
there are bugs in all

kinds of software

many written by enthusiasts

in their spare time as non-profit

lack of proper management

and funds in community-driven

products

still insufficient interest of

security researchers

<form method="post" enctype="multipart/form-data" action="https://www.bank.com/login">

<input type="hidden"

name="multipartRequestHandler.servlet.servletContext.attribute(org.apache.struts.action.MODULE)"

value="exe" />

<input type="submit" value="DIE !!!">

</form>

POST https://www.bank.com:443/login HTTP/1.1

Host: www.bank.com

Content-Type: multipart/form-data; boundary=---------------------------437802734279294578219753573

Content-length: 255

-----------------------------437802734279294578219753573

Content-Disposition: form-data; name="multipartRequestHandler.servlet.servletContext.attribute(org.apache.struts.action.MODULE)"

exe

-----------------------------437802734279294578219753573--

Why do the developers like Expression Languages?

before:

<%=HTMLEncoder.encode(((Person)person).getAddress().getStreet())%>

after:

<c:out value="${person.address.street}"/>

Timeline

May 31st - email to security@struts.apache.org with vulnerability report.

June 4th - no response received, contacted developers again.

June 5th - had to find an XWork developer on IRC to look at this.

June 16th - Atlassian fixes vulnerability in its products. Atlassian and Struts developers worked together in coming up with the fix.

June 20th - 1-line fix committed

June 29th - Struts 2.2.0 release voting process started and is still going...

Fri Aug 20 2010: Struts2 team finally released 2.2.1 on Aug 16th (2.5 months to release fixed version!).

http://blog.o0o.nu/2010/07/cve-2010-1870-struts2xwork-remote.html

At last - whitelist for allowed chars:

// Allowed names of parameters

private String acceptedParamNames = "[a-zA-Z0-9\\.\\]\\[\\(\\)_'\\s]+";
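To see what this character whitelist does and does not stop, here is an added Python re-implementation of the check (my example, not Struts code): the regex is the one from the slide, the `excluded` patterns mimic the `excludeParams` setting mentioned elsewhere in this deck, and the sample parameter names are the ones quoted in this presentation. A name built only from letters, dots and parentheses, such as `class.classLoader.somethingScary()`, passes the character filter; stopping it depends on the separate rule that setting a parameter must never invoke methods.

```python
import re

# Character whitelist for parameter names, copied from the Struts/XWork
# ParametersInterceptor line above (Java string literal -> Python raw regex).
ACCEPTED_PARAM_NAMES = re.compile(r"[a-zA-Z0-9\.\]\[\(\)_'\s]+")


def acceptable_name(name, excluded=()):
    """Mirror of the interceptor's decision: the whole name must consist of
    whitelisted characters and must not match any excludeParams pattern.
    `excluded` is a tuple of regex strings; Struts ships it empty by default."""
    if ACCEPTED_PARAM_NAMES.fullmatch(name) is None:
        return False
    return not any(re.fullmatch(pattern, name) for pattern in excluded)


# Parameter names discussed in the presentation, plus an ordinary one.
SAMPLES = {
    "user.name": "ordinary bean property",
    "session.somekey": "reaches the session map (WW-2264)",
    "('\\u0023' + 'session[\\'user\\']')(unused)": "XW-641 context bypass",
    "@System@exit(1)": "static method call (WW-434)",
    "class.classLoader.somethingScary()": "method call through class (WW-434)",
}


def classify(excluded=()):
    """Verdict of the whitelist (plus optional excludes) for every sample."""
    return {name: acceptable_name(name, excluded) for name in SAMPLES}


# Constructed excludeParams entry: refuse anything addressing the session map.
HARDENED_EXCLUDES = (r"session\..*",)

if __name__ == "__main__":
    for name, verdict in classify(HARDENED_EXCLUDES).items():
        print("%-7s %s  (%s)" % ("accept" if verdict else "reject", name, SAMPLES[name]))
```

Running it shows the two payloads with `\`, `+` and `@` rejected by the character class, while `class.classLoader.somethingScary()` is accepted; the hardened exclude list is what turns `session.somekey` into a rejection.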

framework

security

app

development

server upgrades

Balance the risk right

Note: not all vulnerabilities' details are made public, even after the fix is released.

  • What is the scope of the assessment? Note that a configuration review or penetration test will in most cases miss it. Even source code analysis could miss it.

  • Is there manpower involved, or is it just an automatic scanner? Even commercial static code analysis with sophisticated tools may not cover the problem.

  • A blackbox approach is not advisable

From my experience: it may take YEARS.

Do not hesitate to ask your developers about it.

https://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex

VULNERABILITY EXPOSURE TIME INTERVAL

Acceptance tests

Assessments

Server upgrades are not enough.

You do have to care about your application,

even if there are no changes in its code.

Remember, that keeping track of external libraries' security

is a task very prone to human error, and often unfairly forgotten.

BUT HOW CAN WE ASSURE THIRD PARTY CODE…

Almost all software projects use a significant amount of third party code, such as libraries, frameworks, and products. This code is just as important from a security perspective as custom code developed specifically for your project. We believe that the responsibility for ensuring the security of this [external] code is best borne by Developer, although they may not have the full capability themselves to guarantee this security. However, security must be a part of the "build or buy" decision, and this seems like the best way to encourage that.

Developer, of course, has the option of passing this responsibility through to the providers of third party software. Developer can also analyze the third party code themselves, or hire security experts to analyze it for them.

Fix released

Go Live!

Fix applied by

developers

App developers notified

about the problem

Public disclosure

of security vulnerability

in framework

they all do take care of security, don't they?

But, is the 3rd party libraries security directly mentioned and properly dealt with?

Risk?

OWASP Secure Software Contract Annex

Maintaining applications

Compliance, procedures...

App Owners

to improve the security?

And what would

YOU do

<Agenda>

Web Application Frameworks

Summary

What are they?

How do they help?

Why are they so common?

No Man's Land

To know there is a problem, is the first step to resolve it.

Vulnerabilities

Why are they here?

Some interesting examples.

Fix timelines.

Real life

No Man's Land

Critical applications are written in J2EE with extensive help from frameworks, which take care

of the most crucial security components.

Frameworks are complex pieces of code, not always written to industry standards, and thus prone to errors.

There are many vulnerabilities, from simple XSS to remote code execution.

Dealing with these vulnerabilities may be easily overlooked, or simply fall beyond the duties of everyone

involved in application maintenance. So the fix timeline from public disclosure to the production release

of the application may be very long. During this time the application is exposed to a serious risk of attack.

Everyone involved in application maintenance can do something to improve the situation.

But the group most suited to deal with the problem at its roots is the Developers.

But they have to overcome their limits, and perhaps cooperate with some security professionals.

Developers

Admins

Pentesters

Application owners

What can we do?

Vulnerabilities in J2EE frameworks

How can we probe for

specific vulnerabilities?

BTW, note that not all vulnerabilities are in CVE, BID or other databases.

Even if they are, sometimes they do get there delayed.

Consult Jira entries on specific vulnerabilities,

search the net...

You can try some Expression Language Injections:

${1+1}

%{1+1}

Remember to check manually external libraries for known vulnerabilities!

If you have a complete filesystem listing, in some cases it also contains the deployed applications' contents.

Configuration review

Source code analysis

Penetration tests

Try to suggest whitebox. If not possible,

there are some tricks for blackbox

  • Specific URL paths, for example

".do" extension in old Struts 1 applications

.action

!action

  • Specific parameter names, for example org.apache.struts.taglib.HTML.token

  • Application behaviour.

  • ... and a lot more. It would take another presentation ;)

How can we know if there is

given framework used?

Sławomir Jasek

Their job is to maintain servers

Security: they do upgrade & harden operating system components, web application servers, http servers, database servers...

slawomir.jasek@securing.pl

web application is just a war/ear bundle to deploy

peeking at the application's entrails is just beyond their competence

and the framework code is bundled within the application package, as a jar library

OWASP Poland Local Chapter Meeting, 18.01.2012, Kraków

ASVS does cover it in L2.2, 3.2...

L2.2 The scope of the verification includes the code for all third-party framework, library, and service security functionality that is invoked by or supports the security of the application. This is a new requirement at Level 2.

Communicate to your client clearly

what is in the scope of the contract.

And in bold communicate what is not.

Scope of the assessment

Admins

J2EE frameworks

in

Vulnerabilities

Pentesters

Why will we focus on J2EE?

Java 2 Enterprise Edition is the most common platform for

high-availability business applications

Why

source: Veracode State of Software Security Report Volume 4, Dec 2011

examples

The chart illustrates software whose owners are willing to pay for static code analysis.

We can safely assume these applications are highly important.

And most probably it is not just compliance-driven.

jar tvf roller-5.0.0-tomcat.war WEB-INF/lib

0 Sun May 08 15:05:40 CEST 2011 WEB-INF/lib/

118483 Wed Apr 28 23:42:28 CEST 2010 WEB-INF/lib/commons-beanutils-1.6.jar

69300 Wed Apr 28 23:42:44 CEST 2010 WEB-INF/lib/spring-security-core-2.0.5.RELEASE.jar

136446 Wed Apr 28 23:42:22 CEST 2010 WEB-INF/lib/tiles-core-2.1.4.jar

772997 Sun Jan 30 14:06:02 CET 2011 WEB-INF/lib/struts2-core-2.2.1.jar

65261 Wed Apr 28 23:33:10 CEST 2010 WEB-INF/lib/oro-2.0.8.jar

220277 Wed Apr 28 23:36:12 CEST 2010 WEB-INF/lib/rome-1.0.0.jar

4075943 Mon Feb 21 20:17:50 CET 2011 WEB-INF/lib/openjpa-2.0.1.jar

284773 Wed Apr 28 23:43:18 CEST 2010 WEB-INF/lib/xmlsec-1.3.0.jar

144541 Wed Apr 28 23:43:06 CEST 2010 WEB-INF/lib/openxri-client-1.2.0.jar

488282 Wed Apr 28 23:42:36 CEST 2010 WEB-INF/lib/spring-beans-2.5.6.jar

361107 Wed Apr 28 23:43:26 CEST 2010 WEB-INF/lib/openid4java-nodeps-0.9.5.jar

12851 Sun May 08 15:02:58 CEST 2011 WEB-INF/lib/roller-core-5.0.0.jar

34407 Wed Apr 28 23:37:46 CEST 2010 WEB-INF/lib/ws-commons-util-1.0.2.jar

984708 Sun May 08 15:05:32 CEST 2011 WEB-INF/lib/roller-weblogger-web-5.0.0.jar

285491 Wed Apr 28 23:42:40 CEST 2010 WEB-INF/lib/spring-core-2.5.6.jar

31825 Wed Apr 28 23:42:18 CEST 2010 WEB-INF/lib/commons-fileupload-1.1.jar

129775 Wed Apr 28 23:43:20 CEST 2010 WEB-INF/lib/spring-dao-2.0.6.jar

3233439 Wed Apr 28 23:43:06 CEST 2010 WEB-INF/lib/icu4j-3.4.4.jar

are there vulnerabilities

in frameworks

it is not hard - war/ear is just a zip file,

and libraries' versions are in filenames

?
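Since a war is a zip file and library versions sit in the jar filenames, the inventory can be scripted. The following is an added Python example (not part of the presentation): it builds a throwaway war in memory from the jar names listed above, extracts artifact and version pairs, and compares them against a constructed advisory table with a single entry (struts2-core fixed in 2.3.1, the December 2011 release named elsewhere in this deck). The table, the filename regex and the version comparison are my assumptions; real advisories carry more precise affected ranges.

```python
import io
import re
import zipfile

# Jar names copied from the `jar tvf` listing above (sizes and dates dropped).
SAMPLE_JARS = [
    "commons-beanutils-1.6.jar", "spring-security-core-2.0.5.RELEASE.jar",
    "tiles-core-2.1.4.jar", "struts2-core-2.2.1.jar", "oro-2.0.8.jar",
    "rome-1.0.0.jar", "openjpa-2.0.1.jar", "xmlsec-1.3.0.jar",
    "openxri-client-1.2.0.jar", "spring-beans-2.5.6.jar",
    "openid4java-nodeps-0.9.5.jar", "roller-core-5.0.0.jar",
    "ws-commons-util-1.0.2.jar", "roller-weblogger-web-5.0.0.jar",
    "spring-core-2.5.6.jar", "commons-fileupload-1.1.jar",
    "spring-dao-2.0.6.jar", "icu4j-3.4.4.jar",
]

# Constructed advisory table: artifact -> first version carrying the fix.
# The single entry follows the deck (Struts 2.3.1 released Dec 2011 with
# bulletin S2-008); populate it from real advisories in practice.
FIXED_IN = {"struts2-core": "2.3.1"}

# artifact-name-1.2.3.jar  ->  artifact "artifact-name", version "1.2.3"
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.]*)\.jar$")


def build_sample_war():
    """Constructed in-memory war with empty jars under WEB-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in SAMPLE_JARS:
            war.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()


def version_key(version):
    """Numeric prefix of a version string: '2.0.5.RELEASE' -> (2, 0, 5)."""
    key = []
    for part in version.split("."):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def inventory(war_bytes):
    """Map artifact -> version for every jar under WEB-INF/lib."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for member in war.namelist():
            if not member.startswith("WEB-INF/lib/") or not member.endswith(".jar"):
                continue
            m = JAR_NAME.match(member.rsplit("/", 1)[1])
            if m:
                found[m.group("artifact")] = m.group("version")
    return found


def outdated(war_bytes, fixed_in=FIXED_IN):
    """Artifacts bundled in a version older than the advisory's fixed version."""
    libs = inventory(war_bytes)
    return {a: (v, fixed_in[a]) for a, v in libs.items()
            if a in fixed_in and version_key(v) < version_key(fixed_in[a])}


if __name__ == "__main__":
    for artifact, (have, need) in outdated(build_sample_war()).items():
        print("%s: bundled %s, fixed in %s" % (artifact, have, need))
```

Point the `inventory` function at a real war by reading the file's bytes; the disclaimer from the deck still applies, a vulnerable library in WEB-INF/lib is a finding to investigate, not proof that the application is exploitable.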

XSS

A few popular web application

frameworks

Maybe we could manage security updates just like

any other, system libraries?

complexity

focus on features

Struts

Insecure object

reference

Is it possible to export external libraries from application bundle into server environment?

It is partly possible with frameworks being part of official EE specification (e.g. JSF).

But in most cases, unfortunately, no.

  • it is usually not possible to simply upgrade external library without breaking the application
  • some functionality may be hardcoded in application
  • I have heard rumors of one such solution, but it was an "exception that proves the rule"
  • maybe it would be possible to dispatch some libraries, but with whole framework it is more complicated
  • who would take responsibility for upgrade testing? Admins?
  • who knows, frameworks may include such feature in the next years? But will the developer guarantee it will always work, anyway?

CVE-2005-3745

Cross-site scripting (XSS) vulnerability in Apache Struts 1.2.7, and possibly other versions

CVE-2006-1548

Cross-site scripting (XSS) vulnerability in (1) LookupDispatchAction and possibly (2) DispatchAction and (3) ActionDispatcher in Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to inject arbitrary web script or HTML via the parameter name, which is not filtered in the resulting error message.

CVE-2008-2025

Cross-site scripting (XSS) vulnerability in Apache Struts.

CVE-2008-6682

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts 2.

The issue was finally resolved only in 2010 (we will cover it later on).

CVE-2011-1772

Multiple cross-site scripting (XSS) vulnerabilities in XWork in Apache Struts 2.x before 2.2.3, and OpenSymphony XWork in OpenSymphony WebWork, allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.

CVE-2011-2087

Multiple cross-site scripting (XSS) vulnerabilities in component handlers in the javatemplates (aka Java Templates) plugin in Apache Struts

Not quite strict security-minded

developers & procedures

closed internal structure

Directory traversal

DoS

They do a lot of "dirty work"

for the programmers.

They have to be complex.

CVE-2011-1368

Summary: The JavaServer Faces (JSF) application functionality in IBM WebSphere Application Server 8.x before 8.0.0.1 does not properly handle requests, which allows remote attackers to read unspecified files via unknown vectors.

Struts, BID 32104 (no CVE), 2008

FilterDispatcher (in 2.0) and DefaultStaticContentLoader (in 2.1) have a security vulnerability that allows an attacker to traverse the directory structure and download files outside the "static" content folder, using double-encoded urls and relative paths, like:

http://localhost:8080/struts2-blank-2.0.11.1/struts..

http://localhost:8080/struts2-blank-2.0.11.1/struts/..%252f

http://exampletomcat.com:8080/struts2-blank-2.0.11.1/struts/..%252f..%252f..%252fWEB-INF/classess/example/Login.class/

https://issues.apache.org/jira/browse/WW-2779

backward compatibility

Struts cancel

CVE-2006-1546

The Struts <html:cancel> tag sets a request parameter (org.apache.struts.taglib.html.Constants.CANCEL) which causes validation to be skipped.

Spoofing this request parameter, however, could be used maliciously in order to circumvent an application's validation.

What is framework?

simply adding parameter

org.apache.struts.taglib.html.Constants.CANCEL=true

turned off whole validation ;)

Struts action

The default behaviour allows executing methods which were

not meant to be public

http://localhost:8080/mywebapp/recoverpassword!getUserPassword.action

More info:

http://www.brucephillips.name/blog/index.cfm/2011/2/19/Struts-2-Security-Vulnerability--Dynamic-Method-Invocation

Similar problem with Session

http://www.example.com/SomeAction.action?session.somekey=someValue

https://issues.apache.org/jira/browse/WW-2264

https://issues.apache.org/jira/browse/WW-3631

"XML Bomb"

Example: Struts < 1.2.9

It is rather a misconfiguration problem, but it is mentioned

here because it is very common.

In fact, 100% of the tested applications which included some

XML parsing of user-supplied data were vulnerable.

The core problem is XML nested entity processing, which

a user can trigger to consume CPU power exponentially.
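The amplification can be measured without ever expanding the entities. The estimator below is an added Python example (not from the presentation): it reads the internal DTD, sums the expanded size of each entity reference recursively with memoisation, and aborts as soon as a byte limit is passed, so it can serve as a gate in front of a real parser. `build_bomb` constructs the well-known nested-entity document used only as its input; the real fix remains configuring the XML parser to refuse DTDs or cap entity expansion.

```python
import re

DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*(?:\[.*?\])?\s*>", re.S)
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r"&(\w+);")
PREDEFINED = {"lt": "<", "gt": ">", "amp": "&", "apos": "'", "quot": '"'}


def expansion_size(doc, limit=1_000_000):
    """Byte count of the document body once every internal entity reference is
    expanded, computed arithmetically (nothing is actually expanded). Raises
    ValueError as soon as the running total passes `limit`, or on undefined or
    self-referencing entities, so a hostile document costs a few regex matches."""
    entities = dict(PREDEFINED)
    m = DOCTYPE.search(doc)
    if m:
        entities.update(ENTITY_DECL.findall(m.group(0)))
        body = doc[m.end():]
    else:
        body = doc
    cache = {}

    def size_of(text, active):
        total, pos = 0, 0
        for ref in ENTITY_REF.finditer(text):
            total += ref.start() - pos
            name = ref.group(1)
            if name not in entities:
                raise ValueError("undefined entity &%s;" % name)
            if name in active:
                raise ValueError("recursive entity &%s;" % name)
            if name not in cache:
                cache[name] = size_of(entities[name], active | {name})
            total += cache[name]
            if total > limit:
                raise ValueError("expansion exceeds %d bytes" % limit)
            pos = ref.end()
        return total + len(text) - pos

    return size_of(body, frozenset())


def safe_to_parse(doc, limit=1_000_000):
    """Gate to run before handing user-supplied XML to a real parser."""
    try:
        expansion_size(doc, limit)
        return True
    except ValueError:
        return False


def build_bomb(levels=10, fanout=10):
    """Constructed nested-entity document: each entity references the previous
    one `fanout` times, so the last one expands to 3 * fanout**(levels-1) bytes."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels):
        refs = ("&lol%d;" % (i - 1)) * fanout
        decls.append('<!ENTITY lol%d "%s">' % (i, refs))
    return "<!DOCTYPE lolz [%s]><lolz>&lol%d;</lolz>" % ("".join(decls), levels - 1)


# Constructed benign document that only uses a predefined entity.
SAFE_DOC = '<?xml version="1.0"?><greeting>hello &amp; welcome</greeting>'

if __name__ == "__main__":
    print(len(build_bomb()), "bytes on the wire ->", safe_to_parse(build_bomb()))
```

The ten-level document is under a kilobyte on the wire yet would expand to roughly three gigabytes; the estimator rejects it after computing a handful of cached sizes, which is the asymmetry the slide describes.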

CVE-2006-1547

Very old (2006), but still "in the wild".

A single POST of multipart type will crash the entire application.

After that it will render 500 Internal Server Error to all subsequent requests.

Frameworks are just some piece of software,

but a bit more complex and thus susceptible to errors

A framework is a library of classes and files that solves a set of well known and commonly occurring problems.

EL injection

Improper cryptography

Spring

Struts

JBoss Seam

...

Example - Struts CVE-2007-4556

Full PWND

check out more features of OGNL

http://commons.apache.org/ognl/language-guide.html

But Expression Languages like OGNL, evaluated where nobody expected them,

are the root cause of many vulnerabilities.

"Having any sort of custom expression language in a web framework is always a sign of potential vulnerabilities (...), since framework developers will try to add support for that expression language to various components, and some of those components may in turn handle user-controlled inputs without developers realizing it."

http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html

CVE-2010-4007

Oracle Mojarra (Java Server Faces implementation) uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
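What a MAC adds to the View State, as an added Python example (not Mojarra code): the encrypted blob is authenticated with HMAC-SHA256, and the tag is verified in constant time before any decryption is attempted, so a tampered token is dropped before a padding check could ever answer. The key and the ciphertext bytes are constructed placeholders; encryption itself is assumed to happen elsewhere.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed key for the demonstration; a real deployment loads it from
# protected configuration and rotates it.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def seal(ciphertext, key=DEMO_KEY):
    """Encrypt-then-MAC: append a tag over the already-encrypted view state."""
    return ciphertext + hmac.new(key, ciphertext, hashlib.sha256).digest()


def unseal(token, key=DEMO_KEY):
    """Check the tag BEFORE touching the ciphertext. Returns the ciphertext,
    or None for anything not produced under `key`. Because forged or modified
    tokens stop here, the decryption routine (and its padding check) never
    sees attacker-controlled ciphertext, which is what a padding oracle needs."""
    if len(token) < TAG_LEN:
        return None
    ciphertext, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    # compare_digest takes time independent of where the bytes first differ.
    if not hmac.compare_digest(tag, expected):
        return None
    return ciphertext


def flip_byte(token, index):
    """Demonstration helper: corrupt a single byte of a token."""
    data = bytearray(token)
    data[index] ^= 0x01
    return bytes(data)


# Constructed stand-in for the encrypted state; never decrypted here.
SAMPLE_CIPHERTEXT = b"opaque-ciphertext-of-the-view-state"

if __name__ == "__main__":
    token = seal(SAMPLE_CIPHERTEXT)
    print("intact:", unseal(token) == SAMPLE_CIPHERTEXT)
    print("ciphertext byte flipped:", unseal(flip_byte(token, 0)))
```

Every modification, whether to the ciphertext or to the tag, yields the same `None` with no distinguishable error, which is the property the missing MAC in CVE-2010-4007 failed to provide.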

more info:

http://www.mindedsecurity.com/fileshare/ExpressionLanguageInjection.pdf

Struts - remote code execution

More will follow.

Security misconfiguration

Also vulnerable:

very similar problems

Spring Framework

CVE-2010-1622, Jun 2010

CVE-2011-2894, Sep 2011

http://www.springsource.com/security/cve-2010-1622

http://www.springsource.com/security/cve-2011-2894

JBoss Seam Framework

CVE-2010-1871, Jul 2010

http://blog.o0o.nu/2010/07/cve-2010-1871-jboss-seam-framework.html

There are many features in frameworks

that allow developers to restrict some user-controlled data

by proper configuration.

But the defaults are seldom touched.

framework = framing construction for the application

Many critical vulnerabilities could be avoided

with a little bit of hardening - for example the

Struts remote execution bugs could not be exploited

if the special configuration parameter excludeParams

were set (default: empty).

JBoss Seam

To my best knowledge, tools do not have any built-in database of known external libraries' security.

And code review usually does not cover external sources.

Broad topic for another presentation:

struts.xml validators

Disclaimer: vulnerable version included in WEB-INF/lib does not necessarily mean the app is also vulnerable.

many others...

Fix timelines

During penetration test from the outside we do not see internal application structure

  • a programmer can choose how, and to what extent, to use a given framework. It may be surprising even for framework developers ;)
  • it is possible to write additional plugins/interceptors/chains...
  • quite common mixing of various frameworks
  • library may be an old, hard to clean dependency in long-developed application
  • the vulnerable functionality is simply not used in application

Configuration review usually does not cover libraries bundled in application

Example 1 - remote code execution

Benefits

Fix #4

Fix #5

Fix #1

Fix #2,3

OpenSymphony WebWork

anyone?

Source code analysis

Configuration review

Jun-Oct 2008

bypass security measures in

ParameterInterceptor

Jul 2010

Dec 2011

Ouch, there is more...

The fix was not sufficient.

Clearing the stack blocked access to many context variables. But there were others.

08 Jun 2008

CVE-2008-6504

7 Jan 2004

18 Dec 2003

Hello XWork developers,

I believe I've discovered a vulnerability that allows attackers to bypass security measures

implemented in ParametersInterceptor. OGNL is a pretty complex language and provides a lot of features,

so, for example, using expression evaluation

(http://www.ognl.org/2.6.9/Documentation/html/LanguageGuide/expressionEvaluation.html)

it is possible to bypass the '#' protection and modify objects in the context.

So, for instance, to set #session.user to '0wn3d' the following parameter name can be used:

('\u0023' + 'session[\'user\']')(unused)=0wn3d

which will look as follows once URL encoded:

('\u0023'%20%2b%20'session[\'user\']')(unused)=0wn3d

It turned out that the problem concerned not only ParametersInterceptor, but also CookieInterceptor, DebuggingInterceptor, and ExceptionDelegator ;)

Same patch - whitelist of allowed chars in cookie names.

Additionally, it turned out that ParametersInterceptor allowed overwriting arbitrary files, because an attacker could still access public constructors with only one parameter of type String.

25 Dec 2011 - Struts 2.3.1 released

Security Bulletin: http://struts.apache.org/2.x/docs/s2-008.html

Bug entered in Jira

"Patrick says he has fixed this"

http://jira.opensymphony.com/browse/XW-641

Security Flaw: setting params should not evaluate methods

Struts does not properly restrict # (pound sign) references to context objects, which allows remote attackers to execute Object-Graph Navigation Language (OGNL) statements and modify server-side context objects, as demonstrated by use of a \u0023 representation for the # character.

The single most important

business reason to use framework

http://jira.opensymphony.com/browse/WW-434

"When setting a parameter, methods should not be invoked. This is necessary to prevent parameter names such as:

* @System@exit(1)

* class.classLoader.somethingScary() "

https://issues.apache.org/jira/browse/WW-3470

http://struts.apache.org/2.x/docs/s2-005.html

http://www.exploit-db.com/exploits/14360/

http://jira.opensymphony.com/browse/WW-434

Ooops... the parameter names are evaluated as java.

What it actually means is: remote code execution,

for example: @System@execute('shell cmd')
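From the defender's side, the parameter names and paths quoted in this deck can be turned into log indicators. The following is an added Python example (not part of the presentation): it parses constructed access-log lines, URL-decodes each request, and flags dynamic method invocation in the path, the Struts cancel parameter, parameters addressing the session, and OGNL or EL markers such as `\u0023`, `#`, `@`, `${` and `%{`. The log lines are constructed for the example, and the rule names are my choices.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in combined format; request lines reuse the
# paths and parameter names quoted in this presentation.
SAMPLE_LOG = r"""10.0.0.5 - - [18/Jan/2012:10:01:02 +0100] "GET /app/login.action?user.name=bob HTTP/1.1" 200 512
10.0.0.5 - - [18/Jan/2012:10:01:09 +0100] "GET /app/recoverpassword!getUserPassword.action HTTP/1.1" 200 734
10.0.0.7 - - [18/Jan/2012:10:02:15 +0100] "GET /app/SomeAction.action?session.somekey=someValue HTTP/1.1" 200 301
10.0.0.7 - - [18/Jan/2012:10:02:40 +0100] "GET /app/SomeAction.action?('\u0023'%20%2b%20'session[\'user\']')(unused)=0wn3d HTTP/1.1" 500 88
10.0.0.9 - - [18/Jan/2012:10:03:01 +0100] "POST /app/edit.do?org.apache.struts.taglib.html.Constants.CANCEL=true HTTP/1.1" 302 0
10.0.0.9 - - [18/Jan/2012:10:03:30 +0100] "GET /app/search.action?q=%25%7B1%2B1%7D HTTP/1.1" 200 1200
10.0.0.9 - - [18/Jan/2012:10:04:00 +0100] "GET /app/search.action?q=%24%7B1%2B1%7D HTTP/1.1" 200 1200
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
DMI_PATH = re.compile(r"!\w+\.action$")          # action!method.action
CANCEL_PARAM = "org.apache.struts.taglib.html.Constants.CANCEL"
# Markers checked in decoded parameter names and values.
RULES = [
    ("ognl-context-marker", re.compile(r"\\u0023|#|@")),
    ("el-expression", re.compile(r"\$\{|%\{")),
]


def inspect_request(target):
    """Sorted list of indicator names found in one decoded request target."""
    url = urlsplit(target)
    hits = set()
    if DMI_PATH.search(url.path):
        hits.add("dynamic-method-invocation")
    # parse_qsl URL-decodes names and values, so %2b becomes '+' and
    # %24%7B becomes '${' before the rules run.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name == CANCEL_PARAM:
            hits.add("struts-cancel-validation-bypass")
        if name.startswith(("session.", "session[")):
            hits.add("session-parameter")
        for label, pattern in RULES:
            if pattern.search(name) or pattern.search(value):
                hits.add(label)
    return sorted(hits)


def scan_log(text):
    """Map 1-based line numbers to their indicator lists, skipping clean lines."""
    findings = {}
    for number, line in enumerate(text.splitlines(), 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        hits = inspect_request(m.group("target"))
        if hits:
            findings[number] = hits
    return findings


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        print("line %d: %s" % (number, ", ".join(hits)))
```

The first line, an ordinary `user.name` parameter, produces no finding; each of the other six lines maps to exactly one of the issues from this deck. Decoding before matching matters: the XW-641 payload only reveals its `\u0023` after `%2b` and `%20` are unescaped.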

14 Oct 2008 - Xwork 2.0.6, Struts 2.0.12

[few months discussion on how to fix the vulnerability

without breaking OGNL features]

BUT: there are still cases where the whitelist mechanism does not prevent the context from being manipulated, thus XWork 2.0.5 and Struts 2.0.11.2 DO NOT FIX THE ISSUE SATISFACTORILY.

22 Jun 2008 - Xwork 2.0.5,

Struts 2.0.11.2; security bulletin

fixed - value stack clearing

updated security bulletin

cast:

http://jira.opensymphony.com/browse/XW-641

https://issues.apache.org/jira/browse/WW-2692

http://struts.apache.org/2.x/docs/s2-003.html

Aug 2011:

Metasploit Module

2012

2013

2003

2011

2008

2010

Penetration tests

TIME = MONEY

Most popular frameworks

Imagine an intruder having "root" on your

server from the Internet - by single crafted URL.

Isn't it worth checking the application's "entrails" to avoid that?

"Xerces was the fifth most common Java framework or technology that we saw, after JSPs, Spring MVC, and Struts 1.x."

You can develop function-rich applications much more quickly

Applications follow many best practices that make them maintainable

Example 2 - XSS

http://www.veracode.com/blog/2011/12/about-veracodes-december-platform-release/

Mar 2010

Jan - Feb 2008

Ouch, they can use <sCript>, not just <script>!!!

XSS discovery & fix

you could list application external dependencies

and check for relevant security advisories

But maybe in your free time ;)

the implemented fix for S2-002 only checks for "<script>",

not "<sCript>"

https://issues.apache.org/jira/browse/WW-3410

--- struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java 2008/01/24 07:37:32 614813

+++ struts/struts2/trunk/core/src/main/java/org/apache/struts2/views/util/UrlHelper.java 2008/01/24 07:39:45 614814

@@ -174,10 +174,14 @@

buildParametersString(params, link, "&");

}

- String result;

-

+ String result = link.toString();

+

+ if (result.indexOf("<script>") >= 0){

+ result = result.replaceAll("<script>", "script");

+ }

+

try {

- result = encodeResult ? response.encodeURL(link.toString()) : link.toString();

+ result = encodeResult ? response.encodeURL(result) : result;

} catch (Exception ex) {

// Could not encode the URL for some reason

// Use it unchanged
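Review bot: the check at `if (result.indexOf("<script>") >= 0)` is a case-sensitive match on one literal token, so a tag in different case (the bulletin excerpt on this page cites `<sCript>`), with attributes, or split by whitespace passes untouched, and rewriting the tag to the bare word `script` is a blacklist rather than encoding. Encode each parameter name and value at the moment it is appended to the link instead of post-processing the assembled `result`; note also that `replaceAll` takes a regular expression as its first argument, which is harmless for this literal but easy to trip over when the pattern is later extended.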

Final fix:

- builder.append(name);

+ builder.append(translateAndEncode(name));
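Review bot: encoding the parameter name as it is appended with `translateAndEncode(name)` is the right shape of fix, output encoding applied to every piece rather than a search for one tag. This two-line excerpt shows only the name; confirm that the value appended alongside it goes through the same encoding, otherwise the `<s:url>`/`<s:a>` parameter injection described in the S2-002 bulletin would remain reachable through values.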

Veracode promised to publish soon more detailed statistics, stay tuned.

SecuRing assessed web application statistics:

the #1 most popular J2EE web application framework is Struts.

https://issues.apache.org/jira/browse/WW-2414

https://issues.apache.org/jira/browse/WW-2427

For both the <s:url> and the <s:a> tag, it is possible to inject parameter values that do not get escaped properly when the tag's resulting URLs are constructed and rendered.

Security Bulletin

http://struts.apache.org/2.x/docs/s2-002.html

"<script> tokens do get recursively escaped"

Please upgrade to Struts-2.0.11.1

Real world examples

2010

2009

2008

Take an application whose development started some years ago, and you can be nearly 100% sure that it is based on Struts.

That's why most vulnerabilities I will be talking later on will concern Struts.

and dealing with the problem

a few dozen applications

I have tested, but can't name here - NDA, sorry ;)

Apache

J2EE blog application

blog.usa.gov blogs.oracle.com

blogs.apache.org IBM developerworks...

Developers often delegate the most crucial security components to the framework

roller-4.0.1, released Feb 2009

contains Struts 2.0.9 & Xwork-2.0.4

with remote code execution vulnerability known since 2008

Does White House know about this?

next release: roller-5.0.0, May 2011

most up-to-date version as of today

Now they surely do,

they've got the Echelon, anyway

Struts 2.2.1 (also a few critical bugs)

Spring 2.5.6

Spring Security 2.0.5 - 2 serious vulnerabilities Sep 2011

But what about the others?

vCenter Orchestrator; Alive Enterprise

VMware vCenter Orchestrator is an application to automate management tasks. Alive Enterprise is an application to monitor processes

Disclaimers:

I DID NOT confirm any vulnerabilities in Apache Roller.

I have asked for clarification on roller-dev mailing list, and as of today the question was not answered.

Vulnerable versions of used libraries DO NOT necessarily mean there are vulnerabilities in the application.

Besides, Roller developers do care about upgrading libraries:

https://issues.apache.org/jira/browse/ROL-1840

What do the Roller developers say?

I have asked about this problem on roller-dev mailing list.

"It's possible that those library vulnerabilities could be exploited, but I can't be sure without further investigation. The safest thing to do is probably to switch out those libraries for the newer security-fixed versions. I'll check to see if that can be done fairly easily.

I'm not aware of a relevant security procedure, but I'll do some research and see if there is a policy or procedure that we should be following."

Struts remote code execution (CVE-2010-1870) vulnerable.

Vulnerability details published Jul 2010.

Advisory released Mar 2011 (8 months later):

VMSA-2011-0005 VMware vCenter Orchestrator remote code execution vulnerability

"VMware would like to thank the Vulnerability Research Team of Digital Defense, Inc. for reporting this issue to us."

How long would it take if nobody told them?

And BTW, the first release of advisory did not mention Alive Enterprise, just vCenter Orchestrator. It took them another month to discover it ;)

And when will they address the Dec 2011 critical Struts vulnerabilities?

Initial release (2011-03-14)

http://lists.vmware.com/pipermail/security-announce/2011/000129.html

Update (2011-04-12)

http://lists.vmware.com/pipermail/security-announce/2011/000132.html

Crucible, Fisheye, Confluence...

not to mention Jira

  • input data validation
  • output encoding
  • (sometimes) access control

Today, all of LinkedIn’s applications use Spring as the foundation, and Spring is fully

integrated into the company’s development life cycle. Spring components used by LinkedIn include Spring Core, Spring IoC and Spring MVC.

In 2010, they were first to fix a serious vulnerability in Struts, and worked together on the problem with Struts developers.

They have released fixed versions of their products months prior to the official release of the fixed Struts library.

LinkedIn engages SpringSource, the company behind Spring, for technical support. This is an advantage for LinkedIn because the leading contributors to Spring are now on staff at SpringSource. In fact, 97% of Spring code has been written by employees of SpringSource. “If we have a problem, we can just open a ticket and get a response quickly,” Pujante relates. “All the employees at SpringSource are really smart and know what they are talking about.

They have dug really deep into the issues, they understand our problems, and they solve them.”

http://www.springsource.com/files/uploads/all/pdf_files/customer/S2_CaseStudy_LinkedIn_USLET_EN.pdf

Developers

focused on their own code

Developers are probably the most suitable group to

deal with security vulnerabilities in external libraries.

Anyway, they use frameworks to simplify the development,

and forget about "boring" problems.

But don't they trust frameworks too much?

reluctant to upgrade external dependencies

this can be a very resource-consuming task

API changes among framework versions

sometimes a lot of application code has to be rewritten

I saw real-life scenarios with a developer's own fork of the framework, written for a particular application

The absolute minimum is monitoring of relevant security advisories. There should be a procedure for that.

But it would be advisable to have in team/consult someone security-minded.

Responsibility for finished deals.

Maybe it would be worth having commercial support for the most crucial libraries?

I personally did not encounter any developer procedure for monitoring external libs' security

From my personal experience:

developers, asked about a certain known vulnerability, will state that the problem does not concern their code, until presented with the proof-of-concept exploit - working in black & white against their application.

It does not necessarily mean their bad intentions. They may just lack proper resources and knowledge.
