Cleaned up Literature folder

Corpus/Information Security/Dealing with a reported application vulnerability.md

@@ -0,0 +1,48 @@
+# Dealing with a reported application vulnerability
+# Context
+A vulnerability in a widely used open source library is published.
+
+This is based on the Log4j vulnerability, december 2021, [CVE-2021-44228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228)
+
+Log4j is a Java library maintained by the Apache Foundation, and the most popular logging library for Java.
+
+The vulnerability is: user input containing JNDI Lookups is allowed, will be logged and evaluated, making an RCE attack possible. Disabling logging, while as a rule undesirable, plugs the hole.
+Source: https://logging.apache.org/log4j/2.x/
+
+This vulnerability allows an attacker to run commands from a web server, unauthenticated (i.e. without needing to login).
+
+# Steps
+
+## 1. Identifying exposure
+- search your source code repositories for the name of the library
+- use dependency tools (also called Software Composition Analysis or SCA) to identify indirect use of the affected library , like GitHub's dependencyGraph, Snyk,[OWASP Dependency-Check](https://owasp.org/www-project-dependency-check/), White source, etc.
+- not all versions may be affected, so check which version of the library you are using
+- find out if you are actually deploying the code that uses the vulnerability; if not, mark the code as "do not deploy". If it has, find out where.
+
+## 2. Stopping the gap
+- If the vulnerability is deployed behind a Web Application Firewall (WAF) or Content Delivery Network (CDN), or if you are using Runtime Application Self-Protection (RASP), add the rules your vendor provides to prevent RCE. 
+- If your vendor doesn't have rules available, search for them on the internet or write regex that blocks the attack. 
+- Monitor to make shure it's working.
+- Update/patch the library containing the vulnerability as soon as it becomes available. 
+
+## 3. If you can't stop the gap
+Do an impact analyses and identify a treatment:
+- Option 1: Accept the Risk, keep monitoring the situation, spend your efforts on releasing the upgraded version of your software a.s.a.p.
+- Option 2: Avoid the risk, by shutting down the vulnerable systems immediately — In this example (log4j), stop logging temporarily. 
+- Option 3: Mitigate the risk, by going through your code base, remove the dependency and comment out the code that calls it (uncomment it when the upgrade/patch has been applied). 
+
+
+## Relevant ISO 27001 controls
+The main control of interest here is [ISO 27001 A 12.6.1 Management of technical vulnerabilities](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.6.1%20Management%20of%20technical%20vulnerabilities.md), which ensures timely awareness of vulnerabilities through [ISO 27001 A 6.1.4 Contact with special interest groups](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%206.1.4%20Contact%20with%20special%20interest%20groups.md), evaluation of an organization’s exposure, and having set [ISO 27001 A 16.1.1 Responsibilities and procedures](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2016.1.1%20Responsibilities%20and%20procedures.md) to enable a quick and effective response.
+
+Stopping the gap:
+- [[ISO 27001 A 13.1.1 Network controls]]
+- [[ISO 27001 A 13.1.2 Security of network services]]
+- [ISO 27001 A 12.5.1 Installation of software on operational systems](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.5.1%20Installation%20of%20software%20on%20operational%20systems.md)
+
+Preventative measures:
+- [ISO 27001 A 12.6.2 Restrictions on software installation](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2012.6.2%20Restrictions%20on%20software%20installation.md)
+- [[ISO 27001 A 14.1.1 Information security requirements analysis and specification]]
+- [[ISO 27001 14.2.1 Secure development policy]]
+- [[ISO 27001 A 14.2.7 Outsourced development]]
+- [ISO 27001 A 18 Compliance](../Standards/ISO27x/legacy/ISO%2027001%202013/ISO%2027001%20A%2018%20Compliance.md) of systems