
Black Hat USA 2014: Third-Party Vulns Spread Like Diseases

Understanding the impact of vulnerabilities in libraries and other components

As security professionals grapple with how to classify and triage vulnerabilities in third-party libraries and components their software depends upon, it may help to think about the spread of these vulnerabilities the way a public health professional views the spread of infectious disease. Two researchers at Black Hat USA next month plan to present data that shows how the spread of attack surface from something like a Heartbleed vulnerability instance looks very similar to an epidemiological event, like a widespread flu outbreak.

The idea came from Kymberlee Price, director of ecosystem strategy at Synack, who had a background in public health before her time as a security pro focusing on red team management and vulnerability metrics analysis. She teamed up with Jake Kouns, CEO of the Open Security Foundation and one of the executives who help oversee OSF's Open Sourced Vulnerability Database (OSVDB), to examine OSVDB data and see how well her hunch held up. The numbers showed that, while libraries and other third-party components offer a huge leg up in speed and efficiency of development, the practice greatly amplifies the impact of a single vulnerability in any one of these components.

"We're not suggesting that people shouldn't use third-party libraries, because they have a valid purpose in the development," Price says. "We're going to talk about what you as a developer or an IT manager need to be doing or thinking to protect your customers or your profits because you're ultimately accountable for all of the code you ship -- whether you wrote it or not."

The greater the success of the library, the greater the threat posed by a vulnerability in it. That's because the more software third-party components touch, the more potential they have to spread the pestilence when vulnerabilities are present.

"We're going to look at a number of widely used third-party libraries in terms of how many vulns they have, how many products they're used in, and what the relative severity is of those," Price says. "So it's not just a lot of low-level hygiene fixes that you'll have to worry about if you use this library, but these are the big advisory-class problems and how much you should be worried about them."

Price and Kouns will present some of the hard numbers in their talk, showing which libraries are among the biggest offenders in expanding attack surfaces. But as they preview their talk, they're not afraid to give an early peek at their biggest message: the epidemiological spread of third-party vulnerabilities means that organizations can't simply depend on CVSS to guide how they prioritize the risk of these bugs. Even when a bug in a third-party component does not carry a high CVSS score, it can present a substantial threat because of how pervasive the component is and how the code is deployed.

"I think it's fair to talk about Heartbleed as a case study because everyone's pretty familiar with that at this point," Price says. "If you look at the CVE associated with the Heartbleed vulnerability, you'll find over 200 advisories tied just to that one CVE, different products by different vendors. While that CVSS score on that vuln is only a 5.0, once you start looking at what's being accessed in some of these products it starts looking significantly more impactful. It may not be a 10.0, but it's incredibly damaging."

This lesson is especially important for software vendors to digest as they reexamine their incident response and maintenance practices, a topic which Price hopes to expand on during the talk. "So one of the highlights of the talk is, you need a robust incident response plan, but you also need a proactive maintenance plan, so you're not only updating on the emergency events," she says, explaining that if a vendor has no maintenance plan in place and a library has an impactful vulnerability, it will be significantly more difficult to make a fix if that vendor has missed four or five updates prior to the patch in question. "The problem when a catastrophic vulnerability occurs and you're four versions old is that there have been so many incremental changes to the library that it'll take major architectural changes in the product to jump to the right version."

Meanwhile, enterprises should also be paying close attention to these vulnerabilities -- even the low-CVSS-scored bugs -- so they can turn up the heat on vendors to make fixes quickly and ask for workarounds until patches are available.

"One of the things I think is important for IT admins to do is, first off, know what's in their environment. Not just what products are in there, but what third-party code is in those products," she says, explaining that this will allow customers to put the screws to vendors when news of big third-party vulnerabilities surface. "Believe it or not, vendors care what customers have to say -- and if customers are saying 'Security is a priority to me,' then security becomes a priority for the vendor."
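As an added example (not from the article or the researchers' OSVDB data), the following Python script applies the points above to a constructed product inventory, release history and placeholder advisories: it ranks each advisory by CVSS times the number of products bundling an affected component version, the pervasiveness argument made about Heartbleed, and separately flags components that are several releases behind, the maintenance debt Price describes. All product, component and advisory names are made up.

```python
# Constructed inventory: product -> {component: bundled version}.
INVENTORY = {
    "webgw":     {"libtls": "1.0.1", "imglib": "2.3"},
    "vpnbox":    {"libtls": "1.0.1"},
    "mailsvc":   {"libtls": "1.0.1", "zipper": "4.1"},
    "backup":    {"libtls": "0.9.8"},
    "reportgen": {"imglib": "2.3"},
    "kiosk":     {"zipper": "4.0"},
}
# Constructed release history per component, oldest to newest.
RELEASES = {
    "libtls": ["0.9.8", "1.0.0", "1.0.1", "1.0.2"],
    "imglib": ["2.2", "2.3", "2.4"],
    "zipper": ["4.0", "4.1", "4.2"],
}
# Constructed advisories (placeholder ids); only some versions are affected.
ADVISORIES = [
    {"id": "ADV-1", "component": "libtls", "affected": {"1.0.1"}, "cvss": 5.0},
    {"id": "ADV-2", "component": "zipper", "affected": {"4.0"}, "cvss": 9.0},
    {"id": "ADV-3", "component": "imglib", "affected": {"2.2"}, "cvss": 7.5},
]

def affected_products(adv, inventory=INVENTORY):
    """Products that bundle an affected version of the advisory's component."""
    comp = adv["component"]
    return sorted(p for p, comps in inventory.items()
                  if comps.get(comp) in adv["affected"])

def version_lag(component, bundled, releases=RELEASES):
    """How many releases behind the newest release the bundled version is."""
    history = releases[component]
    return len(history) - 1 - history.index(bundled)

def triage(advisories=ADVISORIES, inventory=INVENTORY):
    """Rank advisories by CVSS x affected-product count, not by CVSS alone."""
    rows = []
    for adv in advisories:
        comp, hit = adv["component"], affected_products(adv, inventory)
        lags = [version_lag(comp, inventory[p][comp]) for p in hit]
        rows.append({"id": adv["id"], "cvss": adv["cvss"], "products": hit,
                     "exposure": adv["cvss"] * len(hit),
                     "worst_lag": max(lags, default=0)})
    return sorted(rows, key=lambda r: r["exposure"], reverse=True)

def stale_components(threshold=2, inventory=INVENTORY):
    """(product, component, lag) at least `threshold` releases behind: the
    maintenance debt that turns an emergency patch into a big version jump."""
    return sorted((p, c, version_lag(c, v)) for p, comps in inventory.items()
                  for c, v in comps.items() if version_lag(c, v) >= threshold)
```

With this data the CVSS 5.0 advisory in the widely bundled component outranks the CVSS 9.0 advisory that touches one product, and the CVSS 7.5 advisory drops to the bottom because no shipped product carries an affected version.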


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

7/10/2014 | 1:29:16 PM
Black Hat USA 2014
I agree with Mack's post, but will add one caveat. Many of these companies using the third-party tools are using outdated tools which the vendor has since updated or abandoned entirely. Part of the reason is the tool does something convenient at the time and is free, and new features require buying a new version, which may not be enough reason to justify its purchase.

While it might be beneficial to rewrite or refine the library, many code shops can't do this because the cost of doing so is more than management is willing to accept.
7/8/2014 | 7:52:18 AM
excellent essay and a timely point
This is an excellent essay and a very timely point. Security in third-party components should be addressed using a zero-defects methodology: I am responsible for zero defects in what I produce.

One of the things I need to do in this regard is to vet the tools I use. If I download and install a compiler and library, it becomes incumbent on me to check the MD5 hash or PGP signature on that product to make sure it is a correct copy from the vendor I am using. My supplier in turn is responsible for doing the same.

Ultimately, when I write the source code I am responsible for making sure it is correct, just as prescribed by Edsger Dijkstra in his Notes on Structured Programming.