AppSecCali 2019 - Behind the Scenes: Securing In-House Execution of Unsafe Third-Party Executables
So you want to run FFmpeg, ImageMagick, or any other third-party processing library inside your production environment, and still hope for a good night's sleep?
In-house third-party code execution has its own unique set of security challenges. One cannot help but wonder how the "ImageTragick" bug became so infamously widespread, affecting the production security posture of so many enterprises worldwide.
Historically, such third-party libraries have been subject to several critical security-impacting vulnerabilities, including but not limited to remote code execution attacks. When coupled with untrusted user-provided input, execution of such dangerous executables becomes a nightmare for security teams to secure thoroughly.
As in-house execution of untrusted code becomes more prevalent, a secure-by-design framework is necessary to help guide organizations in safeguarding their production security posture. In this talk, I would like to present a framework that was conceived on the basis of security best practices and defense-in-depth principles, and that can be leveraged to secure third-party code execution environments.
Mukul Khullar
Staff Security Engineer, LinkedIn
Mukul Khullar is a security researcher with over 9 years of industry experience, primarily focused on application security and penetration testing. At LinkedIn, Mukul holds the Staff Security Engineer title and is responsible for identifying vulnerabilities and security design flaws.
-
Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...