# Vulnerability Reachability Analysis Using OSS Tools
NOTE: The following will be in effect and mandatory for this meeting venue.
- RSVPs will close at 11:59 PM PT on April 22nd, so kindly submit your RSVP by then. Walk-ins will not be permitted.
- Google Security mandates that RSVPs include your full name (in Meetup settings) and that you bring your ID, which will be checked at the entrance to match your RSVP.
- If your first and last name do not appear in our admin view, we will contact you.
- Alternatively, feel free to reach out directly or email us at orange-county-leaders@owasp.org to provide that information.
Parking
Park in the public garage structure next to the building. We will be providing paid tickets for exiting the garage.
Live Stream
Stream us live on Twitch: http://twitch.tv/owaspoc
Please change your RSVP to "No" if you can't make it and will join via livestream instead.
Abstract
New vulnerabilities are disclosed every day in dependencies that you or your team may be using. But how do you know if you are actually using the vulnerable code? This talk will show you how to use two different types of tools to analyze reachability – deciding if the vulnerability needs to be prioritized based on your own code usage.
Workshop Overview:
The workshop will be broken into several modules. Introductory modules will cover the workshop organization and administrative matters (installing and configuring the tools used in the workshop). Subsequent modules will outline what vulnerability reachability is and why it is important, and will compare and contrast the two main ways of understanding reachability (static call graphs and runtime analysis).
Next, the workshop will present two short exercises intended to give attendees hands-on experience using both types of tools against real applications with real vulnerabilities. Interpreted languages (Java) and compiled languages (C/C++/Go) will be covered. The following module will then walk through how to interpret the results obtained from the exercises and draw conclusions. The languages chosen are merely representative; the skills learned in the workshop apply equally to other languages.
The workshop will conclude with two modules which will present a short overview of commercial tools and a conclusion/wrap-up/Q&A session.
Workshop Outline:
I. Overview (10 minutes)
A. Workshop organization
B. About the tools and sample applications
1. What are the tools and applications we are going to use?
C. Obtaining/installing the tools and sample applications
1. Cloning from the GitHub repo
D. Goals of the workshop (what you will learn)
1. Be able to understand the importance of vulnerability reachability and how it helps prioritize remediation strategy
2. Become familiar with some of the tools available to help with vulnerability reachability
3. Learn where you can reach out to for more help in these areas after the completion of the workshop
II. Types of reachability analysis (10 minutes)
A. Static analysis / call graphs
1. What is a call graph?
2. What information does a call graph provide to you?
B. Runtime analysis
C. Language and environment considerations
1. Things to consider when choosing a reachability analysis solution
a. Types of applications being analyzed (COTS vs self-written)
b. Availability of source code
c. Robustness of test environment
III. Static call graph analysis exercise (20 minutes)
A. Using static call graph analysis in IntelliJ/Eclipse to analyze a Java application
B. Using Go callgraph to analyze a Go application
C. How to correlate a call graph with an SBOM
IV. Dynamic/runtime analysis exercise (20 minutes)
A. Using a Java agent to analyze runtime reachability in a running Java application
B. Using valgrind/KCacheGrind to analyze a running C/C++ application
C. How to correlate runtime analysis with an SBOM
V. Results comparison (10 minutes)
A. Using the results of each exercise to determine if vulnerable code was used
1. How to use the output of each tool to understand what vulnerabilities need to be prioritized
B. Benefits and limitations of each approach
VI. Conclusion & Q&A (20 minutes)
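As an added illustration of the static check in modules III.B and III.C (not part of the workshop materials): parse call-graph edges, walk them from the program's entry point, and keep only the advisory-flagged symbols that are actually reachable. The one-edge-per-line format, the module paths and the flagged symbols are constructed assumptions for this example.

```go
package main

import (
	"fmt"
	"strings"
)
// ParseDigraph reads one "caller callee" edge per line (assumed to match
// `callgraph -format=digraph` output) into an adjacency list.
func ParseDigraph(text string) map[string][]string {
	g := make(map[string][]string)
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			g[f[0]] = append(g[f[0]], f[1])
		}
	}
	return g
}
// Reachable walks the graph breadth-first from the roots (e.g. main.main).
func Reachable(g map[string][]string, roots []string) map[string]bool {
	seen := make(map[string]bool)
	queue := append([]string(nil), roots...)
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if seen[cur] {
			continue
		}
		seen[cur] = true
		queue = append(queue, g[cur]...)
	}
	return seen
}
// ReachableVulns keeps only the advisory/SBOM-flagged symbols our own code can reach.
func ReachableVulns(digraph string, roots, vulnSymbols []string) []string {
	seen := Reachable(ParseDigraph(digraph), roots)
	var hit []string
	for _, s := range vulnSymbols {
		if seen[s] {
			hit = append(hit, s)
		}
	}
	return hit
}
// Constructed sample: Decode is reachable from main, Exec is present but never called.
const SampleGraph = `main.main example.com/app.Run
example.com/app.Run github.com/dep/codec.Decode
github.com/dep/codec.Exec github.com/dep/codec.readHeader`
func main() {
	fmt.Println(ReachableVulns(SampleGraph, []string{"main.main"}, []string{"github.com/dep/codec.Decode", "github.com/dep/codec.Exec"})) // [github.com/dep/codec.Decode]
}
```

A symbol that is flagged but unreachable still belongs in the SBOM record; the point is that it drops down the remediation priority list rather than off it.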
Schedule:
6:00pm - 6:30pm Networking, Food & Drinks
6:30pm - 8:00pm Presentation