Time
9 hours 31 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Description

This lesson starts out with an overview of defenses, which can include:

- Commercial vendor products
- Open source software
- Automated notification for both commercial and OSS

Video Transcription

00:04
Hello and welcome to the Cybrary Secure Coding course. My name is Sunny Wear, and this is OWASP Top 10 for 2013,
00:13
A9, Using Components with Known Vulnerabilities:
00:17
mitigations, countermeasures, and defenses.
00:20
Now, for our defenses overview,
00:23
we talked about two areas where third party software can come into play. There is commercial vendor products
00:32
and then open source software. So with commercial vendor products,
00:38
most of the major vendors, including IBM, Google, Oracle, usually have a formal security bulletin and you can sign up for these notifications.
00:51
They also perform the workflow for submitting CVE and CVSS information to the National Vulnerability Database. Now, in regards to open source software,
01:03
you can search against the Open Source Vulnerability Database. The groups that write and maintain OSS also will submit CVE or CVSS information to the National Vulnerability Database. Or it could be that security researchers will
01:23
provide this information
01:25
for them.
01:26
Sometimes they have notification sign-ups. You would just have to check with the specific OSS vendor to determine if they do or not.
01:38
Now, a solution that could mitigate risk for either commercial or open source software is an automated notification.
01:49
Now, this is available through a product called Black Duck, and I'm providing the URL there.
01:57
What you have to do in order to use Black Duck is to first gather an inventory
02:02
of all of the components, libraries, and modules that you currently are using within your application. What Black Duck provides is a central repository to then load that information into Black Duck so that it can then automate searches against
02:21
the National Vulnerability Database and basically find the CVE and CVSS information.
02:27
Now, a little bit more about the Black Duck Code Center. This is that central repository that I mentioned.
02:35
Once you load your inventory, what it will do is actually create
02:39
a visual chart for you of the top 20 components that are used in your applications.
02:46
This is represented visually, and it's to help development managers and development teams to see where they need to focus their attention as far as patching and upgrading of their jar files or modules.
03:02
So realize also that in this Code Center, you're going to have a listing of all of your applications.
03:08
Now this is your in house software,
03:12
and it'll have the current releases and versions of those applications. I do want to caution you, though: there are some limits and caveats to using the product. It's not going to apply the patches or do the upgrades for you. It's only going to automate the process of searching for this information and notify you.
03:32
It'll be up to your development team to actually download the proper jar file or module or library
03:42
and then apply it into your application bundle.
03:46
The other caveat is you're going to need to write some sort of automation script to continuously look in your inventory to make sure that new libraries are not introduced that haven't been placed into Black Duck.
04:02
So commonly developers, particularly on big development teams,
04:08
will
04:09
have maybe an offshore developer that adds in a new library or a new jar file,
04:15
and so that could become a blind spot. And so you're gonna need to automate that process of ensuring that your inventory is current.
04:23
Now we're going to move to the lab portion of our module.

Instructed By

Sunny Wear
Instructor