websecurity@lists.webappsec.org

The Web Security Mailing List


3rd party lib patch management for webapps

Krisztián Schäffer
Tue, Nov 6, 2012 8:29 AM

Hi All,

3rd party libs and frameworks are a good source of vulnerabilities in
enterprise webapps, e.g. Struts had multiple code execution vulns this year
which can potentially affect any Struts-based webapp.

The most basic support for patch management I can imagine inside a webapp
is an autoupdate script which downloads the newest bugfix versions of the
used libs, rebuilds the app and runs the automated tests. I have never seen
any webapp with such support, although in the case of Java it is easy to
implement (e.g. using Maven).

My opinion is that the autoupdate ability should be a basic security
requirement for webapps. What do you think about that? Maybe virtual
patching is a better alternative where a WAF is in place?

I am not familiar with patch management tools, so my other question is
whether there is any tool available for 3rd party lib patch management (e.g.
collecting patches, alerting, workflow management etc.).

Thanks,
Krisztián

--
the Cloudbreaker Company
+36-209118542, ko@cloudbreaker.co
place of business: azd.security Kft., Budapest
1146, Ajtósi Dürer sor 19-21, House of Professors bldg, fl 3

This message may contain confidential information - you should handle it
accordingly.
[Hungarian] This message may contain confidential information and should be treated accordingly.

James Manico
Tue, Nov 6, 2012 10:14 AM

Adding autoupdate to web frameworks is a great way to automatically break
major functionality. Any framework update normally mandates regression
testing before a live push. Automated tools are very good at discovering if
a web framework component is out of date. This should alert teams to
"update-test-push" regardless of SDLC methodology.

--
Jim Manico
@Manicode
(808) 652-3805


The Web Security Mailing List

WebSecurity RSS Feed
http://www.webappsec.org/rss/websecurity.rss

Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

WASC on Twitter
http://twitter.com/wascupdates

websecurity@lists.webappsec.org
http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Stephen de Vries
Tue, Nov 6, 2012 10:28 AM

Hi Krisztián,

There are some tools available that will check for vulnerable jars within java apps, e.g.:

https://github.com/gcmurphy/enforce-victims-rule
and
https://github.com/jeremylong/DependencyCheck#readme

I agree with Jim that it's not feasible to auto-update in live.  But what you could do is link one of these tools into a continuous integration tool like Jenkins, and have it do an auto-update, build and run regression tests in a staging or dev environment.  Jenkins will also let you email out alerts based on build steps, so I'd imagine the workflow in Jenkins would be something like:

  • Run dependency checker every hour
  • If update is found, alert security operations
  • update dependency
  • build
  • run tests
  • publish report
  • alert dev/project manager

regards,
Stephen


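As an added example (not code from this thread, and not from either of the tools Stephen links), here is the kind of check those tools perform, written in Ruby so it can sit in a Jenkins step: it parses the output of `mvn dependency:list`, compares each resolved artifact against an advisory list using proper version-range comparison, and returns a non-zero status so the job fails. The advisory entries, the org.example coordinates and the sample plugin output are all constructed for the example; a real job would load the advisories from a maintained database (DependencyCheck matches against the NVD feed, enforce-victims-rule against the victims database). This also answers Krisztián's tooling question for the "alerting" part of the workflow.

```ruby
require "rubygems"   # Gem::Version and Gem::Requirement ship with Ruby

# Constructed advisory data for this example: the coordinates and ranges are
# invented. A real job loads them from a maintained database (DependencyCheck
# matches against the NVD feed, enforce-victims-rule against the victims DB).
ADVISORIES = {
  "org.example:web-framework" => { vulnerable: ["< 2.3.4"],            fixed: "2.3.4" },
  "org.example:json-mapper"   => { vulnerable: [">= 1.0", "< 1.9.2"], fixed: "1.9.2" },
}.freeze

# Constructed sample of `mvn dependency:list` output. Resolved artifacts are
# printed as "[INFO]    groupId:artifactId:type[:classifier]:version:scope".
SAMPLE_OUTPUT = <<~TXT
  [INFO] --- maven-dependency-plugin:2.8:list (default-cli) @ webapp ---
  [INFO]
  [INFO] The following files have been resolved:
  [INFO]    org.example:web-framework:jar:2.3.1:compile
  [INFO]    org.example:json-mapper:jar:1.9.2:compile
  [INFO]    org.example:native-lib:jar:linux-x86_64:1.0.0:runtime
  [INFO]    org.example:test-kit:jar:4.11:test
  [INFO] ------------------------------------------------------------------------
TXT

Dependency = Struct.new(:group, :artifact, :version, :scope) do
  def coordinate
    "#{group}:#{artifact}"
  end
end

Finding = Struct.new(:dependency, :fixed)

# Pull resolved artifacts out of the plugin log. Banner and blank lines do not
# split into 5 or 6 colon-separated fields with a version in the right slot,
# so they fall through.
def parse_dependency_list(text)
  text.each_line.filter_map do |line|
    fields = line.sub(/\A\[INFO\]\s*/, "").strip.split(":")
    next unless fields.size.between?(5, 6)          # 6 when a classifier is present
    version, scope = fields[-2], fields[-1]
    next unless Gem::Version.correct?(version)
    Dependency.new(fields[0], fields[1], version, scope)
  end
end

# Flag each dependency whose version falls inside an advisory's vulnerable
# range. Gem::Requirement compares segment by segment, so 2.3.10 is newer than
# 2.3.4; a plain string compare would get that backwards.
def audit(dependencies, advisories = ADVISORIES)
  dependencies.filter_map do |dep|
    advisory = advisories[dep.coordinate]
    next unless advisory
    range = Gem::Requirement.new(*advisory[:vulnerable])
    next unless range.satisfied_by?(Gem::Version.new(dep.version))
    Finding.new(dep, advisory[:fixed])
  end
end

# One line per finding for the build log or the alert mail.
def report(findings)
  findings.map do |f|
    d = f.dependency
    "#{d.coordinate}:#{d.version} (#{d.scope}) is in a vulnerable range; upgrade to #{f.fixed}"
  end
end

# Exit status for the CI step: non-zero on any finding so the job fails, the
# same effect an enforcer rule such as enforce-victims-rule has on a Maven build.
def audit_exit_code(findings)
  findings.empty? ? 0 : 1
end

if $PROGRAM_NAME == __FILE__
  findings = audit(parse_dependency_list(SAMPLE_OUTPUT))
  puts report(findings)
  puts "exit status: #{audit_exit_code(findings)}"   # a CI wrapper would exit with this
end
```

To use it as the first step of the Jenkins workflow above, run `mvn dependency:list` on the staging checkout, feed the log to this script, and let its exit status drive the "alert security operations" step; the boundary case matters, since the fixed version itself must not be flagged or the job will never go green after the update.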
The Dead
Tue, Nov 6, 2012 10:42 AM

Because of the need to do all the regression tests when you update
your vulnerable libraries, you can deploy a virtual patch (using a WAF)
while you and your team are working on making the proper updates to those
vulnerable libraries and doing all the necessary tests.

The Dead


James Manico
Tue, Nov 6, 2012 11:14 AM

"I like", Stephen.

I think regression testing should be a tactical combination of both
manual and automated processes. I prefer automated alerts for
framework updates, and even automated patching in dev, but I prefer to
manually regression test the app with QA staff before going live.

That is, unless your users are your QA staff, then go for it! :)

Aloha,


Krisztián Schäffer
Tue, Nov 6, 2012 12:53 PM

Thank you guys,

When I wrote autoupdate, I meant autoupdate on a testing environment,
sorry for that! Even Windows Update breaks things sometimes, so it is
usually tested before going live too.

Krisztián


Trey Keifer
Tue, Nov 6, 2012 1:09 PM

Ruby on Rails already has most, if not all, of the functionality that has
been discussed in this thread through their gem system. Updates can be
controlled on a gem-by-gem basis or with the Ruby core itself (through RVM)
in the Gemfile configuration. You can also specify version control for
independent deployment configurations - dev, test, prod.

You can update through minor revisions, instead of major releases, to
control the "update and break" scenarios. Also, if you are following Test
Driven Development (TDD) practices then you have already built all of your
unit/functional/regression testing into your application, so gem updates
will auto-fail when you run your automated tests via Rake.

Both of these practices, TDD and the Gem model, have been around for a while.
So this is nothing new.

--
Trey Keifer - President/CEO
WireHarbor Security, Inc.
http://www.wireharbor.com/
4064 N. Lincoln Ave, #431
Chicago, IL. 60618
Office: 847.239.5626 ext. 101
Fax: 847.239.5624

-----Original Message-----
From: websecurity [mailto:websecurity-bounces@lists.webappsec.org] On Behalf
Of James Manico
Sent: Tuesday, November 06, 2012 5:15 AM
To: Stephen de Vries
Cc: websecurity@lists.webappsec.org; Krisztián Schäffer
Subject: Re: [WEB SECURITY] 3rd party lib patch management for webapps

"I like", Stephen.

I think regression testing should be a tactical combination of both manual
and automated processes. I prefer automated alerts for framework updates,
and even automated patching in dev, but I prefer to manually regression test
the app with QA staff before going live.

That is, unless your users are your QA staff, then go for it! :)

Aloha,

--
Jim Manico
@Manicode
(808) 652-3805

On Nov 6, 2012, at 11:28 AM, Stephen de Vries <stephendv@gmail.com> wrote:

Hi Krisztián,

There are some tools available that will check for vulnerable jars within
Java apps, e.g.:

https://github.com/gcmurphy/enforce-victims-rule
and
https://github.com/jeremylong/DependencyCheck#readme

I agree with Jim that it's not feasible to auto-update in live.  But what
you could do is link one of these tools into a continuous integration tool
like Jenkins, and have it do an auto-update, build and run regression tests
in a staging or dev environment.  Jenkins will also let you email out alerts
based on build steps, so I'd imagine the workflow in Jenkins would be
something like:

  • Run dependency checker every hour
  • If update is found, alert security operations
  • update dependency
  • build
  • run tests
  • publish report
  • alert dev/project manager

regards,
Stephen

On 6 Nov 2012, at 09:29, Krisztián Schäffer wrote:

Hi All,

3rd party libs and frameworks are a good source of vulnerabilities in
enterprise webapps, e.g. Struts had multiple code execution vulns this year
which can potentially affect any Struts based webapps.

The most basic support for patch management I can imagine inside a webapp
is an autoupdate script which downloads the newest bugfix versions of the
used libs, rebuilds the app and runs the automated tests. I have never seen
any webapp with such support although in case of Java it is easy to
implement it. (e.g. using Maven).

My opinion is that the autoupdate ability should be a basic security
requirement for webapps. What do you think about that? Maybe virtual
patching is a better alternative where a WAF is in place?

I am not familiar with patch management tools so my other question
is if there is any tool available for 3rd party lib patch management.
(e.g. collecting patches, alerting, workflow management etc.)

Thanks,
Krisztián

--
the Cloudbreaker Company
+36-209118542, ko@cloudbreaker.co
place of business: azd.security Kft., Budapest 1146, Ajtósi Dürer sor
19-21, House of Professors bldg, fl 3

This message may contain confidential information - you should handle it
accordingly.

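The minor-revision pinning Trey describes and the staging workflow Stephen sketches (check, update, build, test, report, alert), as an added Ruby example that is not code from the thread. It relies on Ruby's built-in Gem::Requirement for the pessimistic "~>" operator; the gem index, build step and test step are constructed stand-ins so it runs offline.

```ruby
require "rubygems"   # Gem::Version / Gem::Requirement ship with Ruby

# Constructed stand-in for a repository index: gem name => published versions.
FAKE_INDEX = {
  "rails" => %w[3.2.8 3.2.9 3.2.10.rc1 4.0.0],
  "rack"  => %w[1.4.1 1.4.2 1.5.0],
}.freeze

# Pick the newest stable version allowed by a pessimistic ("~>") constraint,
# i.e. bugfix updates only: "~> 3.2.8" admits 3.2.9 but not 4.0.0.
def newest_allowed(name, constraint, index = FAKE_INDEX)
  req = Gem::Requirement.new(constraint)
  index.fetch(name, [])
       .map { |v| Gem::Version.new(v) }
       .reject(&:prerelease?)                  # never auto-promote an RC
       .select { |v| req.satisfied_by?(v) }
       .max
end

# One run of the staging workflow: check -> update -> build -> test -> report.
# +build+ and +test+ are injected callables (hypothetical stand-ins for the
# real rake build/test jobs) so the example runs offline. +pinned+ maps a gem
# name to [currently deployed version, Gemfile constraint]. Returns the report
# the CI job would publish; nothing is promoted when build or tests fail.
def update_run(pinned, index, build:, test:)
  report = { updated: {}, rolled_back: [], alerts: [] }
  pinned.each do |name, (current, constraint)|
    candidate = newest_allowed(name, constraint, index)
    next if candidate.nil? || candidate <= Gem::Version.new(current)
    report[:alerts] << "#{name}: #{current} -> #{candidate} available"
    if build.call(name, candidate) && test.call(name, candidate)
      report[:updated][name] = candidate.to_s   # promote in staging only
    else
      report[:rolled_back] << name              # keep old pin, humans look
    end
  end
  report
end
```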
CH
Christian Heinrich
Wed, Nov 7, 2012 3:40 AM

Krisztián,

This was recently touched upon within the "security in open source
components" thread on the SC-L mailing list, i.e.
http://krvw.com/pipermail/sc-l/2012/002786.html.

On Tue, Nov 6, 2012 at 7:29 PM, Krisztián Schäffer <ko@cloudbreaker.co> wrote:

I am not familiar with patch management tools so my other question is if
there is any tool available for 3rd party lib patch management. (e.g.
collecting patches, alerting, workflow management etc.)

--
Regards,
Christian Heinrich

http://cmlh.id.au/contact
