
05 - Vulnerability Scanning for App Dependencies
by TWN
No part of this publication may be reproduced, copied, transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior written permission of nnSoftware GmbH.

Copyright 2023 nnSoftware GmbH. All rights reserved.


TechWorld with Nana is an established name in the DevOps and Cloud industry, and it stands for quality training that has helped thousands of engineers acquire the most in-demand skills in this field.

Our mission is to enable individual engineers as well as companies to take advantage of the recent developments in the Cloud and DevOps fields, and to use these technologies and concepts to create efficient, automated, streamlined DevSecOps processes in organisations.



Why Software Composition Analysis (SCA)?

Introduction: application code is made up of 3rd-party libraries

- Developers use many 3rd-party frameworks and libraries to write their code
- So major parts of the final application code are actually external 3rd-party open source components
- These are called "dependencies" of an application
- Dependencies are external libraries, frameworks and modules that the application relies on to function properly
- Each library used can itself depend on other libraries



Introduction

- No matter the programming language, the application always has dependencies
- The dependencies of an application are defined in a dependencies file

Why SCA?

- For hackers it doesn't matter where the code that ends up in your final application comes from
- To ensure we use secure third-party code, we run vulnerability scans for those libraries as well



What is SCA?

Software Composition Analysis (SCA)

- Scans for vulnerabilities in your dependencies
- It also does static code analysis

SCA Tools

- Various tools are available per language (npm audit, retire.js for JavaScript)
- Tools are available that support multiple programming languages (dependency-check by OWASP)
- Always use popular, verified tools, and a combination of multiple complementary tools



Vulnerability Databases

Public vulnerability databases

- Often libraries are used by thousands of other companies/projects
- So generally libraries are scanned continuously for vulnerabilities
- This data is saved in a public vulnerability database
- For each library, the database contains information such as:
  - Which issues are in which version of the library?
  - In which version is the issue fixed?
- This data gets updated regularly



Vulnerability Databases

Common Vulnerabilities and Exposures (CVE)

- Free service that identifies and catalogs known software vulnerabilities
- CVE is not, in itself, an actionable vulnerability database
- The list is maintained by a large community of trusted entities and individuals
- It's used by many security tools
- The SCA tool validates whether we use a library with a vulnerable version



Use SCA Tool

SCA Tool

For any tool you use, you can proceed like this:

1 - Use the official Docker image of the tool
2 - Execute the command
3 - Check the documentation for what parameters and behavior you need

DevOps and tools are dynamic and evolving



Retire.js

Add to CI Pipeline

What it is and how it works

- Popular open source scanner for JavaScript libraries
- Maintains a database of known vulnerabilities
- Scans the code of libraries in the node_modules folder



Remediation Example of Vulnerable Dependencies

Example detected vulnerability

- Vulnerable library allowing for code injection
- Which is fixed from a specific version upwards



Direct vs Transitive Dependencies

Looks like an easy fix of just updating the library version, but it's not...

- A direct dependency is a package you include in your own project
- A transitive (indirect) dependency is a package used by one of your direct dependencies
- It's like a nested tree
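To make the nested-tree idea concrete, here is an added example written for this page, not code from the course or from Retire.js: a toy SCA pass in JavaScript that walks a constructed package-lock.json the way a scanner walks node_modules, matches each installed version against a constructed advisory database of the kind the "Vulnerability Databases" slides describe (which versions are affected, in which version the issue is fixed), and records the dependency chain so every finding is labelled direct or transitive. The lockfile, the package names, the versions and the DEMO-* advisory ids are all made up for the example, and the version comparison is a plain major.minor.patch comparison rather than a full semver parser.

```javascript
// Added example (not from the course slides): a minimal SCA pass that walks a
// constructed package-lock.json (lockfileVersion 3 layout, where every
// installed package is keyed by its node_modules path) and matches each
// installed version against a constructed advisory database. It keeps the
// dependency chain for every hit, so the report says whether the vulnerable
// package is a direct dependency or was pulled in transitively.
// All package names, versions and advisory ids below are made up.

const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    // "" is the project itself; its dependencies are the direct ones.
    "": { dependencies: { "web-framework": "^2.0.0", "template-lib": "^1.4.0", "old-logger": "^3.0.0" } },
    "node_modules/web-framework": {
      version: "2.3.1",
      dependencies: { "template-lib": "^1.0.0", "deep-parse": "^0.9.0" },
    },
    // Hoisted copy used by the project; the nested copy below is the one
    // web-framework actually loads at runtime.
    "node_modules/template-lib": { version: "1.4.2" },
    "node_modules/web-framework/node_modules/template-lib": { version: "1.1.0" },
    "node_modules/deep-parse": { version: "0.9.5" }, // hoisted transitive dependency
    "node_modules/old-logger": { version: "3.2.0" },
  },
};

// Constructed advisories: a package is affected when introduced <= version < fixed.
const VULN_DB = [
  { id: "DEMO-2023-0001", package: "template-lib", introduced: "1.0.0", fixed: "1.4.0", severity: "high", title: "Template injection" },
  { id: "DEMO-2023-0002", package: "deep-parse", introduced: "0.0.0", fixed: "1.0.0", severity: "critical", title: "Prototype pollution" },
  { id: "DEMO-2023-0003", package: "old-logger", introduced: "3.0.0", fixed: "3.5.0", severity: "medium", title: "Log injection" },
];

// Plain major.minor.patch comparison; real tools use a full semver parser
// that also understands pre-release tags and build metadata.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffected(version, advisory) {
  return compareVersions(version, advisory.introduced) >= 0 &&
         compareVersions(version, advisory.fixed) < 0;
}

// Node module resolution over lockfile keys: look for the dependency in the
// requiring package's own node_modules, then walk up towards the root.
function resolveDependency(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. an optional dependency)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the project root; chain[0] is always the direct
// dependency that brought the package in.
function scanLockfile(lockfile, db) {
  const packages = lockfile.packages;
  const findings = [];
  const reported = new Set(); // advisory id + installed path: a shared package
                              // is reported once, via the first chain found
  const visited = new Set();

  function visit(pkgPath, chain) {
    if (visited.has(pkgPath)) return;
    visited.add(pkgPath);
    const deps = packages[pkgPath].dependencies || {};
    for (const name of Object.keys(deps)) {
      const depPath = resolveDependency(packages, pkgPath, name);
      if (!depPath) continue;
      const depChain = [...chain, name];
      const version = packages[depPath].version;
      for (const adv of db) {
        const key = `${adv.id}@${depPath}`;
        if (adv.package !== name || !isAffected(version, adv) || reported.has(key)) continue;
        reported.add(key);
        findings.push({
          id: adv.id, package: name, version, fixed: adv.fixed, severity: adv.severity,
          title: adv.title, direct: depChain.length === 1, chain: depChain,
        });
      }
      visit(depPath, depChain);
    }
  }

  visit("", []);
  return findings;
}

// One human-readable line per finding, naming the direct dependency at the
// top of the chain when the hit is transitive.
function formatFindings(findings) {
  return findings.map((f) => {
    const origin = f.direct ? "direct dependency" : `transitive via ${f.chain.slice(0, -1).join(" > ")}`;
    return `${f.severity.toUpperCase()} ${f.id} ${f.title}: ${f.package}@${f.version} (${origin}), fixed in ${f.fixed}`;
  });
}

console.log(formatFindings(scanLockfile(LOCKFILE, VULN_DB)).join("\n"));
```

Run it with node. The report names the direct dependency at the top of each chain, which is the package that has to be bumped (or whose maintainer has to ship a fix) when the hit is transitive, and the two copies of template-lib show why matching only the top-level node_modules is not enough: the project's own 1.4.2 is already fixed, while the nested 1.1.0 that web-framework loads is still affected.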



Updating Library Versions in General

Looks like an easy fix of just updating the library version, but it's not...

Incompatibility issues

- A new library version may be incompatible with our application code
- In that case developers may need to update the actual code, not just the version



Note on Updating Library Versions

- This is another reason why developers are responsible for fixing security issues related to the application code itself
- As DevSecOps engineers we make developers aware of the known vulnerabilities
- Developers know the code best
- Major updates especially are critical and must be done with care
- Extensive testing is necessary to ensure nothing is broken



Status of DevSecOps Pipeline

Our pipeline now tests different aspects of our application:

- Hard-coded secrets
- Code security
- Vulnerabilities in dependencies
