This document discusses the OWASP Dependency-Check tool. It begins with the presenter's background and experience before summarizing the OWASP Foundation, the most common types of vulnerabilities according to the OWASP Top 10, and several OWASP projects including Dependency-Check. It then provides more details on how Dependency-Check works and demonstrates its use through a Maven plugin. Finally, it lists several useful links for learning more about OWASP and how to prevent common vulnerability types.
2. My experience
- I started with machine code and punched cards. I used to write in
Assembler, then in C and Pascal, C++, Delphi, C#, JavaScript, and
some other scripting languages. Now I mostly write in Java, and I'm
pretty much happy with that.
- DOS (it was wonderful to have the 21h interrupt), OS/2, QNX,
Windows (my favorite so far), Linux (and Yocto as well), MacOS/iOS.
- I studied at university but I still haven't defended my thesis (and I'm
not planning on doing this anytime soon). I keep learning new things
during my work.
- I was writing, designing, engineering, managing and solving
problems.
- Married, children, cat.
3. HYS Enterprise is a Dutch software development company with more than
200 talented engineers from all over the world.
hys-enterprise.com
4. Agenda
- The OWASP Foundation
- Types of Vulnerabilities
- OWASP Projects
- OWASP Dependency Check
- Live Demo
- Useful Links
5. The OWASP Foundation
The OWASP Foundation came online on December 1st, 2001; it was established
as a not-for-profit charitable organization in the USA.
OWASP is an international organization.
All of the OWASP tools, documents, forums, and chapters are free and open to
anyone interested in improving application security.
www.owasp.org
6. Types of Vulnerabilities
OWASP Top 10 of 2017 (for how to prevent each one, see the Useful Links slide)
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities (XXE) [NEW]
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization [NEW]
Using Components with Known Vulnerabilities
Insufficient Logging & Monitoring [NEW]
7. OWASP Projects
More than 130 subcategories of projects:
https://www.owasp.org/index.php/Category:OWASP_Project
All OWASP tool, documentation, and code library projects are organized into the
following categories:
Flagship Projects: The OWASP Flagship designation is given to projects that have
demonstrated strategic value to OWASP and application security as a whole.
Lab Projects: OWASP Labs projects represent projects that have produced an OWASP reviewed
deliverable of value.
Incubator Projects: OWASP Incubator projects represent the experimental playground where
projects are still being fleshed out, ideas are still being proven, and development is still underway.
8. OWASP Dependency-Check
Dependency-Check is a utility that identifies project dependencies and
checks whether any of them have known, publicly disclosed vulnerabilities.
Currently, Java and .NET are supported; additional experimental support has
been added for Ruby, Node.js, and Python, and limited support for C/C++ build
systems (autoconf and cmake).
The tool can be part of a solution to the OWASP Top 10 (see "Using Components
with Known Vulnerabilities" above).
9. OWASP Dependency-Check - cont.
Start Page: https://www.owasp.org/index.php/OWASP_Dependency_Check#tab=Main
(!) How to use: https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html
In short:
Maven plugin
Configured in the POM file
Can fail the build
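The three points above (Maven plugin, configured in the POM, can fail the build) come together in one pom.xml fragment. The following is an added example written for this summary, not taken from the slides or from the Dependency-Check project's own documentation; the plugin coordinates org.owasp:dependency-check-maven and the parameters failBuildOnCVSS, format and suppressionFiles are real plugin settings, while the version is a placeholder and the suppression file name is an assumption.

```xml
<!-- Added example (not from the slides): OWASP dependency-check-maven wired into a build. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <!-- Placeholder: pin to a current release of the plugin. -->
      <version>X.Y.Z</version>
      <configuration>
        <!-- Fail the build as soon as any dependency carries a CVE with a
             CVSS score of 7.0 or higher (high/critical). Lower this to 0 to
             fail on any finding; omit it to only report. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Produce every report format: HTML for humans, XML/JSON for CI
             tooling that post-processes findings. -->
        <format>ALL</format>
        <!-- Reviewed false positives live in a tracked file so that each
             suppression is visible in code review instead of silently ignored.
             The file name is an assumption for this example. -->
        <suppressionFiles>
          <suppressionFile>dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- "check" scans dependencies and applies failBuildOnCVSS;
                 by default it is bound to the verify phase. -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, `mvn verify` runs the scan, writes the reports under the project's target directory, and exits non-zero when a dependency crosses the CVSS threshold, which is what makes the check enforceable in a CI pipeline rather than advisory. Keeping the threshold in the POM and the suppressions in a versioned file means both the policy and every exception to it go through the same review as the rest of the code.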
11. Useful Links
About OWASP:
#1 https://docs.google.com/presentation/d/10wi1EWFCPZwCpkB6qZaBNN8mR2XfQs8sLxcj9SCsP6c/edit?pref=2&pli=1#slide=id.g1b6b483913_0_0
#2 https://www.owasp.org/index.php/About_The_Open_Web_Application_Security_Project
OWASP Top 10 issues (and how to prevent): https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Projects: https://www.owasp.org/index.php/Category:OWASP_Project
About vulnerabilities: https://blog.sucuri.net/2018/10/owasp-top-10-security-risks-part-i.html