Five Ways to Find and Fix Open Source Vulnerabilities – Guest Post by Limor Wainstein

Open source software has proven to have many benefits for enterprises as well as developers; however, it also poses significant risks, since it is prone to a number of vulnerabilities, particularly ones related to application security.

A number of developer teams rely largely on open source software to speed up the delivery of digital innovation. Traditional as well as agile development processes and workflows often make use of pre-built, reusable open source software components.

However, the problem lies in the fact that most open source software is not subject to the same level of checks as custom-built software. Most of the development work is crowd-sourced to a large community of developers who often have little understanding of the security concerns that may arise from a particular organization's use of the software.

Use Relevant Tools to Find Vulnerabilities in OSS

Listed below are some of the popular tools, and their USPs, that might help you manage vulnerabilities in open source software.

Node Security Project (NSP)

The NSP is known largely for its work on tracking the security of Node modules and npm dependencies. The project offers tools that scan for and find vulnerabilities using public vulnerability databases such as the NIST National Vulnerability Database (NVD) as well as its own, inbuilt database. The project was recently acquired by npm and integrated into the latest version of npm in the form of npm audit. It is a script that checks whether any public vulnerability has been found in your packages and Node modules.

npm audit automatically checks your direct dependencies, bundled dependencies and development dependencies for known issues. When you install a new package or update an existing one, it shows a brief summary of the issues found in your local dependencies. You can also use the tool to generate security reports for JavaScript projects.

OSSIndex

OSSIndex is a repository of software information that focuses on vulnerability issues. It extracts its information from npm, NuGet, Maven Central Repository, Bower, Chocolatey, and MSI. Along with its own database, which leverages the NIST NVD, it also pulls vulnerability information from mailing lists and various other sources.

OSSIndex effectively covers the JavaScript, .NET/C#, and Java ecosystems. It offers a REST API endpoint so that developers can build an in-house application to check for vulnerability issues.

Dependency-check

Dependency-check is an open source command line tool from OWASP. It can be used as a stand-alone tool or as part of a package of built-in tools. Dependency-check supports Java, .NET, JavaScript as well as Ruby. It pulls its vulnerability information from the NIST NVD. Many plugins for several IDEs, deployment systems, and source repositories are built on top of Dependency-check.

Bundler-audit

Bundler-audit is an open source command line tool that checks Ruby Bundler dependencies for known vulnerabilities. It retrieves its vulnerability information from the NIST NVD and RubySec, a Ruby vulnerability database.

Commercial Tools

Apart from open-source tools, there are commercial tools such as Hakiri, Snyk, WhiteSource, Gemnasium, etc. Most of these tools provide dependency checks for projects based on a wide array of languages via static code analysis. Apart from that, they also offer free plans for publicly accessible open source projects and paid plans for private projects. In addition to offering tools to identify known vulnerabilities, commercial tools also assist developers in fixing these issues with guided upgrades and open source patches.

Notify the Developer Community About the Vulnerability

If you come across a vulnerability in open source software, it is good practice to inform the software's developers of the vulnerability in the package. If the software has an active developer community, this often results in a prompt response and a quick fix. If the software package in question is not being actively developed at the time, you are left with one of the following three options:

  1. Patch the library yourself so that all users benefit from the update.
  2. Identify a similar alternate package that can be used.
  3. Build a replacement package in-house according to your organization's needs.

Patching the library and giving it back to the community is probably the best option of the three. Anyone using the library will benefit from it, and you can expect more community members to join in. Apart from that, being well regarded in open-source circles will help your company build a reputation, which is always a good thing.

Integrate Security Compliance Practices into Your Application

Automating some of these tasks and integrating additional layers of security can prevent you from having vulnerable dependencies in the first place. Let's have a look at the best practices for integrating security compliance practices.

  1. Make Security a Company-wide Culture – Security policy should span across departments and usually involves close collaboration with the organization’s IT R&D department.
  2. Focus on Compliance – Year round compliance goes a long way in mitigating security risks and helps organizations avoid costly fines later. Compliance represents a set of tools and best practices for keeping your application secure and free from possible attacks. Creating a set of policies that support action and automation for constant compliance helps avoid regrettable data breaches and other security vulnerabilities.
  3. Automation – Automation may well be the only sure way to execute security policies. Some examples of policy components that can be automated include:
    • Policy-based Integration
    • Integrity Monitoring
    • Threat Intelligence
    • Compliance Assessment
  4. Address Internal Threats – While a written policy is good to have in place and supports an IT culture of better security, it is important to complement it with employee training and awareness. Encouraging an atmosphere of 'see something, say something' is a helpful way of ensuring each employee in an organization plays a part in ensuring security and compliance.

Write Tests for Your Components and Dependencies

Probably the most comprehensive way of improving the security of the open source software your organization uses is to test the security of each open source component. Analyzing open source code is almost as important as analyzing proprietary code, because not only could the code have unknown security vulnerabilities, its dependencies and the functions used may differ between each use case. Therefore, a component that may be secure in one application may be insecure when used in a different application.

Build gate checks, constraints and validations for your components and dependencies so that some of the milder vulnerabilities in your dependencies won't have an impact on your application. Security testing and code review are the only sure ways to detect these issues.

Prioritize Threat Intelligence

Risks cannot be effectively addressed without accurate, up-to-date knowledge of your environment and the threats to it. With access to comprehensive threat intelligence, an organization can understand and respond to threats before a vulnerability leads to a data breach. For instance, ensure that your organization has taken measures to keep track of security updates for both direct and indirect dependencies in a timely manner. In addition, keep note of emerging threats and whether any of them are capable of having an impact on you.

About OrangeScrum:

OrangeScrum is an enterprise open source project management and collaboration tool that helps you organize your tasks, projects, resources, docs, invoices, expenses and timesheets in one place. It offers both open source and cloud versions. To know more, visit orangescrum.org.


About the author

Limor Wainstein

Limor is a technical writer and editor at Agile SEO, a boutique digital marketing agency focused on technology and SaaS markets. She has over 10 years' experience writing technical articles and documentation for various audiences, including technical on-site content, software documentation, and dev guides. She specializes in big data analytics, computer/network security, middleware, software development and APIs.