Securing open source: a brief look at dependency management
Taking full advantage of all that IT automation and orchestration have to offer frequently involves combining IT infrastructure automation with in-house application development. To this end, open source software is often used to speed development. Unfortunately, incorporating third-party software into your application means incorporating that third-party software’s vulnerabilities, too.
Scanning for, identifying, and patching open source dependencies in an application’s codebase is known as dependency management, and it’s increasingly considered a critical part of modern development. A recent report found that 60% of open source programs audited had a vulnerability that’s already been patched. With 96% of all code using open source libraries, this is a problem that impacts everyone.
There are many dependency management products available; too many to list in a single blog post. That said, we’ll look at some examples of well-known dependency management products that fall into three broad categories: free, open source software; commercial software with a free tier; and commercial software without a free tier.
Some dependency management products rely on open source vulnerability lists (the most famous of which is supplied by the National Institute of Standards and Technology [NIST]). Some products are commercial, and use closed databases (often in combination with the open source ones). Let’s take a look at the diversity of choices available.
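Every product discussed below performs the same basic loop: enumerate the dependencies a build actually pins, then cross-reference each pinned version against an advisory feed and report the ranges that match. The following Python script is an added example, not code from any of the products named on this page; it runs a constructed Gemfile.lock excerpt against a constructed advisory list (the EXAMPLE-* identifiers are placeholders, not real CVE ids) to show the lock-file parsing and version-range matching that a checker such as bundler-audit or OWASP Dependency Check does against the NIST data.

```python
import re

# Constructed advisory feed (placeholder ids, not real CVEs), shaped like an
# NVD-derived list: one record per vulnerable version range plus the first fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "rack", "affected": ">=2.0.0, <2.0.6", "fixed": "2.0.6"},
    {"id": "EXAMPLE-0002", "package": "rails", "affected": ">=5.2.0, <5.2.1", "fixed": "5.2.1"},
    {"id": "EXAMPLE-0003", "package": "nokogiri", "affected": "<1.8.1", "fixed": "1.8.1"},
    {"id": "EXAMPLE-0004", "package": "sinatra", "affected": "<2.0.2", "fixed": "2.0.2"},
]

# Constructed Gemfile.lock excerpt. Only the 4-space-indented lines under "specs:" are
# gems pinned by the lock file; 6-space lines are their transitive requirements.
LOCKFILE = """\
GEM
  remote: https://rubygems.org/
  specs:
    nokogiri (1.8.2)
      mini_portile2 (~> 2.3.0)
    rack (2.0.5)
    rails (5.2.0)
      rack (~> 2.0)

PLATFORMS
  ruby

DEPENDENCIES
  rails
"""

SPEC_LINE = re.compile(r"^ {4}(\S+) \(([^)]+)\)$")
CONSTRAINT = re.compile(r"^(>=|<=|>|<|=)\s*(\S+)$")


def parse_version(text):
    """'2.0.5' -> (2, 0, 5). Platform suffixes such as '1.8.2-x86_64-linux' and
    pre-release tags are dropped; a production tool orders pre-releases explicitly."""
    core = text.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def compare(a, b):
    """Return -1, 0 or 1 for version tuples a and b, padding the shorter one with zeros."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_lockfile(text):
    """Return {gem_name: pinned_version} from the specs: section of a Gemfile.lock."""
    pinned = {}
    in_specs = False
    for line in text.splitlines():
        if line.strip() == "specs:":
            in_specs = True
            continue
        if in_specs and line and not line.startswith(" "):
            in_specs = False  # reached the next top-level section (PLATFORMS, DEPENDENCIES)
        m = SPEC_LINE.match(line) if in_specs else None
        if m:
            pinned[m.group(1)] = m.group(2)
    return pinned


def is_affected(version, affected):
    """True if version satisfies every comma-separated constraint of the advisory range."""
    v = parse_version(version)
    for clause in affected.split(","):
        m = CONSTRAINT.match(clause.strip())
        if not m:
            raise ValueError("unsupported constraint: %r" % clause)
        op, bound = m.group(1), parse_version(m.group(2))
        c = compare(v, bound)
        if not {">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c == 0}[op]:
            return False
    return True


def audit(lock_text, advisories=ADVISORIES):
    """Cross-reference pinned gems against the feed; return findings sorted by gem name."""
    pinned = parse_lockfile(lock_text)
    findings = []
    for adv in advisories:
        version = pinned.get(adv["package"])
        if version is None:
            continue  # advisory is for a gem this project does not depend on
        if is_affected(version, adv["affected"]):
            findings.append({"package": adv["package"], "installed": version,
                             "advisory": adv["id"], "fixed": adv["fixed"]})
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for f in audit(LOCKFILE):
        print("%-10s %-8s %-13s upgrade to %s"
              % (f["package"], f["installed"], f["advisory"], f["fixed"]))
```

Run as a script it reports rack 2.0.5 and rails 5.2.0 as affected and stays silent on nokogiri (already past the fixed version) and sinatra (not a dependency). The "fixed" field is what separates an alerting tool from an auto-updating one such as Greenkeeper: it is the version a pull request would bump to, and the reason such a bump should still go through the project's test suite before merging.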
Free, Open Source Software
Open Web Application Security Project (OWASP) is more of a meta project, or online community, than an individual product. There are currently four flagship OWASP projects, and they’re all useful to any organization developing their own software, or engaging in IT automation.
OWASP Zed Attack Proxy (ZAP) is described as “an open source web application security scanner.” Essentially, it’s a proxy server that can manipulate all traffic traversing it. This includes the ability to manipulate HTTPS streams.
OWASP Web Testing Environment Project is basically a bunch of penetration testing tools packaged as a live CD, virtual machine (VM), cloud instance, or more.
OWASP Offensive Web Testing Framework (OWTF) is a suite of tools for penetration testers. There are a great many plug-ins available.
OWASP Dependency Check is exactly what it sounds like. Billing itself as “a software composition analysis utility,” it’s a dependency management product that supports scanning code written in Java and .NET, with experimental support for Ruby, Node.js, and Python. There’s also some limited support for C/C++ if using autoconf or cmake.
Retire is free, and has been known to show up as a plug-in in web browsers, proxies, and as part of larger tools like OWASP. Retire has become quite popular as a web browser plug-in, in part because it offers passive scanning of websites as you browse, but also because of the extensive suite of scanning options that can be used.
Bundler-audit is another tightly focused dependency management product. In this case, bundler-audit is aimed at Ruby developers. For quite some time Ruby wasn’t widely supported by other dependency management products; bundler-audit is a good example of how open source projects tend to emerge to fill these gaps.
Commercial Software with a Free Tier
Greenkeeper is a fairly popular dependency management product, offering both free and paid tiers. The free tier is aimed at open source projects. Greenkeeper is popular in large part because it can be configured to update dependencies automatically.
Many dependency management applications won’t update dependencies at all, only providing alerts to developers and otherwise requiring manual intervention. The reason for this caution is usually some form of “Don’t incorporate things you don’t understand, or haven’t tested, into your software.” To address these concerns, Greenkeeper is capable of running the project’s npm tests against the updated dependencies before committing the changes.
OSSIndex and Nexus are both put out by Sonatype. OSSIndex and Nexus are good examples of the contrast between dependency management that uses entirely open and public vulnerability databases (OSSIndex), and dependency management that uses proprietary tools and sources (Nexus). Both are put out by the same vendor, and both have had their performance well characterized by numerous reviewers.
Commercial Software Without a Free Tier
Whitesource is a highly rated commercial dependency management product known for the diversity of development languages it supports. In addition to the standard publicly available vulnerability databases, Whitesource also tracks security advisories that are more expansive than Mitre/CVE, as well as project-specific bug trackers.
Synopsys BlackDuck is an example of software in the “pricing is not publicly available” class of products that has a dependency management component. BlackDuck can perform open source discovery through a number of methods ranging from scanning source code to scanning file systems. It can also perform dependency management, snippet matching, binary analysis and more. BlackDuck also has some automation capabilities.
Veracode, jFrog, Checkmarx, and SourceClear are other popular examples of commercial products that either are dependency management solutions, or offer that as part of a broader product. None of the products in this category are known to have a free tier.
Something for Everyone
Network automation alone can be a significant development project, but infrastructure automation is frequently only the beginning. IT automation happens layer upon layer. Once one system is automated, it’s frequently ignored from then on, forgotten in the rush to automate the next system, and to solve the next problem.
Once IT infrastructure is automated, the next step is orchestrating all of those automations to deliver self-service IT—also known as cloud computing. And once IT infrastructure has achieved cloud levels of orchestration, it becomes trivial to integrate applications with the infrastructure upon which they execute.
Layer upon layer of automation, integration, and dependency build up over time. But all software must be patched, especially the software we forget is even there. Fortunately, with such a diversity of dependency management products available, there’s something for everyone, no matter the size of the project you’re working on. This is important, because for IT automation to be successful it must be built on usable, user-friendly tooling.
Different tools are needed for different stages of a project’s lifecycle. The software that boosts your efficiency when your project has three developers is going to look a lot different from the software that keeps your project humming when you have 3,000.
Source: Cumulus Networks