Pushing Left, Like a Boss — Part 5.2: Use Safe Dependencies

According to many sources, between 70–90% of application code is contained within libraries and other 3rd party components. When we use libraries, frameworks and other 3rd party components, we accept all of the risks that come with them (including their vulnerabilities). Luckily for us, when security researchers find security vulnerabilities in products (including libraries, frameworks and other components) they often report them to MITRE, who log them in the Common Vulnerability Enumerator (CVE) database, a publicly searchable database containing all publicly disclosed known vulnerabilities**. Using the CVE database, either manually or (preferably) through an automated tool, to verify whether your application is using known-vulnerable components is a key strategy for improving the security of your custom-built applications. There are *many* free and premium tools on the market (listed below), and I would suggest that you use at least one of them to ensure that the 3rd party code you are using is safe.
<rant>
Automating this should be part of every CI/CD pipeline. You should also automate scanning of your source code repository on a regular basis. Everyone should do this, for every project, no matter how small. It’s so easy, and such a huge win for the security of your applications, that there is no excuse not to do it.
</rant>
** The CVE list of vulnerabilities is not exhaustive. Many nation-states (including the one you live in), as well as criminal, terrorist, hacktivist and other malicious groups, actors or organizations, do not report the zero days that they find (vulnerabilities that are not known to the public and for which there is no known patch), in order to keep them for use in their own nefarious activities. Just because you have scanned your third party components for vulnerabilities does not mean they are bulletproof. Sorry folks.
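To make concrete what the CVE lookup above and the pipeline automation in the rant actually involve, here is an added example (not code from the original post, and not from any of the products listed below): a small Python check that reads a pinned requirements file, matches each dependency against a vulnerability feed, and returns a non-zero exit code so the CI/CD step fails. The requirements text, the advisory feed and the CVE identifiers in it are constructed placeholders, not real advisories; a real tool pulls the feed from the CVE list/NVD or a vendor database and handles many more manifest formats and version schemes.

```python
"""Minimal Software Composition Analysis (SCA) check for a CI/CD gate.

Added example, not from the original post. It shows the core of what SCA
tools do: read the application's pinned dependencies, look each one up in a
vulnerability feed, and fail the build if a pinned version falls inside a
known-vulnerable range.

The requirements file and advisory feed below are CONSTRUCTED sample data;
the CVE identifiers are placeholders, not real advisories.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the shape of a pip "requirements.txt" lockfile.
SAMPLE_REQUIREMENTS = """\
# comments and blank lines are ignored
requests==2.19.1
PyYAML==5.3.1
Django==3.2.20
urllib3==1.26.5  # inline comment
"""

# Constructed sample advisory feed. The CVE ids are PLACEHOLDERS and the
# affected ranges are invented for the demonstration.
SAMPLE_ADVISORIES = [
    {"package": "requests", "id": "CVE-0000-PLACEHOLDER-1",
     "affected": "<2.20.0", "fixed": "2.20.0"},
    {"package": "pyyaml", "id": "CVE-0000-PLACEHOLDER-2",
     "affected": "<5.4", "fixed": "5.4"},
    {"package": "django", "id": "CVE-0000-PLACEHOLDER-3",
     "affected": ">=3.0,<3.2.4", "fixed": "3.2.4"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.19.1' into (2, 19, 1). Non-numeric suffixes (rc1, post2) are
    dropped for brevity; a production tool should follow PEP 440 exactly."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad the shorter tuple with zeros so (5, 4) compares as 5.4.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause in `spec`,
    e.g. '>=3.0,<3.2.4'. Supports <, <=, >, >=, ==. Versions are compared
    numerically, so 3.2.20 is correctly treated as newer than 3.2.4."""
    v = parse_version(version)
    ops = {"<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
           "==": lambda a, b: a == b, "<": lambda a, b: a < b,
           ">": lambda a, b: a > b}
    for clause in spec.split(","):
        m = re.match(r"\s*(<=|>=|==|<|>)\s*([\w.]+)\s*$", clause)
        if not m:
            raise ValueError(f"unsupported version clause: {clause!r}")
        op, bound = m.groups()
        a, b = _pad(v, parse_version(bound))
        if not ops[op](a, b):
            return False
    return True


def parse_requirements(text: str) -> Dict[str, str]:
    """Return {normalized_name: pinned_version} for 'name==version' lines.
    Only exact pins are accepted: an SCA gate needs to know the real version."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([\w.]+)$", line)
        if not m:
            raise ValueError(f"only exact pins (name==version) are accepted: {raw!r}")
        pins[m.group(1).lower().replace("_", "-")] = m.group(2)
    return pins


def find_vulnerable(pins: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Match every advisory against the pinned set; one finding per hit."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is not None and version_matches(pinned, adv["affected"]):
            findings.append({"package": adv["package"], "installed": pinned,
                             "id": adv["id"], "fixed": adv["fixed"]})
    return findings


def sca_gate(requirements_text: str, advisories: List[dict]) -> int:
    """CI entry point: print findings and return the process exit code
    (0 = clean, 1 = a known-vulnerable dependency is pinned)."""
    findings = find_vulnerable(parse_requirements(requirements_text), advisories)
    for f in findings:
        print(f"FAIL {f['package']}=={f['installed']} matches {f['id']}; "
              f"upgrade to {f['fixed']}")
    if not findings:
        print("OK: no pinned dependency matches a known advisory")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(sca_gate(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES))
```

Run as a pipeline step, the non-zero exit code is what turns "we know about this CVE" into a blocked merge. The Django line is there on purpose: a naive string comparison would rank "3.2.20" below "3.2.4" and raise a false alarm, which is why the check compares version components numerically.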
Non-exhaustive list of software that scans 3rd party components for security vulnerabilities, a category also known as Software Composition Analysis (SCA):
- Snyk
- White Source
- CAST Software
- OWASP Dependency Check
- NSP (Node.js)
- SourceClear
- Dependabot (GitHub)
- Safety (Python)
- Veracode
- RetireJS (JavaScript)
- Black Duck (Synopsys)
- Hakiri (Ruby)
- Cloud Defense
- bundler-audit
- Sonatype
- Flexera
- Revenera.com
- Versions (Maven)
- ActiveState
- Fixinator (ColdFusion only)
There are many tools to help verify that you are using safe dependencies in your applications. Make use of one or more of them to ensure you are releasing secure apps!