Today there is likely no software project without some form of external libraries, dependencies, open source or whatever you want to call it. But how do you make sure you import healthy dependencies, which do not introduce vulnerabilities and risk into your software? The explosion of open source The amount of open source or other third party code used in a software project is often estimated as 60-90% of the total codebase. The total number of public repositories exceed 100M in 2018 according to GitHub. According to our own findings, practically all companies developing software use open source, third party components or dependencies to varying degrees. Let’s call them dependencies from now. More often than not, hundreds of dependencies are used. This adds a new dimension to software development in that security issues in such code will affect the products in similar ways as issues in the in-house developed code.…

The terms threat, vulnerability and weakness are often used in cybersecurity. Understanding the difference between these terms is important. It allows organizations to correctly implement, document and assess their cybersecurity activities and controls. Here, we take a closer look at security weaknesses. While threat and vulnerability have rather clear definitions in cybersecurity, this is not the case for a weakness. Commonly used glossaries, such as RFC 4949 and the NIST glossary do not define the term weakness. On the other hand, it is very often used as part of the vulnerability definition. A vulnerability is a weakness that can be exploited by an attacker. Thus, a weakness is an error, typically in the software code, that might lead to a vulnerability. This happens when it can be exploited. Software weaknesses are often discussed and defined in the context of the Common Weaknesses Enumeration (CWE). This is a “community-developed list of…

The terms threat, vulnerability and weakness are often used in cybersecurity. Understanding the difference between these terms is important. It allows organizations to correctly implement, document and assess their cybersecurity activities and controls. Here, we take a closer look at security threats. Defining a security threat Looking in the literature, we can find several definitions of the term. Two rather short and concise can be found in documents from IETF and NIST. In RFC 4949, IETF defines a threat as A potential for violation of security, which exists when there is an entity, circumstance, capability, action, or event that could cause harm.RFC 4949 NIST, in SP800-160, defines it as An event or condition that has the potential for causing asset loss and the undesirable consequences or impact from such loss.NIST SP800-160 Cyber threats are sometimes incorrectly confused with vulnerabilities. Looking at the definitions, the keyword is “potential”. The threat is…

The terms threat, vulnerability and weakness are often used in cybersecurity. Understanding the difference between these terms is important. It allows organizations to correctly implement, document and assess their cybersecurity activities and controls. Here, we take a closer look at vulnerabilities. Defining a vulnerability The United Nations, defines a vulnerability as “…the inability to resist a hazard or to respond when a disaster has occurred”. United Nations This is a very general definition and is not restricted to cybersecurity. We can see it as a property of an asset that makes it susceptible to damage. This property can be inherent in the design. It can also be a result of tradeoffs that have to be made, or it can be the result of actual design mistakes. Let us look at the more specific case of (cyber)security vulnerabilities. There are several different, but often similar, definitions in the literature. We look…

Random number generation Random numbers are used in a plethora of cryptographic applications. A random number generator (RNG) is a device that generates a sequence of numbers such that they can not be predicted better than guessing. There are two different types of random number generators — pseudo-random number generators (PRNGs) and true random number generators (TRNGs). A PRNG is a deterministic algorithm that produces seemingly random numbers. It needs a seed as an initial value, and will produce the same “random” sequence for a fixed seed. Applications such as games, simulations, and cryptography use such generators. A TRNG is a device that generates truly random numbers. In contrast to a deterministic algorithm, a TRNG utilizes physical processes, such as thermal noise (utilized in the RPG100 circuit), quantum phenomena, and so on. A PRNG is much faster than a TRNG, hence it is common to generate a seed using a…

Vulnerabilities in JWT libraries JSON Web Tokens (JWTs) are commonly used for authorization purposes, since they provide a structured way to describe a token which can be used for access control. However, JWT libraries may contain flaws, and must be used in the correct way. The Capture the Flag event co-organized by Debricked at Lund University included examples of this problem. JWTs are protected with either a digital signature or an HMAC, such that their contents cannot be manipulated. This makes them very useful in distributed or state-less scenarios, where the token may be issued by one entity, and then verified by another. Because of the integrity protection, the verifying party can be sure that the token has not been manipulated since it was issued. A JWT consists of three parts: header, payload, and signature. The header and payload are both JSON objects, while the format of the signature part…

The problems with repeated keystream in stream ciphers Repeated keystream can sometimes be devastating when using stream ciphers. The Capture the Flag event co-organized by Debricked at Lund University included examples of this problem. Stream ciphers try to mimic the One Time Pad (OTP), but without the inherent drawbacks of a cipher that requires a key the size of the plaintext. Instead, the stream cipher expands a short key (80-256 bits) to a long sequence through the use of a keystream generator. The keystream generator outputs keystream bits (or words) based on the value of an internal state, a key and an initialization vector (IV). The exact definition of this function varies between stream ciphers and often the key and IV is only used to initialize the internal state. The output then only depends on the current internal state. The goal of an attack could be to either compute the…

CTF-Event with Lund University Debricked, in cooperation with the Department of Electrical and Information Technology, Lund University, hosted a Capture the Flag (CTF) competition for students at the university. The event attracted more than 50 students from 8 different programs, forming in total 17 teams. The evening consisted of food, beverages, snacks, but most importantly cybersecurity related challenges for the students to dive into and solve. The challenges were tailored to be suitable for both beginners and for more experienced people and all teams managed to solve at least some problems. The CTF was given in jeopardy style, where the groups could choose from a collection of different challenges. The challenges covered well known CTF topics, including cryptography, reverse engineering, pwning, web security and a miscellaneous category. The latter had challenges such as lockpicking, password attacks and hardware security. After a short presentation and walkthrough of rules and hints, the…

Debricked has received 800.000 SEK from Vinnova for building a prototype that will improve management and understanding of vulnerabilities in third party code. The prototype will use Debricked’s vulnerability database, extend it and provide value creation in several important aspects. Some examples include visualization and comparison of a large number of products and releases, analysis of device configuration, and APIs for collecting device information. In addition to this, Debricked will also participate in HATCH, a Lund University project that aims to better understand how vulnerability information is communicated in the value chain.

Debricked AB is a spin off company from a research project coordinated by Lund University, Sweden. The project’s main goal was to develop, implement and evaluate processes and tools for handling vulnerabilities in third party software components. This is related to the well known area of software component analysis (SCA). Debricked takes some of the research results, extends and improves them, and offers them to the market. Security is not a tool or a practice that can be applied once with the hope of solving all past, current, and future problems. Debricked strongly believes that secure products can only be acheived by increasing awareness in all parts of an organizations, have well defined policies and activites for working with security, and on top of that have tools that are used to make the security process more efficient, accurate, and complete. Many companies are today left with the option to use…