
Celebrity Vulnerabilities: Effective Response to Critical Production Threats


Alyssa Miller, chief information security officer of EpiqGlobal, presented at QCon London on the lessons learned from three major open-source security events: the Equifax breach via Struts, the Log4j vulnerabilities, and the Spring4Shell exploit.

After introducing herself, Miller explained how she became a pilot and plane owner, and what she learned about aviation and about how the aviation community handles a crisis. She pointed out that the FAA's processes map closely onto how we address cybersecurity.

As an example, Miller discussed the Boeing 737 MAX 8 and the problems that led to crashes and to the grounding of the entire fleet. How that problem was found and that crisis handled, together with how an aircraft works, became her metaphor for several well-known, widely exploited vulnerabilities in (predominantly open-source) software: CVE-2017-5638 in Struts; CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 in Log4j; and CVE-2022-22965, CVE-2022-22963 and CVE-2022-22950 in Spring. Finally, she also pointed to the OpenSSL vulnerability.

Regarding celebrity vulnerabilities, Miller states:

When it comes to celebrity vulnerability, we need to avoid the "all hands on deck" approach. Drop all the things you are working on and fix this. Because it is not necessary, it is inefficient and does not make us more secure, and ultimately, as I pointed out, it conditions us for incorrect behavior.

She then described a real process based on her experience with these vulnerabilities, sharing the lessons learned in her organization and how to avoid the all-hands-on-deck response. She continued by explaining the process and comparing it with how processes in aviation work, such as an aircraft's checklists.

To identify vulnerabilities, she mentioned dependency trees. Modern software has dependencies that themselves have dependencies, and so on; together they form a dependency tree. Things can be missed somewhere in those trees, and an open-source dependency buried there is a likely candidate for attack. Fortunately, tools such as Snyk, Black Duck, and WhiteSource (now Mend.io) can help find them.

An action plan, with an understanding of what you will do for each classification (risk, exploit, ease), is essential for mitigation and remediation, which can proceed sequentially or in parallel.
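The two preceding paragraphs describe the identification step (walk the dependency tree and find every path that reaches a vulnerable library) and the planning step (decide, per classification, what to do first). The following Python is an added example written for this article, not code from Miller's talk, InfoQ, or any of the tools named above. The application names, dependency trees and the advisory table are constructed sample data; the Log4j CVE identifiers come from the article, but the fixed-version boundaries are illustrative and should be checked against the vendor advisory before use.

```python
"""Added example: find vulnerable dependency paths, then rank them for remediation.

Not from Miller's talk or InfoQ. All apps, trees and version ranges below are
constructed sample data.
"""
from dataclasses import dataclass

# Constructed advisory table: package -> [(CVE id, first fixed version)].
# The CVE ids appear in the article; the fixed versions are illustrative only.
ADVISORIES = {
    "org.apache.logging.log4j:log4j-core": [
        ("CVE-2021-44228", (2, 15, 0)),
        ("CVE-2021-45046", (2, 16, 0)),
        ("CVE-2021-45105", (2, 17, 0)),
    ],
}


def parse_version(v: str) -> tuple:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically.
    Non-numeric segments (e.g. 'rc1') sort as 0."""
    parts = []
    for segment in v.split("."):
        digits = "".join(ch for ch in segment if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def find_vulnerable_paths(tree: dict, root: str) -> list:
    """Depth-first walk of a tree given as {'name@version': ['child@version', ...]}.
    Returns [(path_from_root, [cve, ...])] for every node whose package has an
    advisory and whose version is below the first fixed version. Cycles are skipped."""
    hits = []

    def walk(node, path, seen):
        if node in seen:
            return
        seen = seen | {node}
        name, _, version = node.rpartition("@")
        cves = [cve for cve, fixed in ADVISORIES.get(name, [])
                if parse_version(version) < fixed]
        if cves:
            hits.append((path + [node], cves))
        for child in tree.get(node, []):
            walk(child, path + [node], seen)

    walk(root, [], frozenset())
    return hits


@dataclass
class Finding:
    app: str
    path: list            # root -> ... -> vulnerable artifact
    cves: list
    internet_facing: bool  # exposure is the 'risk' classification here

    @property
    def transitive(self) -> bool:
        # path of length 2 is root -> direct dependency; anything longer is transitive
        return len(self.path) > 2


def prioritize(findings: list) -> list:
    """Order by risk first (internet-facing), then by ease: a direct dependency is a
    one-line version bump, a transitive one may need an upstream release or an
    override, so it is harder to remediate. Ties broken by number of CVEs."""
    return sorted(findings,
                  key=lambda f: (not f.internet_facing, f.transitive, -len(f.cves)))


def build_plan(apps: dict) -> list:
    """apps: {app_name: (root_node, tree, internet_facing)} -> ordered action plan."""
    findings = []
    for app, (root, tree, exposed) in apps.items():
        for path, cves in find_vulnerable_paths(tree, root):
            findings.append(Finding(app, path, cves, exposed))
    return [{"app": f.app, "path": " -> ".join(f.path), "cves": f.cves,
             "transitive": f.transitive, "internet_facing": f.internet_facing}
            for f in prioritize(findings)]


# Constructed sample inventory: three applications with small dependency trees.
SAMPLE_APPS = {
    "customer-portal": ("customer-portal@1.0", {
        "customer-portal@1.0": ["com.example:web-framework@3.2"],
        "com.example:web-framework@3.2": ["org.apache.logging.log4j:log4j-core@2.14.1"],
    }, True),
    "billing-batch": ("billing-batch@4.1", {
        "billing-batch@4.1": ["org.apache.logging.log4j:log4j-core@2.16.0"],
    }, False),
    "reporting-api": ("reporting-api@2.0", {
        "reporting-api@2.0": ["org.apache.logging.log4j:log4j-core@2.17.1"],
    }, False),
}

if __name__ == "__main__":
    for item in build_plan(SAMPLE_APPS):
        print(item)
```

Run as a script, the plan lists the internet-facing portal first even though its hit is transitive (risk outranks ease), then the internal batch job whose direct dependency is only one version behind, and nothing for the application that is already on a fixed version. The `transitive` flag is what tells the remediation owner whether a simple version bump will do or whether an upstream update or a dependency override is needed.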

Next, she continued by explaining the process of prioritization. She said:

What we talk about in the aviation community: slow down, address it methodically, look at the situation, understand what you are being faced with, prioritize appropriately, and then lay out the plan for how you get to remediation.

Regarding mitigation, Miller points to security solutions such as Akamai, Microsoft Defender for Endpoint, and Cloudflare, which she considers valuable when it comes to celebrity vulnerabilities. The OWASP ModSecurity Core Rule Set is another helpful resource for mitigation. Miller stated:

When we talk about mitigations, we want to block wherever possible. If we block the attack, or we can block access to certain functions, we want to do that. That is the key, that is our best mitigation, and if we cannot do that, then focus on isolation. And then finally, we want to log everything.

Lastly, Miller touched on remediation: fixing the application itself, through code fixes or by replacing vulnerable libraries. She feels it is important to distinguish between what needs to be fixed straight away and what can wait. For the latter, Miller suggests putting those fixes on the backlog, tracking them, and reporting progress back to the business.
