- Slides: 38
Dependency management © All rights reserved. www.keepcoding.io
The problem
% of new code
"In their haste to create applications, developers use open source components as their foundation, creating applications using only 10% to 20% new code" (The Forrester Wave™: Software Composition Analysis, Q1 2017)
Vulnerable dependencies
1 in every 8 components downloaded in 2018 contained a vulnerability
Equifax breach
● Equifax says a 2017 data breach exposed the sensitive personal information of 143 million Americans
○ Apache Struts, CVE-2017-5638
The problem
Timelines
Are we vulnerable?
● We do not know the version of every dependency
● Outdated dependencies
● We do not review them regularly
NPM
pip
Ecosystems
Vulnerabilities in each ecosystem
Solutions proposed by the communities
Are we vulnerable?
● Deprecation notice in nodemon
Are we vulnerable?
Are we vulnerable?
● The library was modified with the aim of stealing cryptocurrency
Are we vulnerable?
Prevention
● Remove unused dependencies
● Monitor the versions in use
● Monitor the vulnerabilities of our dependencies
● Solution: update the dependencies
Timelines
Vulnerability resolution driven by security advisories is below 20%. Resolution time ranges from 1 week to 9 months, depending on the project.
Prevention
● Check for vulnerabilities
○ NIST
○ CVE
CVE and CVSS
● CVE: Common Vulnerabilities and Exposures
● CVSS: Common Vulnerability Scoring System calculator
○ https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
○ https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
CVE websites
● Custom alerts
○ https://www.saucs.com/
● Classification
○ https://www.cvedetails.com/
CPE
● Common Platform Enumeration
● Standard method for describing and identifying software and hardware
CPE
cpe:2.3:a:apache:maven:3.0:*:*:*:*
(a = application, apache = vendor, maven = product, 3.0 = version)
Dependency managers
● npm ls
● mvn
● pip freeze
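The CPE slide and the dependency-manager listings (npm ls, mvn, pip freeze) are tied together in this added example, which is not part of the original slides: it parses a CPE 2.3 formatted string into named fields (handling escaped colons and strings that were cut short, like the Maven one above) and builds a CPE name from a `pip freeze` line, which is the first step toward knowing the version of every dependency. The vendor argument and the field-name constant are assumptions, since pip output carries no vendor.

```python
import re

# Added example, not part of the original slides. Vendor names in CPEs are
# not derivable from `pip freeze`, so the caller supplies them (assumption).
CPE23_FIELDS = (
    "part", "vendor", "product", "version", "update", "edition",
    "language", "sw_edition", "target_sw", "target_hw", "other",
)


def split_cpe23(s):
    """Split a CPE 2.3 formatted string on ':' while honouring backslash
    escapes, so an escaped colon inside a field is not treated as a separator."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair as-is
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == ":":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cpe23(s):
    """Return the 11 attribute fields of a CPE 2.3 formatted string as a dict.
    A string cut short, like the shortened one on the slide, is padded with '*'
    (the 'ANY' value); anything that is not 'cpe:2.3:...' is rejected."""
    parts = split_cpe23(s)
    if parts[:2] != ["cpe", "2.3"] or len(parts) > 13:
        raise ValueError(f"not a CPE 2.3 formatted string: {s!r}")
    attrs = parts[2:] + ["*"] * (11 - len(parts[2:]))
    if attrs[0] not in ("a", "o", "h", "*", "-"):
        raise ValueError("part must be a (application), o (OS) or h (hardware)")
    return dict(zip(CPE23_FIELDS, attrs))


def cpe_from_pip_freeze(line, vendor):
    """Build a CPE 2.3 name for one `pip freeze` line such as 'Django==2.2.1'.
    Lines that are not pinned 'name==version' (editable/VCS installs) yield None."""
    m = re.fullmatch(r"\s*([A-Za-z0-9_.\-]+)==([^\s;]+)\s*", line)
    if not m:
        return None
    name = m.group(1).lower().replace("_", "-")   # lower-case, underscores to hyphens
    return f"cpe:2.3:a:{vendor}:{name}:{m.group(2)}:*:*:*:*:*:*:*"
```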
Commercial solutions
Snyk
Snyk CLI cheat sheet
Setup:
1. npm install -g snyk
2. snyk auth
Use:
1. snyk test
2. snyk wizard
3. snyk monitor
Snyk CLI
Fossa
Open source projects
● Deeptracy: developed by BBVA
● Dependency-Check: developed by OWASP
Dependency-Check
● Project developed by OWASP
● Supports Java and .NET
● Can be used as:
○ Ant Task
○ Command Line Tool
○ Gradle Plugin
○ Jenkins Plugin
○ Maven Plugin (Maven 3.1 or newer required)
○ SBT Plugin
Using Dependency-Check
./dependency-check.sh --project test --scan /root/Android.Gangame/ --out ./result
Using Pyup
Pyup integration with GitHub