Securing Your Dependencies

Development teams rarely perform code reviews on third-party dependencies, but the libraries and toolkits we use are often a source of software vulnerabilities. As a site owner, you need to ensure code written by other people is not making your system insecure.

Risks

Prevalence: Occasional
Exploitability: Moderate
Impact: Devastating

Almost every kind of website vulnerability has manifested itself in commonly used software libraries at some point:

  • SQL Injection vulnerabilities that allow execution of arbitrary SQL statements against a database.
  • Cross-Site Scripting vulnerabilities that permit attackers to execute malicious JavaScript in the browser.
  • Command Injection vulnerabilities that allow execution of arbitrary scripts on the server.

Pulling a library that carries one of these vulnerabilities into your system exposes you (and your users) to data theft, infection by malware, and system takeover, whether or not your own code ever calls the vulnerable function.

Protection

Careful consideration of how you manage dependencies is key to keeping your system secure. There are a number of aspects you need to get right.

  • Automate your build and deployment processes. To make your code secure, you need to know what code you are running. This means declaring all third-party libraries within build scripts or dependency management systems; building and deploying from source control; and keeping records of deployment logs.

  • Deploy known-good versions of software. Dependency management tools often allow you to leave the version of each dependency unspecified, which is shorthand for "grab the latest available version at build time." Avoid this: upgrade versions deliberately, once you have had a chance to review the release notes, and pin exact dependency versions (and, where your tool supports it, a lock file) in source control so that two builds of the same commit pull the same code.

  • Keep on top of security bulletins. Make sure your team is on the lookout for security announcements for the software you use. This can mean signing up for mailing lists, joining forums, or following library developers on social media. The development community is often the first to become aware of security issues, sometimes before a fix or an official advisory exists.

  • Perform regular code reviews so your whole development team knows what third-party libraries are being used, and which parts of your codebase depend on them.

  • Make penetration testing part of your development lifecycle. Penetration testing tools and dependency scanners fingerprint the library versions in your technology stack, check them against databases of known vulnerabilities, and attempt known exploits against them, so a vulnerable component is found by you before it is found by an attacker.
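As an added example (not code from the original page), the Python script below turns the pinning and bulletin-checking steps above into a single automated check that can run in a build pipeline: it parses a requirements file, reports every dependency that is not pinned to an exact version, and compares the pinned versions against an advisory list. The requirements text, the package names widgetlib and parserkit, and the advisory entry are all constructed for illustration; a real check would pull advisories from a database such as OSV or GitHub's advisory feed, for example via pip-audit or npm audit.

```python
"""Minimal dependency pin-and-advisory checker (added example, not the page's code).

Assumptions: pip-style requirements lines, dotted numeric versions, and a
constructed advisory table keyed by lowercase package name.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed requirements file, as a team might commit it to source control.
SAMPLE_REQUIREMENTS = """\
# Example pins (constructed for illustration, not a real project)
requests==2.31.0
widgetlib>=1.0          # floating lower bound: resolves to "latest" at build time
parserkit==1.2.0
markdown                # no version at all
"""

# Constructed advisory table: package -> list of (vulnerable range, note).
# The package and the flaw are hypothetical; real data would come from an
# advisory database, not a hard-coded dict.
ADVISORIES = {
    "parserkit": [("<1.3.0", "hypothetical: crafted input reaches a shell call")],
}

# Package name, optional operator, optional version (comments already stripped).
REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|!=|~=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)
SPEC_RE = re.compile(r"^(<=|>=|==|<|>)\s*([0-9][0-9A-Za-z.]*)$")
OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


@dataclass
class Requirement:
    name: str
    op: Optional[str]
    version: Optional[str]
    lineno: int

    @property
    def pinned(self) -> bool:
        """Only an exact '==' pin yields a known-good, reproducible build."""
        return self.op == "==" and self.version is not None


def parse_requirements(text: str) -> list:
    """Parse requirements text into Requirement records, ignoring comments."""
    reqs = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        name, op, version = m.groups()
        reqs.append(Requirement(name.lower(), op, version, lineno))
    return reqs


def version_tuple(v: str) -> tuple:
    """Dotted version -> comparable tuple; '1.2.0' and '1.2' compare equal."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_matches(version: str, spec: str) -> bool:
    """True if `version` falls inside a range written like '<1.3.0'."""
    m = SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad range spec {spec!r}")
    op, bound = m.groups()
    return OPS[op](version_tuple(version), version_tuple(bound))


def audit(text: str, advisories: dict = ADVISORIES) -> dict:
    """Return unpinned package names and (name, version, note) advisory hits."""
    reqs = parse_requirements(text)
    unpinned = [r.name for r in reqs if not r.pinned]
    vulnerable = []
    for r in reqs:
        if not r.pinned:
            continue  # a floating version cannot be judged; it is already reported
        for spec, note in advisories.get(r.name, []):
            if version_matches(r.version, spec):
                vulnerable.append((r.name, r.version, note))
    return {"unpinned": unpinned, "vulnerable": vulnerable}


if __name__ == "__main__":
    report = audit(SAMPLE_REQUIREMENTS)
    for name in report["unpinned"]:
        print(f"UNPINNED   {name}")
    for name, ver, note in report["vulnerable"]:
        print(f"VULNERABLE {name}=={ver}: {note}")
```

Run it as a build step and fail the build when either list is non-empty; the "unpinned" check catches the floating-version habit the text warns about, and the advisory check is the part you would wire to a real vulnerability feed.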

Further Reading

If you don’t yet use dependency management, you probably should start. Here are the most popular dependency management systems for some major programming languages:
