Security Bsides Las Vegas 2024

101 Things Your Application is Doing Without Your Knowledge
2024-08-07, Florentine F

Every time you bring code you didn't write into your application, you're possibly introducing behavior you weren't expecting. Even using well-known and battle-tested dependency libraries, your application might be opening files and making network connections without your knowledge. Come hear about some crazy hidden things we've seen applications doing, and how you can learn what yours are doing as well.


The days of a company writing every single line of code in an application are over. Developers frequently bring in dependency modules to fulfill non-core business tasks; for example, why write a logging subsystem from scratch when you can choose from a hundred or more drop-in implementations? Importing third-party modules comes with risk, however. How many teams take the time to review each imported module for security risks? How many teams take the time to ascertain whether the module has basically correct functionality?

Analyzing a dependency's behavior by monitoring what the application does at runtime can reveal things you may not realize are occurring. For example, we’ve witnessed a popular dashboarding/graphing component connecting to over 40 IP addresses at startup, and yet nothing in the application’s documentation mentions this behavior. We’ve also seen dependencies performing recursive readdir() operations across the entire filesystem at startup. Why would applications need to do this?

This talk will cover some of the crazy things we’ve seen applications doing and how we came to be aware they were doing these things. We’ll talk about tools you can use to learn what your applications are doing behind the scenes, too.
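The runtime analysis the abstract describes works by watching the operations a process actually performs (file opens, directory listings, outbound connections) and attributing each one to the code that issued it. As an added illustration, not code from the talk or from Deepfactor, the following Python recorder uses CPython's `sys.addaudithook` (Python 3.8+) to log those events with their calling module and function, and to refuse any `connect()` to a host outside a constructed allow list. The `noisy_startup` function is a constructed stand-in for a dependency's undocumented startup behaviour; `ALLOWED_HOSTS`, `watch` and the `192.0.2.10` endpoint (a documentation-only address that never leaves the machine) are assumptions of this example. For compiled dependencies or non-Python services, an OS-level tracer such as strace or an eBPF probe fills the same role.

```python
import os
import socket
import sys
from collections import defaultdict

# Added example (not from the talk or Deepfactor): a small runtime recorder
# built on CPython's sys.addaudithook (Python 3.8+). It logs which code
# triggered file, directory-listing and network events and refuses outbound
# connections to hosts that are not on an allow list, so a dependency's
# undocumented startup behaviour becomes visible instead of silent.

# CPython audit event names this recorder cares about.
WATCHED = {"open", "os.scandir", "os.listdir", "socket.connect"}

# Constructed allow list: only loopback connections are permitted.
ALLOWED_HOSTS = {"127.0.0.1", "::1"}

# event name -> list of (path or host, calling module, calling function)
observed = defaultdict(list)


class BlockedConnection(RuntimeError):
    """Raised from the hook to abort a connect() the policy does not allow."""


def _record(event, args):
    # Check WATCHED first: sys._getframe itself raises an audit event, so the
    # hook re-enters once per call and this early return keeps that cheap.
    if event not in WATCHED:
        return
    frame = sys._getframe(1)  # the Python frame that performed the call
    caller = (frame.f_globals.get("__name__", "?"), frame.f_code.co_name)
    if event == "socket.connect":
        _sock, address = args  # documented args: (self, address)
        host = address[0] if isinstance(address, tuple) else str(address)
        observed[event].append((host, *caller))
        if host not in ALLOWED_HOSTS:
            # Raising inside a hook aborts the operation before any packet.
            raise BlockedConnection(f"connect to {host} refused by policy")
    else:
        path = args[0] if args else None
        observed[event].append((str(path), *caller))


sys.addaudithook(_record)  # hooks cannot be removed once installed


def noisy_startup(scan_root, endpoint):
    """Constructed stand-in for a dependency's import-time side effects:
    lists a directory nobody asked it to read, then phones home."""
    with os.scandir(scan_root) as it:
        names = sorted(entry.name for entry in it)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(0.5)
        sock.connect(endpoint)
    except OSError:
        pass  # a real module would swallow a failed connect just as quietly
    finally:
        sock.close()
    return names


def watch(fn, *args):
    """Run fn under the hook; return the events it caused and any block."""
    start = {k: len(v) for k, v in observed.items()}
    blocked = None
    try:
        fn(*args)
    except BlockedConnection as exc:
        blocked = str(exc)  # the dependency only catches OSError, so this surfaces
    report = {}
    for event, entries in observed.items():
        new = entries[start.get(event, 0):]
        if new:
            report[event] = new
    return report, blocked


if __name__ == "__main__":
    # Permitted loopback endpoint: the connect attempt is logged but allowed.
    report, blocked = watch(noisy_startup, ".", ("127.0.0.1", 9))
    print("allowed run:", report, "blocked:", blocked)
    # Off-policy endpoint (TEST-NET-2, never routed): refused by the hook.
    report, blocked = watch(noisy_startup, ".", ("192.0.2.10", 443))
    print("blocked run:", report, "blocked:", blocked)
```

The report lists, per event, what was touched and the module and function that touched it, which is exactly the attribution needed to find the dependency behind a surprise `readdir()` sweep or an unexpected connection. Because a raising hook aborts the operation, the same mechanism doubles as an enforcement point once the expected behaviour is known.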

Takeaways:
At the end of this talk, the audience will have a better understanding of the types of “hidden” behavior that applications commonly exhibit, how to discover which of these behaviors are present, and how to find the module/dependency causing the behavior.

Outline:
- Examples of third-party code modules that can easily and covertly introduce risk into an app
- Why it’s important to review each imported module for risks and ascertain if each module has basically correct functionality.
- What is runtime analysis and why is it important?
- Real-world examples of the crazy things we’ve seen applications doing and how we only became aware during runtime. For example:
  - A popular dashboarding/graphing component is connecting to over 40 IP addresses at startup, and yet nothing in the application’s documentation mentions this behavior.
  - Dependencies performing recursive readdir() operations across the entire filesystem at startup. Why would applications need to do this?

Mike Larkin is CTO and co-founder of Deepfactor, Inc. Mike is also a contributor to OpenBSD, working on hypervisors, low-level platform code, and security. Mike is also an adjunct faculty member at San Jose State University, where he teaches application security technologies and virtualization.
