Handling Security Vulnerabilities

Exploring Ways to Manage Security Vulnerabilities

Gregory M. Kapfhammer

November 18, 2024

We need to identify computer security vulnerabilities and effectively manage them! Best practices?

Security Vulnerability Management

  • Asset: A resource that is valuable to an organization
  • Vulnerability: A weakness in a computer system
  • Vulnerability management: A process for identifying, classifying, and handling a vulnerability in a computer system
  • Threat: A potential danger to an asset in a computer system
  • Risk: The likelihood of a threat exploiting a vulnerability
  • Countermeasure: A way to reduce the computer security risk
  • In-Class Discussion: What is a complete example of these concepts?
    • Identify the asset and its importance to computer security
    • Identify the threat to this asset and ways to mitigate it

Storing Secrets Inside of GitHub Repositories

Effective Secret Storage

  • Vulnerability:
    • Secrets unlock access to sensitive information
    • Programmers often store secrets in GitHub repositories
    • Attackers can find secrets and easily exploit them
  • Countermeasure:
    • How can we detect secrets in GitHub repositories?
    • What tools can we use to prevent secrets from being stored?

Secret Scanning

import re

def detect_api_keys(file_path: str):
    api_key_patterns = [
        r'AIza[0-9A-Za-z-_]{35}',
        r'AKIA[0-9A-Z]{16}',
        r'SK.[0-9a-zA-Z]{32}',
        r'[0-9a-fA-F]{32}',
        r'[0-9a-fA-F]{40}',
        r'[A-Za-z0-9-_]{32}',
        r'[A-Za-z0-9-_]{40}',
    ]
    with open(file_path, 'r') as file:
        content = file.read()
    matches = []
    for pattern in api_key_patterns:
        matches.extend(re.findall(pattern, content))
    if matches:
        print("\tPotential API keys found:")
        for match in matches:
            print(f"\t\t{match}")
    else:
        print("\tNo API keys found.")

Using a Secret Scanner

# scan three different files for API keys
print("Scanning src/subject_contains_key.py")
detect_api_keys("src/subject_contains_key.py")
print("\nScanning src/subject_contains_no_key.py")
detect_api_keys("src/subject_contains_no_key.py")
print("\nScanning src/subject_contains_false_positive.py")
detect_api_keys("src/subject_contains_false_positive.py")
Scanning src/subject_contains_key.py
    Potential API keys found:
        AIzaSyA-1234567890abcdefgHIJKLMNOPQRSTU
        AIzaSyA-1234567890abcdefgHIJKLMN
        AIzaSyA-1234567890abcdefgHIJKLMNOPQRSTUV

Scanning src/subject_contains_no_key.py
    No API keys found.

Scanning src/subject_contains_false_positive.py
    Potential API keys found:
        A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6

Inputs to Security Scanner

"""Example of a file that contains a secret key."""

if __name__ == "main":
    api_key = "AIzaSyA-1234567890abcdefgHIJKLMNOPQRSTUV"
    print("This is a file with a secret API key.")
"""Example of a file that contains no secret key."""

if __name__ == "main":
    print("This is a file without a secret API key.")
"""Example of a file that contains a false positive secret key."""

if __name__ == "main":
   dummy_key = "A1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6"
   print("This is a file with a string that looks like an API key but is not.")

Secret Scanning Lessons Learned

Scanning for API Keys in GitHub Repositories

  • Important Questions:
    • Efficiency: Can we scan repositories quickly?
    • Effectiveness: Can we detect all secrets?
    • Accuracy: Can we avoid false positives?
    • Adaptability: Can we update for new secrets?
    • Security: Can we protect secrets from attackers?

Secret Scanning is an Important Business!

Collecting Information

  • Hardware: CPU, RAM, hard drives, network cards
  • Software: Operating systems, applications, libraries
  • Networks: Routers, switches, firewalls, servers
  • Data: Repositories, logs, databases, backups
  • People: Users, administrators, developers, attackers
  • Key Questions:
    • What is an automated strategy for collecting information?
    • Once a system is deployed, how can we collect information about it?

What are some automated strategies for collecting and maintaining computer system information?

Detecting CPU Details

def get_cpu() -> Dict[str, str]:
    """Return information about the current CPU in the system."""
    # detect the name of the function in
    # which this source code exists
    function_name = inspect.stack()[0][3]
    # parse out the second part of the name after
    # the underscore character
    function_name = function_name.split("_")[1]
    # create a dictionary with the function's
    # purpose as the key and the value as
    # the return of the function that collects it
    return {function_name: str(platform.machine())}
  • Use the inspect package to detect the name of the function
  • Use the platform package to detect the CPU architecture
  • Ensure that the function works in all execution environments!

Detecting Disk Details

def get_disk() -> Dict[str, str]:
    """Return disk space usage."""
    function_name = inspect.stack()[0][3]
    function_name = function_name.split("_")[1]
    if platform.system() == constants.system.Windows:
        total_disk = psutil.disk_usage("C:\\").total
        used_disk = psutil.disk_usage("C:\\").used
    else:
        total_disk = psutil.disk_usage("/").total
        used_disk = psutil.disk_usage("/").used
    total_disk_gb = total_disk / (1024**3)
    used_disk_gb = used_disk / (1024**3)
    disk = f"Using {used_disk_gb:.2f} GB of {total_disk_gb:.2f} GB"
    return {function_name: disk}
  • Use the psutil package to detect disk usage details
  • Customize this function for different operating systems

Key Insights About Information Collection

  • Feasibility: How much information can we collect?
  • Automation: Can we automate information collection?
  • Accuracy: Can we ensure that the information is accurate?
  • Security: Can we manage it without security compromises?

Even though system data can be automatically collected through scans, proper data collection and management is critically important!

Once a system’s vulnerability is known, how do we share details and prevent attacks?

  • CVEs: Common Vulnerabilities and Exposures
  • CVSS: Common Vulnerability Scoring System
  • Responsible disclosure of security vulnerabilities

Understanding CVEs

  • CVE: Common Vulnerabilities and Exposures
  • Purpose: Identify and catalog vulnerabilities in software and firmware
  • Format: CVE-YYYY-NNNN (e.g., CVE-2023-12345)
  • Database: Managed by MITRE Corporation
  • Usage: Helps organizations prioritize and address vulnerabilities
  • Important Questions:
    • MITRE and the disclosing company may decide to embargo a CVE! Why is this important in the computer security field?
    • What are the overall benefits of recording and disclosing CVEs?

Understanding CVSS

  • CVSS: Common Vulnerability Scoring System
  • Purpose: Standardized method for rating vulnerability severity
  • Range: Values range from 0.0 to 10.0
  • Interpretation: None, Low, Medium, High, Critical
  • Important Questions:
    • How can organizations use CVSS to prioritize their work?
    • What are the overall benefits of scoring a vulnerability?
    • How can we ensure that the CVSS score is accurate?

Vulnerability Management Review

Key Concepts

Managing Security

  • Asset identification
  • Vulnerability detection
  • Risk evaluation

Evaluation Metrics

  • Efficiency of scans
  • Accuracy of results
  • Security of stored secrets

Best Practices

Implementation

  • Use secret scanning tools
  • Update detection patterns
  • Automated data collection

Exploration

  • Evaluate scanning tool options
  • Ensure scanning effectiveness
  • Adapt to new types of secrets

Security Synapse