April 27, 2024

BSides Seattle, April 27, 2024

The Deepfactor team is looking forward to the show on Saturday, April 27. If you would like to meet with us, you can schedule a meeting here.

Stop by our booth to enter to win a prize, and catch our CTO, Mike Larkin, who will be speaking on two topics:

TOPIC 1: 101 Things Your Application is Doing Without Your Knowledge

Abstract:
Every time you bring code you didn’t write into your application, you’re possibly introducing behavior you weren’t expecting. Even using well-known and battle-tested dependency libraries, your application might be opening files and making network connections without your knowledge. Come hear about some crazy hidden things we’ve seen applications doing, and how you can learn what yours are doing as well.

Overview:
The days of a company writing every single line of code in an application are over. Developers frequently bring in dependency modules to fulfill non-core business tasks; for example, why write a logging subsystem from scratch when you can choose from a hundred or more drop-in implementations? Importing third-party modules comes with risk, however. How many teams take the time to review each imported module for security risks? How many teams take the time to verify that the module is even functionally correct?

Analyzing a dependency’s behavior by monitoring what the application does at runtime can reveal things you may not realize are occurring. For example, we’ve witnessed a popular dashboarding/graphing component connecting to over 40 IP addresses at startup, and yet nothing in the application’s documentation mentions this behavior. We’ve also seen dependencies performing recursive readdir() operations across the entire filesystem at startup. Why would applications need to do this?

This talk will cover some of the crazy things we’ve seen applications doing and how we came to be aware they were doing these things. We’ll talk about tools you can use to learn what your applications are doing behind the scenes, too.

Learnings:
At the end of this talk, the audience will have a better understanding of the types of “hidden” behavior that applications commonly exhibit, how to discover which of these behaviors are present, and how to find the module/dependency causing the behavior.
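The behaviors described above (unexpected outbound connections, a dependency enumerating the whole filesystem at startup) leave a footprint in a plain system-call trace. The following is an added example, not code from the talk or from Deepfactor: it parses a constructed `strace -f` style trace, attributes `connect()` endpoints and `openat()`/`getdents64()` activity to each PID, and flags the two patterns the overview mentions. The trace lines, PIDs, addresses and paths are invented; the `max_endpoints` threshold is an assumption you would tune for your own application.

```python
import re
from collections import defaultdict

# Constructed sample of `strace -f` output (syscall lines prefixed with a PID).
# It is invented for this example and was not captured from any real application.
SAMPLE_TRACE = """\
4711  openat(AT_FDCWD, "/app/config.yaml", O_RDONLY|O_CLOEXEC) = 3
4711  connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
4711  connect(6, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.11")}, 16) = 0
4711  connect(7, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
4712  openat(AT_FDCWD, "/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 8
4712  getdents64(8, 0x55d1c0, 32768) = 1024
4712  openat(AT_FDCWD, "/home", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 9
4712  getdents64(9, 0x55d1c0, 32768) = 512
4712  openat(AT_FDCWD, "/home/deploy", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 10
4712  getdents64(10, 0x55d1c0, 32768) = 256
4712  openat(AT_FDCWD, "/nonexistent", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
"""

# "<pid>  <syscall>(<args>) = <return value>"; the greedy args group backtracks to the
# last ")" that is followed by "= <number>", so nested parentheses in args are fine.
PID_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")
CONNECT_RE = re.compile(r'sin_port=htons\((\d+)\).*?inet_addr\("([\d.]+)"\)')
OPENAT_RE = re.compile(r'^AT_FDCWD, "(?P<path>[^"]*)", (?P<flags>[A-Z_|]+)')


def summarize_trace(text):
    """Aggregate per-PID network endpoints, files opened and directories enumerated."""
    per_pid = defaultdict(lambda: {"endpoints": set(), "files": set(), "dirs": set()})
    dir_fds = {}  # (pid, fd) -> directory path, so getdents64 calls can be attributed to a path
    for line in text.splitlines():
        m = PID_RE.match(line)
        if not m:
            continue  # signal, exit and unfinished/resumed lines are ignored in this example
        pid, call, args, ret = m["pid"], m["call"], m["args"], int(m["ret"])
        if call == "connect":
            c = CONNECT_RE.search(args)
            if c:
                per_pid[pid]["endpoints"].add((c.group(2), int(c.group(1))))
        elif call == "openat" and ret >= 0:  # a failed open returns -1 and yields no fd to track
            o = OPENAT_RE.match(args)
            if not o:
                continue
            if "O_DIRECTORY" in o["flags"].split("|"):
                dir_fds[(pid, ret)] = o["path"]  # ret is the new file descriptor
            else:
                per_pid[pid]["files"].add(o["path"])
        elif call == "getdents64":  # readdir() in libc is implemented on top of getdents64
            fd = int(args.split(",")[0])
            path = dir_fds.get((pid, fd))
            if path is not None:
                per_pid[pid]["dirs"].add(path)
    return dict(per_pid)


def findings(summary, max_endpoints=5):
    """Turn the per-PID summary into observations worth raising with a dependency's maintainers."""
    notes = []
    for pid, s in sorted(summary.items()):
        if len(s["endpoints"]) > max_endpoints:
            notes.append(f"pid {pid}: connects to {len(s['endpoints'])} distinct endpoints")
        if "/" in s["dirs"]:
            notes.append(f"pid {pid}: enumerates directories starting at the filesystem root "
                         f"({len(s['dirs'])} directories read)")
    return notes


if __name__ == "__main__":
    summary = summarize_trace(SAMPLE_TRACE)
    for pid, s in sorted(summary.items()):
        print(pid, s)
    for note in findings(summary, max_endpoints=1):
        print(note)
```

On a real application you would feed it the output of `strace -f -o trace.txt <command>`; the per-PID grouping is what lets you tie an unexpected endpoint or directory walk back to the worker or helper process that a particular dependency spawned.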


TOPIC 2: No More Holiday Rush! Use Risk-Based AppSec Vulnerability Prioritization!

Abstract:
Scenario: The newest zero-day, Log5j, has hit and it’s a holiday weekend. A mad scramble ensues, with long hours and ruined celebrations, to quickly determine whether this vulnerability exists in your environment and presents a risk to your business. You run a static code/container scan that surfaces over 200 vulnerable artifacts that could be affected, but time constraints and limited developer resources demand a strategic focus on identifying and addressing the most critical instances of this zero-day vulnerability.

In this session, we will outline how AppSec teams can swiftly pinpoint and prioritize those vulnerabilities requiring immediate attention. The key is to understand which occurrences of the vulnerability pose the highest risk: those that are not only severe, but reachable and used at runtime, and exploitable. By adopting this targeted prioritization strategy, teams can avoid the overwhelming task of addressing over 200 potential vulnerabilities, narrowing their focus to a more manageable number. Kiran will include a demonstration of a typical SCA static container scan of a sample open-source test application that returns a large number of possible vulnerabilities. Then, by combining static container scan data with runtime reachability analysis of the application, those results are narrowed down by up to 90%, to the ones that represent true risk to the business, based on reachability, runtime usage, deployment context and exploit maturity.

Learnings:

  • Understand the limitations of current code and container scanning tools and approaches
  • Learn about a new approach to vulnerability prioritization that focuses on those that are not only severe, but also reachable and used at runtime, and exploitable
  • See how narrowing down a large quantity of vulnerabilities by up to 90% allows limited resources to focus first on those vulnerabilities that present the greatest risk to the business
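The prioritization the session describes combines four signals: static severity, whether the affected package is reachable (loaded) at runtime, whether it is actually used, and exploit maturity, with deployment context as a modifier. The following is an added illustration of that idea, not the speaker's demo and not Deepfactor's scoring: the findings, package names, identifiers (`VULN-000x`, not real advisory numbers), weights and tier thresholds are all constructed for this example.

```python
from dataclasses import dataclass

# Weights and thresholds below are assumptions chosen for this example,
# not a published scoring scheme.
EXPLOIT_WEIGHT = {"none": 0.5, "poc": 1.0, "weaponized": 1.5}


@dataclass(frozen=True)
class Finding:
    id: str                 # constructed identifier, not a real advisory number
    package: str            # dependency the static scan matched
    cvss: float             # severity as reported by the static scan
    exploit_maturity: str   # "none", "poc" or "weaponized"


@dataclass(frozen=True)
class RuntimeContext:
    loaded: frozenset       # packages actually loaded into the running process (reachable)
    executed: frozenset     # packages whose code ran while the app was exercised (used)
    internet_facing: bool   # deployment context


# Constructed static scan result: seven findings across a sample application's dependencies.
STATIC_SCAN = [
    Finding("VULN-0001", "logging-lib", 10.0, "weaponized"),
    Finding("VULN-0002", "xml-parser", 9.8, "poc"),
    Finding("VULN-0003", "image-lib", 7.5, "none"),
    Finding("VULN-0004", "build-tool", 9.1, "weaponized"),   # present in the image, build-time only
    Finding("VULN-0005", "http-client", 8.2, "poc"),
    Finding("VULN-0006", "test-framework", 5.0, "none"),
    Finding("VULN-0007", "template-engine", 7.2, "weaponized"),
]

# Constructed runtime observation of the same application under test traffic.
CONTEXT = RuntimeContext(
    loaded=frozenset({"logging-lib", "xml-parser", "http-client", "template-engine"}),
    executed=frozenset({"logging-lib", "http-client"}),
    internet_facing=True,
)


def risk_score(f, ctx):
    """Severity adjusted by exploit maturity, reachability, runtime use and exposure."""
    score = f.cvss * EXPLOIT_WEIGHT[f.exploit_maturity]
    if f.package not in ctx.loaded:
        return round(score * 0.1, 2)  # shipped but never loaded: reachable only in theory
    if f.package in ctx.executed:
        score *= 1.5
    if ctx.internet_facing:
        score *= 1.2
    return round(score, 2)


def tier(f, ctx):
    """'immediate' needs all of: severe, reachable, used at runtime, and exploitable."""
    reachable = f.package in ctx.loaded
    used = f.package in ctx.executed
    exploitable = f.exploit_maturity != "none"
    if reachable and used and exploitable and f.cvss >= 7.0:
        return "immediate"
    if reachable:
        return "next"
    return "backlog"


def triage(findings, ctx):
    """Bucket findings by tier, each bucket ordered by descending risk score."""
    buckets = {"immediate": [], "next": [], "backlog": []}
    for f in sorted(findings, key=lambda f: risk_score(f, ctx), reverse=True):
        buckets[tier(f, ctx)].append(f.id)
    return buckets


def reduction_pct(buckets, total):
    """Share of static findings that drop out of the immediate-attention list."""
    return round(100.0 * (total - len(buckets["immediate"])) / total, 1)


if __name__ == "__main__":
    result = triage(STATIC_SCAN, CONTEXT)
    for name, ids in result.items():
        print(f"{name:9s} {ids}")
    print(f"{reduction_pct(result, len(STATIC_SCAN))}% of findings deferred from immediate work")
```

Here the static scan's seven findings collapse to two that need the holiday-weekend response; the build-time tool with a weaponized exploit still lands in the backlog because it never loads into the running service, which is exactly the kind of distinction a static scan alone cannot make.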

Subscribe to our monthly eNewsletter and stay up-to-date on everything Deepfactor has to offer!