Mitigate vulnerabilities in your open-source dependencies

Kevin Muhuri, published in ITNEXT, Jul 29, 2020

A vulnerability in Apache Struts 2, an open-source web application framework, allowed hackers to steal Equifax’s private records of 147 million Americans. An investigation discovered that Equifax was informed of the vulnerability but a failure in internal processes delayed the patching of the vulnerability.

Most organizations don’t have an up-to-date catalog of all the third-party components they use. “Vendors often use open source as a way of cutting down costs and getting to market faster without realizing the need to closely track these components for security or licensing issues,” says Craig Young, a principal security researcher at Tripwire VERT. This “move fast” approach is common in startups and small teams where quick turnarounds are of utmost importance.

Companies need to have software inventories and well-defined processes for applying security patches on time. In this article, we’ll look at the strategies and tools you can employ to mitigate vulnerabilities in your open source dependencies.

Create a Software Bill of Materials (SBOM)

An SBOM is a list of all software components/packages (with version numbers) that are incorporated into the final build of a software product. It will help you keep track of your custom packages and third-party dependencies. An SBOM also helps you to keep compliance with open-source licenses so that you don’t become SFLC’s next target.

How do I know all the components in my final build? Ask your build system.

Java: mvn dependency:tree, gradle app:dependencies

Node.js: npm list

Python: pip freeze

C/C++: Makefile

Embedded Linux System: Yocto build history, Buildroot

Sometimes you might need to query the default OS package manager or walk the filesystem to get a list of all the packages. Once you have your list, you will want to connect it to a vulnerability database like the NVD. There are many options, but I'll look at two solutions.

Timesys Vigiles

This is a software composition analysis (SCA) tool that will help you analyze and connect your SBOM to a vulnerability database. It's optimized for embedded systems, but you can still use it for desktop, mobile and web applications. A free version with limited features is available and still usable. For embedded, it can automatically generate an SBOM using Yocto, Buildroot, or Timesys Factory. For other platforms, you simply upload a custom .CSV file or create an SBOM using their web wizard tool.

CycloneDX + Dependency-Track

We've talked about storing your list of software packages in .CSV files, but there are standard SBOM specifications you can use. The three main SBOM specifications available today are CycloneDX, SPDX, and SWID. I recommend CycloneDX, which is more lightweight and better suited for application security contexts. Once you generate your SBOM file using CycloneDX, you can import it into Dependency-Track to manage and track your components. Your tech stack will determine how your CycloneDX SBOM is generated, but you can reference this tutorial for a Mix/Elixir project with NPM dependencies to see how it's done.

Create Guidelines for Patching and Updating Components

The failure of Equifax’s internal processes shows us that we need well-defined procedures for applying security patches on time. When you receive 20 security notifications for components in need of updates, who will coordinate the patching effort? What is the role of security researchers/engineers and the developers when applying patches? Which updates will be prioritized first?

You should put in place a prioritization system that distinguishes between low-priority and urgent security alerts. Snyk recently added this feature to all their plans. Dependency-Track and Dependency-Check can also prioritize vulnerabilities.
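To make the two preceding steps concrete, here is an added example (not code from the article or from any of the tools it names) that takes the inventory your build system gives you, in this case `pip freeze` output, turns it into a minimal CycloneDX-shaped JSON document with Package URLs, and then triages it against a vulnerability feed, splitting findings into urgent and low priority by CVSS score. The freeze output, the feed entries and their EXAMPLE-nnnn identifiers are all constructed for illustration; the field names follow the CycloneDX 1.2 JSON layout and the `pkg:pypi/...` purl convention, and the 7.0 urgency threshold is an assumption you would tune to your own policy.

```python
"""Build a minimal CycloneDX-style SBOM from `pip freeze` output and triage it
against a vulnerability feed. Added example, not the article's code; the
freeze output and the vulnerability feed below are constructed for illustration."""
import json
import re

# Constructed sample of what `pip freeze` prints for a small project.
PIP_FREEZE_OUTPUT = """\
requests==2.23.0
urllib3==1.25.8
PyYAML==5.3
Jinja2==2.11.1
"""

# Constructed vulnerability feed. Real feeds (NVD, OSS Index) carry CVSS scores and
# fixed versions in the same spirit; the IDs here are placeholders, not real CVEs.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "package": "pkg:pypi/urllib3", "affected_below": "1.25.9", "cvss": 7.5},
    {"id": "EXAMPLE-0002", "package": "pkg:pypi/pyyaml", "affected_below": "5.4", "cvss": 9.8},
    {"id": "EXAMPLE-0003", "package": "pkg:pypi/jinja2", "affected_below": "2.11.3", "cvss": 4.3},
]

URGENT_THRESHOLD = 7.0  # assumption: CVSS "High" and above is treated as urgent


def parse_pip_freeze(text):
    """Turn `name==version` lines into (name, version) pairs, skipping editable/VCS lines."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([^\s;]+)", line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def purl_for(name, version=None):
    """Package URL for a PyPI package; PyPI purls use the lowercased, dash-normalized name."""
    normalized = re.sub(r"[-_.]+", "-", name).lower()
    return f"pkg:pypi/{normalized}" + (f"@{version}" if version else "")


def build_sbom(pairs):
    """Assemble the components into a CycloneDX 1.2 JSON-shaped document."""
    components = [
        {"type": "library", "name": n, "version": v, "purl": purl_for(n, v)}
        for n, v in pairs
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.2", "version": 1, "components": components}


def version_tuple(v):
    """Numeric version comparison, sufficient for the X.Y.Z strings used here."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def triage(sbom, feed, threshold=URGENT_THRESHOLD):
    """Match SBOM components against the feed; return findings urgent-first, highest CVSS first."""
    findings = []
    for comp in sbom["components"]:
        base = comp["purl"].split("@", 1)[0]  # strip the version to match feed entries
        for vuln in feed:
            if vuln["package"] == base and version_tuple(comp["version"]) < version_tuple(vuln["affected_below"]):
                findings.append({
                    "component": comp["name"], "installed": comp["version"],
                    "fixed_in": vuln["affected_below"], "id": vuln["id"], "cvss": vuln["cvss"],
                    "priority": "urgent" if vuln["cvss"] >= threshold else "low",
                })
    return sorted(findings, key=lambda f: (f["priority"] != "urgent", -f["cvss"]))


if __name__ == "__main__":
    sbom = build_sbom(parse_pip_freeze(PIP_FREEZE_OUTPUT))
    print(json.dumps(sbom, indent=2))
    for f in triage(sbom, VULN_FEED):
        print(f"[{f['priority'].upper():6}] {f['component']} {f['installed']} -> "
              f"{f['fixed_in']} ({f['id']}, CVSS {f['cvss']})")
```

Run it as a script to see the SBOM document followed by the triage list; with the constructed data, PyYAML and urllib3 come out as urgent and Jinja2 as low. In practice you would feed the generated document to Dependency-Track instead of triaging by hand, but the split between "inventory" and "policy" shown here is the same one those tools implement.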

Hire a reputable security firm to help you with employee training, advice on setting security guidelines, audits and pentesting to know your exposure and worst-case scenarios.

Secure your third-party dependencies using a free/commercial security solution

Free Solutions

Dependency-Check

It's closely related to Dependency-Track, but it does not require an SBOM to analyze your open source dependencies. Set it up to scan your project directory and it will generate an XML report of your vulnerabilities. The XML report can be imported into Dependency-Track for further analysis.

OSS Index

A free service by Sonatype for scanning vulnerabilities in your project. Many free tools like Dependency-Track use the OSS Index API for scanning because it covers vulnerabilities not present in the NVD. DepShield is a free scanner powered by OSS Index for scanning public and private GitHub repositories. If you need commercial support and more features, you can upgrade to their Nexus Platform.

WhiteSource Bolt

A free vulnerability scanner available for GitHub repos (public or private) and Azure DevOps. It supports over 200 languages, but scans are limited to 5 per day per repo. You can compare its features with the full solution to see if you need an upgrade. Check out their other free tool, WhiteSource Renovate, which you can use to resolve outdated dependencies.

Commercial Solutions

Snyk

An Israeli and London startup that offers a full end-to-end security suite for enterprises. They secured $150M in funding earlier this year, and Greenkeeper (which has recently closed shop) has advised all its users to migrate to Snyk. Their commercial plans are aimed at medium to large enterprises, but they have a free plan. The free plan is limited to 200 tests for open source vulnerabilities on private projects, with no limits on open source projects.

Tidelift

Vetting and reviewing third-party components before use in your application can cost a lot of money and slow down the development cycle. Tidelift solves this problem by providing you with a catalog of already vetted open source components that are regularly scanned for vulnerabilities. You can create your custom catalog too. Tidelift pays open source developers to ensure packages are well maintained and security patches are applied. Pricing only targets large enterprises.

Fossa

A US-based startup that provides a set of tools for license compliance and vulnerability management. It leverages both static and dynamic code analysis to get a more accurate view of your dependencies. Their CLI tool is free under the MPL-2.0 License but it only generates dependency reports and license notices. Comprehensive vulnerability reports are available under commercial plans.

Open Source is more Securable

An open source library is generally more securable than a closed-source binary because the code is accessible and can be modified as permitted by the open source license. A good example is the WinRAR ACE vulnerability. WinRAR used the unacev2.dll library (which had been abandoned) to unpack ACE archives. A vulnerability in the DLL put 500 million users at risk. "UNACEV2.DLL has not been updated since 2005 and we do not have access to its source code. So we decided to drop ACE archive format support to protect the security of WinRAR users," RARLab said in a statement.

With an up-to-date software inventory and well-thought-out security protocols, companies can safely rely on open source to support their operations and products.
