New vulnerabilities in jackson-databind

The jackson-databind saga continues and today 4 new vulnerabilities have made their way into the NVD database. Still not “officially” confirmed, they are there to stay, as you can probably guess looking at the project bug report:

  • CVE-2018-14718: remote code execution via slf4j-ext
  • CVE-2018-14719: remote code execution via blaze-ds-opt
  • CVE-2018-14720: exfiltration/XXE with only JDK classes (some JDK versions)
  • CVE-2018-14721: exfiltration/SSRF with axis2-jaxws

Things are becoming quite tricky as the project is trying to keep up with four different main codebases (2.6.x, 2.7.x, 2.8.x, 2.9.x) plus the new development in progress. This is all about the ability to use the deserialisation mechanism of Jackson in order to perform mischiefs using, in a very creative way, some standard classes (see an example exploit documented a while ago on my personal blog) and all due to a blacklisting mechanism that continues to require updates.

You can also read a full account of the problem here, but for the time being, I would suggest using Gson instead, at least until a 3.x version of Jackson is out.

New vulnerabilities in jackson-databind

Meterian is part of Cylon cohort 8!

We are excited to announce that CyLon, a London based cybersecurity accelerator, and seed investment programme, selected Meterian as part of cohort 8! CyLon has already successfully accelerated 59 companies across hubs in London and Singapore since its launch in April 2015 and has a portfolio of international companies now valued at more than £200m.

We will be part of a selected group of startups covering a mix of security areas. We are joining CyLon for three months and we will receive an intensive programme of training and workshops delivered by industry specialists and experienced entrepreneurs, all in associations with CyLon’s unrivaled network of investors, buyers, and mentors across EMEA and the US.

On top of that, we will also have access to a fully-furnished office space, and for the next three months, we are looking forward to meeting you here at CyLon: please do not hesitate to book a meeting, we will be happy to share a proper coffee together!

 

 

Meterian is part of Cylon cohort 8!

SAST, DAST, RASP, IAST explained

If you are working in application security you certainly heard one or more of these terms, but what’s the real meaning behind the acronym? In this article, I will try to clarify this tongue twister list.

SAST: Static Application Security Testing

This family groups all the technologies dedicate to test the security of code at rest and will try to detect possible security issues, based on some strategies or policies.

This category can be further divided into three others:

  • SCA – Static Code Analyzers
    They scan the code, in source or binary format, looking for patterns that can lead to security issues, they can also enforce guidelines and policies. There’s a lot of choice of tools in this area, but I think you should always include Error Prone, praised by Doug Lea.
  • SDA – Static Dependency Analyzers (also known as SCAN)
    They scan the external component pulled along your code build looking for known vulnerabilities that can potentially expose the code to exploits later. It’s worth mentioning here that on average 80% of the code you ship it’s not your code but is somebody else’s code! Meterian, our host here, is, in fact, a SAST/SDA tool.
  • SIS – Sensitive Information Scanners
    They scan the repositories where the code is stored in search of sensitive information inadvertently stored in them that can subsequently be leaked. It might sound a trivial thing to check, but it’s just good security hygiene to have one of such scanners in place. The effective to use greatly depend on your SDLC process, but I would strongly suggest using one of them, such as for example GitLeaks.

DAST: Dynamic Application Security Testing

This family groups tools used to test an application in an operating state (but not in production) using automated black box testing. They also frequently include specific security tests where the system tries to feed the application with malign data to simulate common patterns of attack. They interact with exposed interfaces such as APIs, network protocols, web pages. One opensource incarnation of such system is the Ebay DAST Proxy, released to the opensource community in late 2016.

RASP: Run-time Application Self-Protection

This is a very interesting category of tools where an agent is embedded into the application so that it protects the system at runtime and it’s typically deployed directly in production. The most common scenario sees the RASP agent “melted” with the application code through code instrumentation so that it can directly analyze the application behavior, providing active protection. A RASP, after detecting and blocking the attack, can shut down a user session, stop executing the application, and sometimes it also offers the ability to deploy code fixes at runtime. It also provides detailed reports that can be fed to monitoring systems. Baidu, the Chinese multinational technology company specializing in Internet-related services and product, is actively maintaining OpenRASP, an opensource RASP solution that works on Java and PHP web platforms.

IAST: Interactive Application Security Testing

These family of tools usually combine the RASP and DAST approaches: when testing an agent is embedded in the application while the test system executes attacks. This is a fully automated process so that it can be embedded in a continuous delivery system and ensure that a certain level of checking is done at frequently, even at every release, and with no human intervention.

Conclusions

What shall we do? As repeated endlessly again and again in the literature, you will need a complete approach to security testing, so considering using any of these tools is a step in the right direction. As we saw, there’re also opensource solutions available, so we do not really have any excuse to avoid putting this together.

 

 

 

SAST, DAST, RASP, IAST explained