. Jeremy shared his thoughts on the future of SCA, pointing to recent advancements in data sources and methodologies that will help organizations better prioritize security efforts. One of the key innovations he mentioned is OSV (Open Source Vulnerabilities), a database that aggregates vulnerability information from multiple sources, including GitHub Security Advisories (GHSA) and the National Vulnerability Database (NVD). Jeremy expressed optimism about OSV’s potential to provide more accurate and comprehensive vulnerability data, which could replace or complement the NVD as a go-to source for security teams. He also mentioned the possibility of the package URL (purl) standard becoming more widely adopted, which would help bridge the gap between how developers and security teams identify and track vulnerabilities in their codebases.

Jeremy also praised the work of the Exploit Prediction Scoring System (EPSS), a project by FIRST.org that uses machine learning to predict the likelihood that a vulnerability will be exploited in the wild. This system helps security teams prioritize which vulnerabilities to patch first, focusing on those most likely to be actively exploited. He noted that tools like EPSS could help developers move away from the overwhelming task of patching every vulnerability indiscriminately and focus on the ones that truly matter. In addition to EPSS, Jeremy pointed to the Known Exploited Vulnerabilities (KEV) Catalog from CISA, which lists vulnerabilities that are confirmed to have been exploited in real-world attacks. While EPSS and KEV may not always correlate due to factors like local versus remote exploitability, both resources are valuable for security teams trying to make informed patching decisions.

Finally, there’s the emerging role of reachability analysis in SCA, which attempts to determine whether vulnerable code in a dependency is actually being invoked in a given application. While this type of analysis is still a resource-intensive and manual process, tools and techniques are being developed to automate and streamline it. Jeremy noted that commercial tools like those from Semgrep and Endor Labs are making strides in this area, but the process is still evolving.
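To make the two ideas above concrete (transitive dependencies that a developer never imported directly, and triage that leans on KEV and EPSS rather than patching everything), here is an added example in Python. It is not code from the episode, from OWASP Dependency Check, or from any of the tools named; every package, purl, CVE identifier, EPSS score and KEV entry in it is a constructed placeholder. It walks a small dependency graph from the application root to find the direct dependency that pulls in each vulnerable package, then orders the findings so that anything in the (placeholder) KEV set comes first and the rest are sorted by EPSS probability.

```python
"""Added example (not from the episode, OWASP Dependency Check, OSV, EPSS or KEV):
an SCA triage pass over a constructed dependency graph and constructed
vulnerability data. Package names, purls, CVE ids, EPSS values and the KEV
set are all placeholders."""
from collections import deque

# Constructed dependency graph keyed by package URL (purl), the identifier
# the recap mentions. "app" is the application itself; its children are the
# direct dependencies, and everything deeper is transitive.
DEP_GRAPH = {
    "app": [
        "pkg:maven/org.example/web-framework@3.1.0",
        "pkg:maven/org.example/json-lib@2.0.0",
    ],
    "pkg:maven/org.example/web-framework@3.1.0": ["pkg:maven/org.example/http-core@1.4.2"],
    "pkg:maven/org.example/http-core@1.4.2": ["pkg:maven/org.example/logging@0.9.1"],
    "pkg:maven/org.example/json-lib@2.0.0": [],
    "pkg:maven/org.example/logging@0.9.1": [],
}

# Constructed vulnerability records keyed by purl (a simplified OSV-like shape).
VULNS = {
    "pkg:maven/org.example/logging@0.9.1": [{"id": "CVE-0000-0001", "epss": 0.93}],
    "pkg:maven/org.example/json-lib@2.0.0": [{"id": "CVE-0000-0002", "epss": 0.04}],
    "pkg:maven/org.example/http-core@1.4.2": [{"id": "CVE-0000-0003", "epss": 0.12}],
}

# Constructed stand-in for the CISA KEV catalog: ids confirmed exploited in the wild.
KEV = {"CVE-0000-0002"}


def dependency_paths(graph, root="app"):
    """Breadth-first walk from the root; returns {purl: path from root to purl}.

    The path answers the question developers usually cannot answer by hand:
    which direct dependency brought this transitive package in?"""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in paths:          # first (shortest) path wins
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def triage(graph, vulns, kev, root="app"):
    """Join vulnerability records to the graph and rank them for patching.

    Ordering policy: known-exploited (KEV) first, then descending EPSS.
    This is one defensible policy, not a rule from either data source."""
    paths = dependency_paths(graph, root)
    findings = []
    for purl, records in vulns.items():
        if purl not in paths:
            continue                        # not part of this application's tree
        path = paths[purl]
        for rec in records:
            findings.append({
                "id": rec["id"],
                "purl": purl,
                "direct": path[1],          # the direct dependency to bump or replace
                "transitive": len(path) > 2,
                "in_kev": rec["id"] in kev,
                "epss": rec["epss"],
            })
    findings.sort(key=lambda f: (not f["in_kev"], -f["epss"]))
    return findings


if __name__ == "__main__":
    for f in triage(DEP_GRAPH, VULNS, KEV):
        kind = "transitive via " + f["direct"] if f["transitive"] else "direct"
        flag = "KEV" if f["in_kev"] else f"EPSS {f['epss']:.2f}"
        print(f"{f['id']}  {flag:9}  {f['purl']}  ({kind})")
```

The printed order puts the low-EPSS but known-exploited finding above the high-EPSS one, which is exactly the tension the recap describes between the two sources; a team that disagrees with that policy changes one sort key. The `direct` field is the practical output: a transitive vulnerability is fixed by upgrading or replacing the direct dependency that carries it, which is the package Renovate or Dependabot would actually bump. Real OSV, EPSS and KEV data have their own schemas, so a production version would map those onto the simple record shape used here.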

This episode is sponsored by Redpoint Security. Redpoint specializes in “Code Security. By Coders,” which is bolstered by years of experience testing applications and conducting code reviews against all types of applications, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.

If you haven’t yet, show your support of Absolute AppSec by visiting the merch store and picking up our limited edition holiday-themed items. Stay spooky! As always, join Seth and Ken in Slack.

Stay Secure,

Seth & Ken

https://youtu.be/4LwH8tN--B0 - Episode #151 - Secure Code Review, Software Interdependency. The duo discusses issues caused by software dependencies, including libraries.

https://youtu.be/4dxfKBaKp2M - Episode #164 - Supply Chain Security, Cyber Attacks, 2FA, AutoWarp. Protecting yourself as a package maintainer within the software supply chain.

https://youtube.com/live/nzNNuerM3pM - Episode #238 - AppSec vs. Enterprise Sec, Supply Chain Tool Analysis. DoyenSec releases research comparing the different supply chain tools, including Dependency Check.

Absolute AppSec Happenings

https://youtu.be/tAQb9i3R0FI - Paul McCarthy (@6mile in Slack) presents a new attack called “Repo Swatting” as further research into attacks against software supply chains. Worth a watch and then jump into the discussion with him.

https://thehackernews.com/2024/11/critical-flaws-in-ollama-ai-framework.html - As much as we all love running local LLMs for code analysis, a reminder that the toolchain for AI frameworks is brittle and prone to security flaws. Make sure you keep Ollama up to date and monitor the entire LLM software supply chain for issues.

https://snyk.io/news/snyk-acquires-developer-first-dast-provider-probely/ - Snyk (along with Semgrep) continues the startup acquisition streak by acquiring Probely. This sort of consolidation is to be expected as the “larger” startups look to improve their coverage and platform. Any bets on who comes out on top?

Upcoming Events

Seth and Ken can be found across the globe and virtually.

November 21-22, 2024 - DeepSec, Vienna, Austria - Seth will be presenting “Modern vs. 0ld 5k00l” where everything old is new again.

December 2-3, 2024 - Harnessing LLMs for Application Security/Generative AI for Software Security - Virtual Training - A newly developed course that focuses on strategies for using more than just the chat interface of an LLM to secure software.