
Understanding and combating open source software vulnerabilities


Who am I

  • Product Security Engineer at a Fintech company
  • Co-contributor to the SCAGoat Open source Project
  • Passionate about Software Supply Chain Security, with 3+ years of experience in code review and penetration testing.
  • Speaker at DEF CON Demolabs and AppSec Village Arsenal, with upcoming presentations at BLACKHAT and C0C0N’24
  • Core Team Member of Seasides Goa Conference


@harekrishnarai


Agenda

  • What are open source vulnerabilities? – Application
  • Types of scanning for OSS package vulnerabilities
  • Role of EPSS in combating OSS vulnerabilities
  • Other than vulnerabilities
  • What’s next?


What are open source vulnerabilities?


Open source vulnerabilities

Open source vulnerabilities are security flaws or weaknesses found in open-source software components, such as libraries, frameworks, or applications.

These vulnerabilities can arise from coding errors, outdated versions, or misconfigurations, and once published they are visible to both developers and attackers: developers can patch them, attackers can exploit them.


Dependencies of an Open source project


Some stats about Open Source Vulnerabilities

Source - Internet


Statistics on Open Source Vulnerabilities

70% of applications use at least one vulnerable open-source component.

50% of all vulnerabilities found in applications come from open-source libraries.

43% of vulnerabilities are due to indirect dependencies in open-source code.

85% of vulnerabilities in open source can be fixed with a library upgrade.

[Chart: Exploitability of open-source vulnerabilities – three segments of 55%, 35% and 10%; segment labels were not recoverable from the slide.]

source: Internet


Demo Time


Types of scanning for OSS package vulnerabilities


Example - Manifest Scanning


Reachability Scanning
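The two slides above only name the scanning types, so here is an added example (not from the deck or from SCAGoat) that makes the difference concrete. A manifest scanner reads the dependency file and flags every pinned package whose version is below the fixed version in an advisory; a reachability scanner additionally checks whether the vulnerable function is actually called from the application's code. The manifest, the application source, the package names and the advisory database are all constructed placeholders, and the advisory ids are not real CVEs.

```python
"""Added example (not from the slides): a toy manifest scanner and a
reachability check over a constructed Python project. Advisory data,
package names and versions are all constructed placeholders."""
import ast
import re
from dataclasses import dataclass

# Constructed requirements.txt (pinned versions), as a manifest scanner would read it
REQUIREMENTS_TXT = """\
# constructed sample manifest
fastjsonlib==1.4.2
imagetool==2.0.0
logfmt==0.9.1
"""

# Constructed application source: only two of the three packages are imported,
# and only one of the vulnerable functions is actually called.
APP_SOURCE = """\
import fastjsonlib
from logfmt import parse_line

def handle(payload):
    return fastjsonlib.loads(payload)

def log(line):
    return parse_line(line)
"""

@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    package: str
    fixed_in: tuple    # first version that is NOT vulnerable
    symbol: str        # function whose call makes the flaw reachable

# Constructed advisory database
ADVISORIES = [
    Advisory("ADV-0001 (constructed)", "fastjsonlib", (1, 4, 3), "fastjsonlib.loads"),
    Advisory("ADV-0002 (constructed)", "imagetool",   (2, 0, 1), "imagetool.resize"),
    Advisory("ADV-0003 (constructed)", "logfmt",      (1, 0, 0), "logfmt.render"),
]

def parse_requirements(text):
    """Return {package: version_tuple} from pinned 'name==x.y.z' lines."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if m:
            deps[m.group(1).lower()] = tuple(int(p) for p in m.group(2).split("."))
    return deps

def manifest_scan(requirements_text):
    """Manifest scanning: flag every pinned dependency whose version is below fixed_in."""
    deps = parse_requirements(requirements_text)
    return [a for a in ADVISORIES
            if a.package in deps and deps[a.package] < a.fixed_in]

def called_symbols(source):
    """Collect fully qualified names of the functions the source actually calls."""
    tree = ast.parse(source)
    aliases = {}   # local name -> qualified name, taken from import statements
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    calls = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            calls.add(f"{aliases.get(f.value.id, f.value.id)}.{f.attr}")
        elif isinstance(f, ast.Name):
            calls.add(aliases.get(f.id, f.id))
    return calls

def reachability_scan(requirements_text, source):
    """Reachability scanning: keep only manifest findings whose vulnerable symbol is called."""
    calls = called_symbols(source)
    return [a for a in manifest_scan(requirements_text) if a.symbol in calls]

if __name__ == "__main__":
    print("manifest findings:", [a.advisory_id for a in manifest_scan(REQUIREMENTS_TXT)])
    print("reachable findings:",
          [a.advisory_id for a in reachability_scan(REQUIREMENTS_TXT, APP_SOURCE)])
```

On this constructed input the manifest scan reports all three advisories, while the reachability scan keeps only the first: imagetool is pinned but never imported, and logfmt is imported but its vulnerable function is never called. Real reachability tools follow calls across modules and through the dependency's own code; this single-file AST walk is only the idea.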


Role of EPSS in combating OSS vulnerabilities

  • The EPSS is a publicly and freely available data set that projects the likelihood of exploitation of all published Common Vulnerabilities and Exposures (CVEs). Hosted by the nonprofit Forum of Incident Response and Security Teams (FIRST), the EPSS is available for consumption both as a downloadable spreadsheet and through an application programming interface (API).
  • The key output of the EPSS is a numerical value between 0 and 1 that predicts the likelihood of a given CVE’s exploitation in the next 30 days. Percentile scores are also available to give an idea of the relative exploitability of any given CVE.
  • No system is perfect, and we looked at some of the limitations of the EPSS in our previous post. But with that said, the EPSS can be an excellent part of the toolkit for organizations seeking to address the all-too-common problem of CVE overload.
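As an added example of the triage the bullets describe (not part of the deck and not FIRST's own tooling), the script below parses EPSS data in the column layout of the downloadable CSV export (cve, epss, percentile) and uses the 30-day exploitation probability, with CVSS as a tie-breaker, to bucket the findings of a dependency scan. The EPSS rows, CVE ids, package names and CVSS scores are constructed placeholders, and the thresholds are an assumed policy rather than anything EPSS prescribes.

```python
"""Added example (not from the slides): prioritising a dependency scan's
CVEs with EPSS scores. The EPSS rows are constructed samples in the column
layout of the FIRST EPSS CSV export (cve,epss,percentile); the CVE ids and
scores are placeholders, and the thresholds are an assumed policy."""
import csv

# Constructed snippet in the EPSS CSV layout. Real exports start with a '#' metadata line.
EPSS_CSV = """\
#model_version:constructed,score_date:1900-01-01T00:00:00+0000
cve,epss,percentile
CVE-1900-0001,0.92000,0.99800
CVE-1900-0002,0.00450,0.71000
CVE-1900-0003,0.00030,0.05000
CVE-1900-0004,0.14000,0.96000
"""

# Constructed scanner output: CVE and CVSS base score per dependency finding
FINDINGS = [
    {"cve": "CVE-1900-0001", "package": "libalpha", "cvss": 9.8},
    {"cve": "CVE-1900-0002", "package": "libbeta",  "cvss": 9.1},
    {"cve": "CVE-1900-0003", "package": "libgamma", "cvss": 7.5},
    {"cve": "CVE-1900-0004", "package": "libdelta", "cvss": 5.3},
    {"cve": "CVE-1900-9999", "package": "libeps",   "cvss": 6.5},  # no EPSS row yet
]

# Assumed policy thresholds on the 30-day exploitation probability (not from EPSS itself)
EPSS_URGENT = 0.10
EPSS_WATCH = 0.01

def load_epss(csv_text):
    """Parse EPSS CSV text into {cve: (epss, percentile)}, skipping '#' metadata lines."""
    lines = [l for l in csv_text.splitlines() if l and not l.startswith("#")]
    reader = csv.DictReader(lines)
    return {row["cve"]: (float(row["epss"]), float(row["percentile"])) for row in reader}

def triage(findings, epss_table):
    """Bucket each finding by EPSS first and CVSS second. A CVE with no EPSS score goes to
    'review' so a missing score never silently demotes a finding to the backlog."""
    out = []
    for f in findings:
        score = epss_table.get(f["cve"])
        if score is None:
            bucket, epss = "review (no EPSS score)", None
        else:
            epss = score[0]
            if epss >= EPSS_URGENT:
                bucket = "urgent"
            elif epss >= EPSS_WATCH or f["cvss"] >= 9.0:
                bucket = "scheduled"
            else:
                bucket = "backlog"
        out.append({**f, "epss": epss, "bucket": bucket})
    order = {"urgent": 0, "scheduled": 1, "review (no EPSS score)": 2, "backlog": 3}
    # Within a bucket, rank by EPSS (highest first), then by CVSS
    return sorted(out, key=lambda r: (order[r["bucket"]], -(r["epss"] or 0.0), -r["cvss"]))

if __name__ == "__main__":
    for row in triage(FINDINGS, load_epss(EPSS_CSV)):
        print(f'{row["bucket"]:24} {row["cve"]} {row["package"]} '
              f'epss={row["epss"]} cvss={row["cvss"]}')
```

Note how the ordering differs from a pure CVSS sort: the CVSS 5.3 finding with an EPSS of 0.14 is ranked above the CVSS 9.1 finding with an EPSS of 0.0045, which is exactly the CVE-overload problem the bullets describe EPSS helping with. The same logic applies to the JSON returned by the FIRST API once its records are flattened into the same {cve: (epss, percentile)} mapping.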


source: Internet


What’s next?

  • SCAGoat – A Damn Vulnerable SCA Application (https://docs.scagoat.dev)


References


I need to take a break


Thank you
