Hello and welcome to the Cybrary Secure Coding course. My name is Sonny Wear, and this is OWASP Top 10 for 2013,
A9, Using Components with Known Vulnerabilities:
mitigations, countermeasures and defenses.
Now, for our defenses overview,
we talked about two areas where third-party software can come into play. There are commercial vendor products,
and then open source software. So with commercial vendor products,
most of the major vendors, including IBM, Google and Oracle, usually have a formal security bulletin, and you can sign up for these notifications.
They also perform the workflow for submitting CVE and CVSS information to the National Vulnerability Database. Now, in regards to open source software,
you can search against the Open Source Vulnerability Database. The groups that write and maintain OSS will also submit CVE or CVSS information to the National Vulnerability Database. Or it could be that security researchers will
provide this information.
Sometimes they have notification sign-ups. You would just have to check with the specific OSS vendor to determine if they do or not.
Now, a solution that could mitigate risk for either commercial or open source software is an automated notification.
This is available through a product called Black Duck, and I'm providing the URL there.
What you have to do in order to use Black Duck is to first gather an inventory
of all of the components, libraries and modules that you are currently using within your application. What Black Duck provides is a central repository to then load that information into Black Duck so that it can then automate searches against
the National Vulnerability Database and basically find the CVE and CVSS information.
Now, a little bit more about the Black Duck Code Center. This is that central repository that I mentioned.
Once you load your inventory, what it will do is actually create
a visual chart for you of the top 20 components that are used in your applications.
This is represented visually, and it's to help development managers and development teams to see where they need to focus their attention as far as patching and upgrading of their jar files or modules.
So realize also that in this Code Center you're going to have a listing of all of your applications.
Now, this is your in-house software,
and it'll have the current releases and versions of those applications. I do wanna caution you, though: there are some limits and caveats to using the product. It's not going to apply the patches or do the upgrades for you. It's only going to automate the process of searching for this information and notify you.
It'll be up to your development team to actually download the proper jar file or module or library
and then apply it into your application bundle.
The other caveat is you're going to need to write some sort of automation script to continuously look in your inventory to make sure that new libraries are not introduced that haven't been placed into Black Duck.
So commonly, developers, particularly on big development teams,
have maybe an offshore developer that adds in a new library or a new jar file,
and so that could become a blind spot. And so you're gonna need to automate that process of ensuring that your inventory is current.
Now we're gonna move to the lab portion of our module.
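One way to close the inventory blind spot described above, as an added example that is not part of the course or of Black Duck: a Python script that scans an application bundle for jar files and diffs what it finds against the inventory already registered in the scanning tool, flagging unregistered artifacts and version changes. The Maven-style file naming (artifact-version.jar), the registered-inventory format and the sample jars are assumptions constructed for this example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Maven-style file names such as commons-io-2.4.jar (an assumed naming convention).
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.\-]*)\.jar$")


def parse_jar_name(filename):
    """Split 'artifact-version.jar' into (artifact, version); version is None when absent."""
    m = JAR_NAME.match(filename)
    if m:
        return m.group("artifact"), m.group("version")
    return (filename[:-4] if filename.endswith(".jar") else filename), None


def sha256_of(path):
    """Hash the file so a re-packaged jar with an unchanged name can still be traced."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bundle(bundle_dir):
    """Return {artifact: (version, sha256)} for every jar found under bundle_dir."""
    inventory = {}
    for jar in sorted(Path(bundle_dir).rglob("*.jar")):
        artifact, version = parse_jar_name(jar.name)
        inventory[artifact] = (version, sha256_of(jar))
    return inventory


def find_drift(current, registered):
    """Compare the scanned bundle with the {artifact: version} inventory already loaded
    into the scanning tool; anything 'unregistered' is the blind spot the lecture warns about."""
    return {
        "unregistered": sorted(a for a in current if a not in registered),
        "version_changed": sorted(a for a in current if a in registered
                                  and current[a][0] != registered[a]),
        "removed": sorted(a for a in registered if a not in current),
    }


def demo():
    """Constructed sample: three jars on disk, only two of them known to the tool."""
    registered = {"commons-io": "2.4", "joda-time": "2.2"}  # assumed registered inventory
    with tempfile.TemporaryDirectory() as d:
        for name in ("commons-io-2.4.jar", "joda-time-2.3.jar", "guava-18.0.jar"):
            Path(d, name).write_bytes(b"PK\x03\x04 placeholder jar " + name.encode())
        return find_drift(scan_bundle(d), registered)
```

Run `demo()` from a scheduled job (or a CI step) and treat a non-empty `unregistered` list as a failure, so a newly added jar is registered before the next vulnerability search runs.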