Monitoring for Vulnerable Dependencies

Wednesday, October 20, 2021 - Richard Brown

Today, we live in a world of multiple dependencies, with popular package managers and registries like npm, Yarn and NuGet housing reusable code for developers. Even a very simple Vue app created with the Vue CLI pulls in nearly 1000 npm packages, a further testament to the significance that dependencies hold within development.

But with great power comes great vulnerability. Any of these packages could be hiding vulnerabilities that are just waiting to be exploited by attackers. The DCMS Cyber Security Breaches Survey shows that while breaches have decreased in the past year, from 46% in 2020 to 39% this year, cyber security remains a great threat to businesses across the UK.

Worryingly, fewer businesses are now deploying security monitoring tools (35%, down from 40% last year) or engaging in any user monitoring (32% vs. 38%). This reduction indicates negligence rather than progress; in reality, companies may simply be less aware of the breaches to which they are exposed.

The impact of suffering a breach can have monumental effects upon a business’ finances and reputation. At the beginning of this year, it was revealed that 17 organisations, including The Reserve Bank of New Zealand and The US Department of Health and Human Services, had been victims of a data breach at the hands of ransomware group Clop and financial crime group FIN11. This incident occurred after software provider Accellion had been too slow in releasing patches for a zero-day vulnerability in one of their file sharing services.

This event serves as a timely reminder to promptly monitor and fix vulnerabilities, with Accellion now facing over 14 lawsuits for their negligence.

The prominence of these vulnerabilities is reflected in the OWASP Top 10, where ‘Vulnerable and Outdated Components’ is currently ranked #6 on the list (up from #9 in 2017). Faced with these concerns, businesses must be proactive and continually monitor dependencies for vulnerabilities to avoid potential breaches.

How we monitor for vulnerable dependencies at Audacia

At Audacia, we’re committed to secure software development. We run a scheduled job on every system to check for vulnerable dependencies. Using the free and open source OWASP Dependency Check tool, this job scans all npm, NuGet and, if required, Yarn dependencies on a weekly basis.

The jobs themselves run as Azure Pipelines; we have a reusable set of steps written in YAML, so each system’s pipeline just needs to specify a schedule and execute those steps:

name: $(Date:yyyyMMdd)
# Only the schedule below starts this pipeline; pushes and pull requests do not
trigger: none
pr: none
schedules:
  # Will run weekly, at midnight on Sunday
- cron: "0 0 * * 0"
  displayName: Weekly Dependency Check
  branches:
    include:
    - dev
resources:
  repositories:
  # Use our Audacia.Build repository, which contains reusable pipeline steps and jobs
  - repository: templates
    type: git
    name: Audacia/Audacia.Build
pool:
  vmImage: windows-latest

steps:
  # Each template is resolved from the 'templates' repository resource declared above
  - template: /steps/npm/[email protected]
    parameters:
      displayName: npm Dependency Check
      publishAs: Dependency Check Result (npm)
      runEvenIfError: true

  - template: /steps/netcore/[email protected]
    parameters:
      displayName: .NET Dependency Check
      publishAs: Dependency Check Result (.NET)
      runEvenIfError: true

Any vulnerabilities that are discovered are reported as part of our Information Security Management System (ISMS). A per-system report is then passed to the development team to investigate, so that we can assess any existing vulnerabilities and formulate a solution moving forward. The typical solution is to upgrade the vulnerable package if a patched version exists.

Monitoring Standards Company-wide

As a company we have various checks in place to ensure that vulnerable dependencies are monitored on a consistent basis.

For one, we hold patching vulnerable and/or out-of-support dependencies as a core item in our secure coding standards, which all developers follow.

These same standards are reiterated at the start of each new project, which begins with a technical kick-off. There is a particular emphasis here on the need to patch vulnerabilities, so that the development team is aware of its responsibility.

On top of this, each project goes through a pre-deployment checklist, which checks that a scheduled pipeline is set up for checking dependencies on a regular basis.

We are also acutely aware of the importance of keeping key frameworks, like .NET and Angular, up to date and on long-term support (LTS) releases. We monitor and handle version requirements proactively across all systems that we maintain.

A Necessity for Security

Like digital transformation, monitoring vulnerable dependencies can be thought of as a continuous process of improvement.

A one-off check prior to a release will not suffice, as new vulnerabilities are being discovered all the time. What was ‘fine’ last week could have a newly found vulnerability this week.
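The weekly pipeline above publishes a Dependency Check result per system, and the point just made is that last week's clean report says nothing about this week. The script below is an added example (not Audacia's code nor part of the Dependency Check tool) of the triage a pipeline step can apply to that report: it counts findings by severity for the per-system report, lists anything at or above a blocking severity, and diffs this week's report against last week's to surface newly published findings. The field names (dependencies, fileName, vulnerabilities, name, severity) are assumed from Dependency Check's JSON report schema; both reports are constructed samples with placeholder CVE ids.

```python
"""Triage OWASP Dependency Check JSON output between two weekly runs.
Field names (dependencies/fileName/vulnerabilities/name/severity) are assumed
from the Dependency Check JSON report schema; both reports below are
constructed samples with placeholder CVE ids, not real scan output."""
import json

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed last-week report: one medium finding, package b clean.
LAST_WEEK = json.dumps({"dependencies": [
    {"fileName": "pkg-a@1.0.0",
     "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "MEDIUM"}]},
    {"fileName": "pkg-b@2.3.1"}]})

# Constructed this-week report: package b now carries a newly published high.
THIS_WEEK = json.dumps({"dependencies": [
    {"fileName": "pkg-a@1.0.0",
     "vulnerabilities": [{"name": "CVE-0000-0001", "severity": "MEDIUM"}]},
    {"fileName": "pkg-b@2.3.1",
     "vulnerabilities": [{"name": "CVE-0000-0002", "severity": "HIGH"}]}]})


def findings(report_json):
    """Map (dependency file name, vulnerability id) -> severity."""
    result = {}
    for dep in json.loads(report_json).get("dependencies", []):
        # A clean dependency has no 'vulnerabilities' key at all.
        for vuln in dep.get("vulnerabilities") or []:
            sev = str(vuln.get("severity", "UNKNOWN")).upper()
            result[(dep["fileName"], vuln["name"])] = sev
    return result


def summarise(report_json):
    """Per-severity counts for the per-system report handed to the team."""
    counts = {}
    for sev in findings(report_json).values():
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def blocking(report_json, threshold="HIGH"):
    """Findings at or above the threshold; a non-empty list should fail the job."""
    floor = SEVERITY_RANK[threshold]
    return sorted(key for key, sev in findings(report_json).items()
                  if SEVERITY_RANK.get(sev, 0) >= floor)


def new_since(previous_json, current_json):
    """Findings in this week's report that last week's report did not have."""
    return sorted(set(findings(current_json)) - set(findings(previous_json)))
```

In a pipeline, a step would call blocking() on the freshly published report and new_since() against the previous run's artifact, so the team sees what changed rather than re-reading the whole list each week.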

At Audacia, we put security at the very heart of our development and ensure that we regularly monitor, correct and update all dependencies as is needed.
