Monitoring for Vulnerable Dependencies
Wednesday, October 20, 2021 - Richard Brown
Today, we live in a world of many dependencies, with package managers and registries like npm, Yarn and NuGet distributing reusable code to developers. Even a very simple Vue app created with the Vue CLI pulls in nearly 1000 npm packages, most of them transitive dependencies the developer never chose directly, which shows how much of a modern codebase is written by someone else.
But with great power comes great vulnerability. Any of these packages could be hiding a weakness that is waiting to be exploited. The DCMS Cyber Security Breaches Survey shows that while the proportion of businesses reporting breaches or attacks fell in the past year, from 46% in 2020 to 39% this year, cyber security remains a serious threat to businesses across the UK.
Worryingly, fewer businesses now deploy security monitoring tools (35%, down from 40% last year) or carry out any user monitoring (32% vs. 38%). That decline is more likely to signal reduced visibility than reduced risk: a company that monitors less will also detect fewer of the breaches it actually suffers.
The impact of a breach on a business's finances and reputation can be monumental. At the beginning of this year it was revealed that 17 organisations, including the Reserve Bank of New Zealand and the US Department of Health and Human Services, had fallen victim to data theft by the ransomware group Clop and the financial crime group FIN11. The attackers exploited zero-day vulnerabilities in Accellion's legacy File Transfer Appliance, and Accellion was criticised for being too slow in releasing patches.
This event serves as a timely reminder to monitor for vulnerabilities and fix them promptly; Accellion now faces over 14 lawsuits alleging negligence.
The prominence of this class of weakness is reflected in the OWASP Top 10, where 'Vulnerable and Outdated Components' is currently ranked #6 (up from #9 in 2017, when it was called 'Using Components with Known Vulnerabilities'). Faced with these concerns, businesses must be proactive and continually monitor their dependencies for vulnerabilities to avoid potential breaches.
How we monitor for vulnerable dependencies at Audacia
At Audacia, we're committed to secure software development. We run a scheduled job on every system to check for vulnerable dependencies. Using the free and open source OWASP Dependency-Check tool, which matches the packages it finds against published vulnerability data such as the NVD, this job scans all npm, NuGet and, where a project uses it, Yarn dependencies on a weekly basis.
The jobs themselves run as Azure Pipelines. We have a reusable set of steps written in YAML, so each system's pipeline only needs to specify a schedule and execute those steps:
```yaml
name: $(Date:yyyyMMdd)

trigger: none
pr: none

schedules:
  # Will run weekly, at midnight on Sunday
  - cron: "0 0 * * 0"
    displayName: Weekly Dependency Check
    branches:
      include:
        - dev

resources:
  repositories:
    # Use our Audacia.Build repository, which contains reusable pipeline steps and jobs
    - repository: templates
      type: git
      name: Audacia/Audacia.Build

pool:
  vmImage: windows-latest

steps:
  - template: /steps/npm/[email protected]
    parameters:
      displayName: npm Dependency Check
      publishAs: Dependency Check Result (npm)
      runEvenIfError: true
  - template: /steps/netcore/[email protected]
    parameters:
      displayName: .NET Dependency Check
      publishAs: Dependency Check Result (.NET)
      runEvenIfError: true
```
Any vulnerabilities that are discovered are reported as part of our Information Security Management System (ISMS). A per-system report is then passed to the development team to investigate, so that we can assess each finding and agree a solution. The typical solution is to upgrade the vulnerable package if a patched version exists.
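The per-system report above is where the scheduled scan turns into work for a team, and the weekly cadence means the useful question is "what is new since last week, and what has to be fixed before release?". The following is an added example, not Audacia's code or part of the Audacia.Build templates: it reads the JSON report that Dependency-Check writes with `--format JSON`, deduplicates findings, honours time-limited suppressions in the spirit of Dependency-Check's suppression file (so accepted risk is revisited rather than forgotten), diffs against the previous run, and returns whether the job should fail. The field names follow the Dependency-Check report schema; the two reports, the package names and the `FAKE-…` advisory identifiers are constructed for the example and do not describe real vulnerabilities.

```python
"""Triage an OWASP Dependency-Check JSON report into a per-system summary.

Added example, not Audacia's code. Field names (dependencies[].packages[].id,
dependencies[].vulnerabilities[].name / severity / cvssv3.baseScore / cvssv2.score)
follow the Dependency-Check report schema. Reports and FAKE-... identifiers
below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True, order=True)
class Finding:
    score: float     # CVSS v3 base score if present, else v2 score, else 0.0
    package: str     # package URL as reported, e.g. pkg:npm/name@version
    advisory: str    # CVE or other advisory identifier as reported
    severity: str    # Dependency-Check's severity label, upper-cased


@dataclass(frozen=True)
class Suppression:
    """Accepted risk for one advisory on one package, valid only until a date
    (mirrors the `until` attribute of Dependency-Check's suppression XML)."""
    package: str
    advisory: str
    until: date


def score_of(vuln: dict) -> float:
    """Prefer CVSS v3; fall back to v2; 0.0 when the source supplied neither."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return 0.0


def extract_findings(report: dict) -> set:
    """Flatten the report to unique (package, advisory) findings. The set drops
    duplicates such as one module vendored twice under node_modules."""
    findings = set()
    for dep in report.get("dependencies", []):
        ids = [p["id"] for p in dep.get("packages", [])] or [dep.get("fileName", "<unknown>")]
        for vuln in dep.get("vulnerabilities", []):
            for pkg in ids:
                findings.add(Finding(score_of(vuln), pkg, vuln["name"],
                                     vuln.get("severity", "UNKNOWN").upper()))
    return findings


def is_suppressed(f: Finding, suppressions, today: date) -> bool:
    """An expired suppression no longer hides the finding, so it resurfaces for review."""
    return any(s.package == f.package and s.advisory == f.advisory and today <= s.until
               for s in suppressions)


def triage(report: dict, previous_report=None, suppressions=(), fail_on: float = 7.0,
           today=None) -> dict:
    """Summarise one scan for the team and decide whether the pipeline should fail."""
    today = today or date.today()
    current = extract_findings(report)
    previous = extract_findings(previous_report) if previous_report else set()
    active = {f for f in current if not is_suppressed(f, suppressions, today)}
    failing = sorted((f for f in active if f.score >= fail_on), reverse=True)
    return {
        "total": len(current),
        "suppressed": len(current) - len(active),
        "new_since_last_run": sorted(active - previous, reverse=True),
        "failing": failing,
        "should_fail": bool(failing),
    }


# Constructed sample in the shape of a Dependency-Check JSON report (this week).
WIDGET = {"id": "pkg:npm/example-widget@1.2.3"}
CRITICAL = {"name": "FAKE-2021-0001", "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}}
MEDIUM = {"name": "FAKE-2020-0002", "severity": "MEDIUM", "cvssv2": {"score": 5.0}}
CURRENT_REPORT = {"dependencies": [
    {"fileName": "node_modules/example-widget/package.json", "packages": [WIDGET],
     "vulnerabilities": [CRITICAL, MEDIUM]},
    # Same package pulled in again by another module: same advisory, counted once.
    {"fileName": "node_modules/other/node_modules/example-widget/package.json",
     "packages": [WIDGET], "vulnerabilities": [CRITICAL]},
    {"fileName": "Example.Parser.dll", "packages": [{"id": "pkg:nuget/Example.Parser@4.0.0"}],
     "vulnerabilities": [{"name": "FAKE-2021-0003", "severity": "HIGH",
                          "cvssv3": {"baseScore": 7.5}}]},
]}
# Constructed report from last week's run: only the medium finding was known then.
PREVIOUS_REPORT = {"dependencies": [
    {"fileName": "node_modules/example-widget/package.json", "packages": [WIDGET],
     "vulnerabilities": [MEDIUM]}]}
# Risk accepted for the NuGet finding, to be re-reviewed at year end.
SUPPRESSIONS = (Suppression("pkg:nuget/Example.Parser@4.0.0", "FAKE-2021-0003", date(2021, 12, 31)),)
SCAN_DATE = date(2021, 10, 20)

if __name__ == "__main__":
    summary = triage(CURRENT_REPORT, PREVIOUS_REPORT, SUPPRESSIONS, today=SCAN_DATE)
    for f in summary["new_since_last_run"]:
        print(f"NEW  {f.severity:<8} {f.score:>4} {f.package} {f.advisory}")
    print(f"{summary['total']} findings, {summary['suppressed']} suppressed, "
          f"{len(summary['failing'])} at or above the failure threshold")
    raise SystemExit(1 if summary["should_fail"] else 0)
```

Run on the sample data, the summary reports three unique findings, one suppressed, one new critical since last week, and a failing exit status; run the same triage after the suppression's `until` date and the NuGet finding comes back into the failing list, which is the behaviour you want from a weekly job rather than a one-off check.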
Monitoring Standards Company-Wide
As a company we have various checks in place to ensure that vulnerable dependencies are monitored on a consistent basis.
For one, we hold patching vulnerable and/or out-of-support dependencies as a core item in our secure coding standards, which all developers follow.
These same standards are reiterated at the start of each new project, which begins with a technical kick-off. There is a particular emphasis here on the need to patch vulnerabilities, so that the development team is aware of its responsibility from day one.
On top of this, each project goes through a pre-deployment checklist, which checks that a scheduled pipeline is set up for checking dependencies on a regular basis.
We are also acutely aware of the importance of keeping key frameworks, like .NET and Angular, up to date and on long-term support (LTS) releases, since an out-of-support framework stops receiving security fixes even when no specific vulnerability has been announced. We monitor and handle version requirements proactively across all systems that we maintain.
A Necessity for Security
Like digital transformation, monitoring for vulnerable dependencies is a continuous process of improvement rather than a one-off task.
A single check prior to a release will not suffice, because new vulnerabilities are disclosed all the time. What was 'fine' last week could have a newly disclosed vulnerability this week, without a single line of your own code having changed.
At Audacia, we put security at the very heart of our development and ensure that we regularly monitor, correct and update all dependencies as is needed.