How to identify and fix open-source vulnerabilities
Introduction
SaaS organisations rely on open-source software to shorten their turnaround time as it gives developers access to a myriad of top-notch projects. With open-source, developers can harness a variety of efficient tools that would be time-consuming to build.
For this reason, open-source is very important to both traditional and agile development processes.
Although the benefits of open-source can be alluring, there is a drawback worthy of note:
Open-source can potentially expose your projects to different kinds of vulnerabilities which can pose a security risk.
How do vulnerabilities creep in through open-source?
The basis of an open-source project is the voluntary contribution from different developers. It is not a strict requirement that these developers possess advanced security knowledge, and a lack of this knowledge can lead to the unintended creation of vulnerabilities.
When developing proprietary software, there is a testing phase that subjects the software to several security checks. Open-source, on the other hand, rarely goes through a similar level of security checks and some vulnerabilities may go unnoticed even with a large developer community reviewing the code.
When companies build their software on a layer of open-source components (with such vulnerabilities), they become potentially exposed to threats such as Denial-of-Service (DoS) attacks, malware injections and data breaches. Cyber-criminals keep abreast of these vulnerabilities and can use this information to exploit organisations that do not promptly update their vulnerable open-source components.
Apache Struts (a framework widely used in web applications) is a good case in point. Equifax (a consumer reporting agency) was slow to patch its Apache Struts framework, and this resulted in a data breach that affected millions of people.
The patches were, in fact, available two months before the breach.
Identifying and fixing vulnerabilities
There are two steps to resolving software vulnerabilities:
- Identifying vulnerabilities
- Fixing vulnerabilities
In a proprietary software project, vulnerabilities can go unnoticed for long if no deliberate checks are regularly made. Developers need to use the right tools to scan for and fix vulnerabilities. When a vulnerable dependency is identified, it must be remediated correctly.
In this section, we will go over a few methods to identify and fix open-source vulnerabilities.
Enable security alerts on source-code hosting platforms
Source-code hosting platforms can scan through your project’s dependency graph to find vulnerabilities. For example, GitHub can detect vulnerabilities from the GitHub Advisory Database or WhiteSource Bolt in one of the dependencies in your repository’s dependency graph.
Be sure to opt-in to such vulnerability detection alerts so you are always updated and protected.
Use an IDE plugin that detects vulnerabilities
Developers feel comfortable working in their favourite IDEs because it keeps them productive. IDEs are getting smarter by the day and even allow you to install plugins to enhance your coding experience.
On the issue of security, developers can install plugins that scan the direct and indirect dependencies in their projects, identify vulnerabilities and license issues, and report them back.
Using automation
Besides making your work easier, automation can help resolve vulnerabilities in your software projects. Technology is moving towards automation and companies already use real-time monitoring to detect abnormalities (including security issues) in their systems.
Automated systems can scan dependency graphs for the latest updates and patches and send alerts when found. This way, the developer teams will always be aware of vulnerabilities and this can prevent a security breach scenario like Equifax.
Using NPM (JavaScript)
When you install a Node package using NPM, you might get a small informative error that warns you about several dependency vulnerabilities:
What this text means is that there are vulnerabilities in your project, ranging from low to high. NPM provides an inbuilt command to fix these vulnerabilities:
npm audit fix
However, this command may not be able to fix all vulnerabilities, or may leave you with just as many vulnerabilities as before. When this is the case, an alternative is to fix the vulnerabilities manually.
The audit command recommends installation commands to individually resolve vulnerable dependencies:
Some of these individual updates may be semver-breaking changes, so you need to carefully take the time to ensure that your project still works correctly.
Note: avoid using the --force flag when running the npm audit fix command, as it will forcefully update all packages with vulnerabilities, even if they introduce breaking changes.
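The split described above, between fixes that npm can apply on its own and updates that may break the project, can be read from the machine-readable report. The following is an added example, not code from the original article: it sorts the entries of an `npm audit --json` report (npm 7 or later) by their `fixAvailable` field. The sample report and every package name in it are constructed for illustration.

```javascript
// Added example: triage an `npm audit --json` report (npm 7+ report format).
// SAMPLE_REPORT is constructed; every package name in it is hypothetical.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': { name: 'example-parser', severity: 'high',
      range: '<1.4.2', fixAvailable: true },
    'example-server': { name: 'example-server', severity: 'critical',
      range: '<=2.9.0',
      fixAvailable: { name: 'example-server', version: '3.0.1', isSemVerMajor: true } },
    'example-template': { name: 'example-template', severity: 'moderate',
      range: '*', fixAvailable: false },
    'example-logger': { name: 'example-logger', severity: 'low',
      range: '<0.3.1',
      fixAvailable: { name: 'example-cli', version: '1.2.5', isSemVerMajor: false } },
    'example-yaml': { name: 'example-yaml', severity: 'critical',
      range: '<2.0.3', fixAvailable: true },
  },
};

const SEVERITY_ORDER = ['critical', 'high', 'moderate', 'low', 'info'];

function triageAudit(report) {
  // auto:       `npm audit fix` resolves it inside the declared semver ranges
  // outOfRange: fix exists but lies outside the declared range (not a major bump)
  // breaking:   fix is a semver-major upgrade; review and test before installing
  // manual:     no fixed release exists; investigate or patch yourself
  const buckets = { auto: [], outOfRange: [], breaking: [], manual: [] };
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    const entry = { name: vuln.name, severity: vuln.severity, range: vuln.range };
    if (fix === true) buckets.auto.push(entry);
    else if (!fix) buckets.manual.push(entry);
    else {
      // the object form names the top-level package and version to install
      entry.install = `${fix.name}@${fix.version}`;
      (fix.isSemVerMajor ? buckets.breaking : buckets.outOfRange).push(entry);
    }
  }
  // most severe first within each bucket
  const rank = (v) => SEVERITY_ORDER.indexOf(v.severity);
  for (const list of Object.values(buckets)) list.sort((a, b) => rank(a) - rank(b));
  return buckets;
}

console.log(JSON.stringify(triageAudit(SAMPLE_REPORT), null, 2));
```

In a real project, pass the function the parsed output of `npm audit --json` instead of the sample object.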
Check vulnerability databases
Wikipedia describes a vulnerability database as:
A platform aimed at collecting, maintaining, and disseminating information about discovered computer security vulnerabilities. The database will customarily describe the identified vulnerability, assess the potential impact on affected systems, and any workarounds or updates to mitigate the issue. For a hacker to surmount a system's information assurance, three elements must apply: a susceptibility within the system, access to the susceptibility, and the ability to exploit the susceptibility.
Several platforms supply information on known vulnerabilities. They let you search through a database of vulnerabilities and may even show you the most severe vulnerabilities published in the last 90 days or suggest a fix (where it is available):
Manually fixing a vulnerability
For most vulnerabilities, the remediation process is as straightforward as updating the software to a non-vulnerable version. An adverse effect of such an upgrade is that it might introduce breaking changes to the project that depends on it.
For this reason, popular dependencies usually have point releases with security fixes. This makes it possible to remediate the vulnerabilities without introducing any breaking changes to the overall project.
In some cases where the project is no longer maintained and there are no updates available, you may need to investigate the vulnerability to understand it and create a working patch for yourself.
Conclusion
Building software with open-source components comes with several challenges, including security risk. It is important to regularly check your projects (manually or with tools) for open-source vulnerabilities and fix them when found.
Luckily for the contemporary developer, there are platforms dedicated to collecting information on different types of vulnerabilities. These platforms are called vulnerability databases and they can point you in the right direction towards resolving security issues.
Top comments (2)
Was just about to post for the first time ever regarding WhiteSource Bolt, but I see you've done a better job already :-D