Are my open-source libraries vulnerable? (2 min reading to make your life more secure)
The explosion of open source and issues related to it
The amount of open source or other third party code used in a software project is estimated as 60-90% of a codebase. Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defences and enable a range of possible attacks and impacts.
Conclusion: even if you perform constant security code reviews, you still might be vulnerable because of third-party components.
Some have tried to do this manually, but the sheer amount of work and data is growing and is time consuming, difficult, and error prone to manage. It would require several full time employees and skilled security analysts to constantly monitor all sources to stay on top.
How to solve the problem in a few clicks
Node Security Project (free)
The NSP is known for its work on Node.js modules and NPM dependencies. It also provides tools that scan for dependencies and find vulnerabilities using public vulnerability databases.
The goal of Retire.js is to help you detect use of version with known vulnerabilities.
Retire.js has these parts:
- A command line scanner
- A grunt plugin
- A Chrome extension
- A Firefox extension
- Burp and OWASP Zap plugin
OSS Index is a free service used by developers to identify open source dependencies and determine if there are any known, publicly disclosed, vulnerabilities.
OSS Index is based on vulnerability data derived from public sources and does not include human curated intelligence nor expert remediation guidance.
Bundler-audit is an open-source, command-line dependency checker focused on Ruby Bundler. This project retrieves its vulnerability information from the NIST NVD and RubySec, which is a Ruby vulnerability database.
Hakiri (free trial)
Hakiri monitors Ruby apps for dependency and code security vulnerabilities.
Black Duck from Synopsys
Duck KnowledgeBase—the most comprehensive database of open source component, vulnerability, and license information—Black Duck software composition analysis solutions and open source audits give you the insight you need to track the open source in your code, mitigate security and license compliance risks, and automatically enforce open source policies using your existing DevOps tools and processes.
Different open-source and commercial tools have emerged over the years to tackle this problem. Each tool/service tackles the problem a bit differently. However, it worth to start thinking about security of open-source libraries.