2016-11 jarrett object lessons final

Post on 31-Dec-2016


Object lessons: Deserialization after Apache Commons Collections

Tim Jarrett, November 2016

Who am I?

• @tojarrett
• Over 20 years in the software business
• At Veracode since 2008
• Grammy award winner
• Bacon number of 3

Deseriali-what?

What is deserialization?

Serializing: also called "marshalling," "pickling," "freezing," "flattening"

Serialize: to snapshot a "live" in-memory object into a flat, serial stream of data that can be stored or transmitted for reconstitution

Deserialize: reverse the process

Timeline of the deserialization vulnerability

Nov 2005: ACC 3.0
Apr 2008: ACC 3.2.1
Nov 2013: ACC 4.0
Jan 2015: "Marshalling Pickles"
Nov 6, 2015: RCE exploits
Nov 12, 2015: ACC 3.2.2
Nov 25, 2015: ACC 4.1

How big a deal was this vuln?

Veracode 2016 State of Software Security

• Largest quantitative study of application security risk
• Based on over 330,000 actual application testing results
• 34 different industries represented
• Large and small organizations, commercial software providers, open source projects, software outsourcers
• Static analysis, dynamic analysis, software composition analysis

Sources of application risk

Configuration and deployment issues

First party code

Risky components

Most prevalent Java components

Most prevalent vulnerable Java components

Developers don’t update out-of-date libraries

Apache Commons Collections: a case study

ACC by industry

Industry vertical        % of Java apps with ACC 3.2.1
Tech                     67.9%
Healthcare               42.1%
Other                    26.7%
Financial services       22.4%
Manufacturing            20.4%
Retail & Hospitality     16.2%
Government               16.0%

Component family tree

Apache Commons Collections 3.2.1 (1290)

Apache Commons BeanUtils (1348)
Spring Web (1779)
Spring Framework (501)
...

Core Hibernate ORM Functionality (1185)
Spring TestContext Framework (3007)
Spring Web MVC (1314)
...

Apache Commons Configuration (803)
Hadoop Core (399)
SonarQube Plugin API (262)
...

Apache Velocity (748)
Spring Context Support (916)
SnakeYAML (519)
...

Not just in Open Source

Addressing component risk

Addressing component risks in the SDLC

1. Policy first
2. Build an inventory
3. Developer education
4. Integrate testing

Policy

Build an inventory

Developer education


Integrate
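One way to start the inventory step, as an added example that is not the deck's own tooling: a small Java scanner that walks a directory of build output, picks out Apache Commons Collections jars by file name, and flags versions older than the fixed 3.2.2 and 4.1 releases from the timeline. The directory layout, the file-name pattern and the report format are assumptions; a jar that has been shaded or repackaged under another name will not be found this way, which is one reason the deck pairs the inventory with software composition analysis.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;

public class AccInventory {

    // Assumed naming convention: commons-collections-3.2.1.jar, commons-collections4-4.0.jar
    private static final Pattern ACC_JAR =
        Pattern.compile("^commons-collections4?-(\\d+)\\.(\\d+)(?:\\.(\\d+))?\\.jar$");

    // Fixed releases per the timeline: 3.2.2 for the 3.x line, 4.1 for the 4.x line.
    static boolean isFixed(int major, int minor, int patch) {
        if (major == 3) return minor > 2 || (minor == 2 && patch >= 2);
        if (major == 4) return minor >= 1;
        return major > 4;
    }

    // Classifies one file name; returns null when it is not an ACC jar.
    static String classify(String fileName) {
        Matcher m = ACC_JAR.matcher(fileName);
        if (!m.matches()) return null;
        int major = Integer.parseInt(m.group(1));
        int minor = Integer.parseInt(m.group(2));
        int patch = m.group(3) == null ? 0 : Integer.parseInt(m.group(3));
        return (isFixed(major, minor, patch) ? "ok      " : "UPDATE  ") + fileName;
    }

    // Walks the tree and returns one report line per ACC jar found.
    static List<String> scan(Path root) throws IOException {
        List<String> report = new ArrayList<>();
        try (Stream<Path> paths = Files.walk(root)) {
            paths.filter(Files::isRegularFile).forEach(p -> {
                String line = classify(p.getFileName().toString());
                if (line != null) report.add(line);
            });
        }
        return report;
    }

    public static void main(String[] args) throws IOException {
        Path root = Path.of(args.length > 0 ? args[0] : ".");
        List<String> report = scan(root);
        if (report.isEmpty()) System.out.println("no Apache Commons Collections jars found under " + root);
        for (String line : report) System.out.println(line);
    }
}
```

Run it against a WAR's unpacked WEB-INF/lib or a local Maven repository; the lines marked UPDATE are the 3.2.1-style cases the industry table above counts, and the output is a starting point for the policy and testing steps rather than a substitute for them.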

No free lunch

THANK YOU

Twitter: @tojarrett

State of Software Security: https://www.veracode.com/soss