Secure your application in less than 10 minutes with OWASP dependency checker

Bjørn Hamre

Lightning talk - in English

In 2017 several Fortune 100 companies received unwanted media attention when a vulnerability in the Struts framework left their systems practically wide open (https://www.zdnet.com/article/critical-security-bug-threatens-fortune-100-companies/). The best-known victim, Equifax, may have leaked personal information for as many as 100.000 Canadian customers (https://globalnews.ca/news/3755234/equifax-breach-canada/).


The security vulnerability in Struts was quickly fixed, but millions of applications using older versions of Struts were still live. Fixing this requires building, testing, releasing and deploying, all of which takes time. That is assuming you even KNOW your dependencies are vulnerable. Time matters: each hour your application runs in production with a known vulnerability increases the risk of exploitation. So what can you as a developer do to prevent your company from becoming the next Equifax?


In this lightning talk I demonstrate how to use OWASP's little-known plugins for Maven and SBT to check your third-party libraries for known vulnerabilities. By comparing the versions of your dependencies against a public vulnerability database, the plugin generates a readable report with short explanations and links to the full vulnerability disclosures.
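As an added illustration (not part of the talk abstract and not the speaker's own configuration), this is a Maven build section that wires the OWASP dependency-check plugin into the verify phase, so a dependency with a known vulnerability scored at or above the chosen CVSS threshold fails the build instead of silently shipping. The plugin coordinates, the `check` goal and the `failBuildOnCVSS`, `format` and `suppressionFiles` settings are the plugin's real ones; the version string and the suppression file path are placeholders to be replaced with your own.

```xml
<build>
  <plugins>
    <plugin>
      <!-- OWASP dependency-check plugin: compares each resolved dependency
           against the public vulnerability database and writes a report -->
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>PLUGIN_VERSION_PLACEHOLDER</version> <!-- placeholder: pin a real release -->
      <configuration>
        <!-- Fail the build when any finding has CVSS >= 7 (High or Critical).
             Lower the threshold once the backlog of known issues is cleared. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- Human-readable report, written under target/ by default -->
        <format>HTML</format>
        <!-- Optional: a file that records findings reviewed and accepted as
             false positives, so the build stays green without ignoring new ones.
             Path is hypothetical. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/dependency-check-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <goals>
            <!-- "check" analyses dependencies and enforces failBuildOnCVSS -->
            <goal>check</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Running `mvn verify` then scans the project's dependencies and writes `dependency-check-report.html` into `target/`. The first run downloads the vulnerability data, which takes a few minutes; later runs reuse the local copy. Keeping the suppression file under version control, with a comment on each entry explaining why the finding was accepted, turns the report into a reviewable record rather than a list that gets ignored.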


This is an important tool for deciding whether or not to upgrade the dependencies in your project, and it is probably the single most cost-effective way for developers to make their applications more secure.