NewsBites Drilldown for the Week Ending 29 May 2020

John Pescatore
— SANS Director of Emerging Security Trends

This week’s Drilldown focuses on two items (included below) from NewsBites Issue 42, the only NewsBites issue during the shortened holiday week.

The first item summarizes a paper by Veracode. This paper looks at vulnerabilities in open source software libraries and includes the quote “70 percent of apps in use today have at least one vulnerability that exists because of an open source library.”

Of course, 100% of apps in use today have vulnerabilities in the proprietary/closed source part of their code! The high volume of patches coming out each month from Microsoft, Adobe and every other closed-source software vendor indicates that keeping source code private does not make software more secure. However, because business pays for that software, commercial software is usually included in IT update and patching plans, which is often not
the case for open source software or library modules used in homegrown and privately developed code. Enterprises must ensure that asset inventory, vulnerability management and patching processes include open source library modules.

The second item is yet another item about Zoom’s security push. Zoom is about halfway through its 90-day security plan, and Zoom CEO Eric Yuan has been doing a weekly “Ask Eric Anything” webinar. Zoom also has weekly blog updates on progress. While Zoom has done a good job in adding needed security features and strengthening security controls within Zoom, it hasn’t yet provided many scalable security management features and has a limited set of third-party security integrations in the Zoom Security and Compliance marketplace. Enterprises should heavily weight comprehensive and scalable security management features when comparing online conferencing applications.

______________________________________________________________________________

Majority of Apps Contain Flaws via Open-Source Libraries

(May 25, 2020)

Open source libraries are ubiquitous; they help developers create apps more quickly. According to the “State of Software Security Open Source Edition” report from Veracode, 70% of apps in use today have at least one vulnerability that exists because of an open source library. The four most common types of vulnerabilities found in open source libraries are access control issues, cross-site scripting, sensitive data exposure and injection.

[Editor Comments][Neely] The Veracode paper breaks down flaws by language type, with PHP having the most flaws including, at least, a proof of concept (Poc) exploit. This introduces the burden of not only monitoring and updating your open source libraries, but also integrating these releases with current software lifecycle update processes. The good news is the majority of identified open source flaws are addressed in small updates unlikely to break applications, thereby reducing the risk and difficulty of remaining current.

[Pescatore] Good reminder that open source software is just as likely to have vulnerabilities in it as commercial software. A key takeaway from the Veracode report: “Fixing most library-introduced flaws in most applications can be accomplished with only a minor version update. Major library upgrades are not usually required!”

Zoom E2E Encryption Whitepaper

(May 22, 2020)

Zoom has published a whitepaper that “proposes major security and privacy upgrades for” the company through an “incrementally-deployable four-phase roadmap.” The paper details how the four phases–Client Key Management, Identity, Transparency Tree and Real-Time Security–will be implemented.

[Editor Comments][Neely] This paper also lays out the current meeting security mechanisms and differentiates between meeting access control features, such as a meeting password, and securing the meeting content, which may use a symmetric key. Take note of where connectors are required to extend encryption to certain devices and the limitations of those connections.

[Pescatore] I did a webinar with Zoom Head of Product Security Randy Barr, and he gave details on what Zoom has done to date to address needed security improvements and what is on the roadmap for the rest of its first 90-day plan. Encryption gets the press attention, but the increase in focus on application security and proactive pen testing and getting input from industry CISOs are the more important initiatives. The webinar recording is available at https://www.sans.org/webcasts/zooming-safely-securely-interviews-zooms-head-product-security-115500.

[Murray] “Zoom bombing” notwithstanding, most users have more risk in their operating systems, browsers, readers, etc. than in any application. Zoom remains more vulnerable to meeting host decisions than to attacks on its crypto. Zoom is rapidly approaching “enterprise grade.” However, for most system code, that still involves a reservoir of known and unknown vulnerabilities. When using any conferencing application, I prefer device-specific purpose-built clients to historically porous browsers.