Enhancing Security in your Software Development LifeCycle – Dealing with Dependencies

Tim Reed

The adoption of agile practices has resulted in the emergence of shift-left testing, where testing is performed much earlier in the Software Development LifeCycle (SDLC). Traditional waterfall models performed testing to the right of, or following, development. The benefits of testing earlier and more often cannot be overstated. However, where does this leave security and security testing?

DevOps devotees will no doubt be familiar with these concepts and with the idea that security should be shifted as far left as possible. The very term DevSecOps is contentious, with some arguing for, and coining, the term SecDevOps to highlight just how far left security should be considered. So how do companies integrate and enhance security within their SDLC and, in particular, how are they dealing with dependencies?

As with most things, there are some issues to recognise, which will need to be accepted, and some challenges that must be overcome.

The first step is identifying just how far left security should be considered. In an ideal world this should be done very early on in the design and planning phases, where security considerations and risks are identified, added to the requirements and then appropriate measures are taken to address them. The reality is that this, whilst important, only goes a small way to protecting your application. The first operational, tangible difficulty arises with the code itself, often well into the development lifecycle.

It may come as a surprise to some that modern applications contain, on average, less than 20% custom code. The majority of the code comes from frameworks and third-party libraries. As pressure on developers mounts to create applications faster than ever, reliance on open-source code has increased exponentially. These libraries are usually distributed through package managers, e.g. NPM, dotnet, PIP, or Composer. As a result, a single dependency often appears in thousands of projects. Its security testing is therefore performed at scale by hundreds, if not thousands, of individuals, but the potential impact and value of a successful exploit is magnified to the same degree. Hence the need to manage your supply chain security and prevent vulnerable packages from entering your SDLC. The good news is that it is a relatively simple process to incorporate and can lead to substantial improvements in your security posture.

How to check for vulnerable dependencies

Depending on your platform and package manager, there are a number of freely available tools that can be used to identify vulnerable packages and their dependencies. Whilst these solutions may not be as comprehensive or provide as much coverage as commercial or professional solutions, it’s a great start for any independent developer, start-up, or small team.

NPM

Running NPM's audit command will list vulnerable dependencies in your project; the fix subcommand will additionally attempt to upgrade them to non-vulnerable versions. An audit also runs automatically with every npm install:

npm audit
npm audit fix

dotnet

Using the dotnet CLI you can check for any known vulnerabilities in dependencies using:

dotnet list package --vulnerable

Composer

Roave/security-advisories is a Composer meta-package that contains only a composer.json file. Adding it to the require-dev section of a project's composer.json will cause a conflict with any known vulnerable packages and refuse to install them:

composer require --dev roave/security-advisories:dev-latest

While True: Automate

Of course, running these tools by hand is a manual process that doesn't fit with modern DevOps/DevSecOps practices. The first thing to do is to automate the detection of vulnerable packages and prevent them from entering your source control. Adding the commands described above to your pipeline is a good starting point. Beyond that, there is an entire market built around the sale of Software Composition Analysis (SCA) tools. These tools typically identify open-source components, their licence compliance, and their security vulnerabilities. Some can even help with fixing the issues identified.

GitHub has added its Dependabot feature to monitor for vulnerable dependencies; when it detects one, it can raise a pull request to update the manifest to the latest version. GitLab also has a dependency scanning feature. It is worth noting that these features are limited to paid tiers or self-hosted plans.

Bitbucket's offering is an integration of Snyk's tool (which also integrates with GitLab and GitHub). This is also a paid offering, though there is a free tier that includes a limited number of tests.

There are also a variety of other third-party vendors vying for a place in your pipeline, such as Deps, a CLI tool that integrates with most CI tools to create pull requests. This is great if you want a custom solution.

The first step is always detection of these vulnerable packages. The next step is notification, which, as we've seen, is often done by means of pull requests. These can then be reviewed either by your security team or by developers, who can prioritise and triage the issues. You will want to decide on the criteria for this; often it focuses on the severity of the vulnerability as measured by its CVSSv3 score. There are times when the dependency itself is vulnerable but is not used in a vulnerable way, or additional measures exist that nullify the vulnerability. Some updates may break functionality, and some dependencies have vulnerable sub-dependencies that you will often not be updating yourself. So it is important to have a process in place to identify, assess and triage vulnerable dependencies within your software development process.
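The following is an added example, not code from the original post: a small pipeline gate that combines the automated npm check from the previous section with the severity-based triage described here. It parses npm audit --json output (npm 7+ report format), blocks on advisories at or above a CVSS threshold, and skips advisories that an allowlist records as accepted risk; a package vulnerable only through a sub-dependency is reported once, on the sub-dependency that carries the advisory. The package names, scores and advisory URLs are constructed for the example.

```python
import json

# Constructed sample of `npm audit --json` output (npm 7+ report format),
# trimmed to the fields the gate reads; names, scores and URLs are made up.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "tiny-parser": {
            "name": "tiny-parser", "severity": "critical", "isDirect": False,
            "via": [{"name": "tiny-parser", "title": "Prototype pollution",
                     "url": "https://example.invalid/advisory/1",
                     "cvss": {"score": 9.8}, "range": "<1.2.0"}],
            "effects": ["build-helper"], "fixAvailable": True,
        },
        "build-helper": {  # vulnerable only through its sub-dependency
            "name": "build-helper", "severity": "critical", "isDirect": True,
            "via": ["tiny-parser"], "effects": [], "fixAvailable": True,
        },
        "old-logger": {
            "name": "old-logger", "severity": "moderate", "isDirect": True,
            "via": [{"name": "old-logger", "title": "ReDoS in format string",
                     "url": "https://example.invalid/advisory/2",
                     "cvss": {"score": 5.3}, "range": "<3.0.0"}],
            "effects": [], "fixAvailable": False,
        },
    },
})

def gate(audit_json, min_score=7.0, accepted=()):
    """Return findings that should block the pipeline, highest CVSS first.
    Blocks when the advisory score is >= min_score and its URL is not in
    `accepted` (advisories triaged as not exploitable in this project)."""
    report = json.loads(audit_json)
    blocking = []
    for pkg in report.get("vulnerabilities", {}).values():
        for adv in pkg.get("via", []):
            if not isinstance(adv, dict):
                continue  # string entry: transitive pointer, advisory listed on its owner
            score = adv.get("cvss", {}).get("score")
            if score is None or score < min_score or adv.get("url") in accepted:
                continue
            blocking.append({
                "package": pkg["name"], "direct": pkg.get("isDirect", False),
                "score": score, "title": adv.get("title", ""),
                "fix_available": bool(pkg.get("fixAvailable")),
                "reaches": list(pkg.get("effects", [])),  # direct deps it affects
            })
    return sorted(blocking, key=lambda f: -f["score"])
```

In a real pipeline the gate would read the report from npm audit --json and exit non-zero when the returned list is non-empty, with the accepted-risk URLs kept in version control alongside the triage decision.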

Once risks are prioritised, you can explore remediation. This may at times involve code changes; at other times it may not, and the packages can simply be updated as required. Many of the tools available allow you to auto-update, and some allow you to set custom criteria for this, e.g. update to minor versions but not major versions.

Open-source components are now a mainstay of application development, and their usage is only increasing. Implementing a comprehensive supply chain management process as part of your DevOps practices can reduce your risk exposure and minimise the attack surface available to malicious actors. The implementation of these practices is straightforward; they don't require substantial configuration and should be viewed as a first step towards a more secure DevOps posture.
