This article is part of a series “Secure code development” in which I would like to show some tips and good practices for developers to help You build more secure software. Targeted audiences are IT students and junior developers but hopefully, anyone inside IT industry would read something interesting. Provided examples are created using java and spring-boot framework.
Dependency management
There is probably no application that uses no Open Source libraries. From some time already, almost every modern framework supports a solution that is dealing with dependency management – npm for JavaScripts, maven and Gradle for Java, pip for python or NuGet for .net applications. According to Synopsys report from 2019* more then 70% of the codebase of modern applications is code from imported libraries.
You must remember that each library You add to Your project has its own dependencies (which may have their own dependencies and so on…). So including single dependency may result in downloading and using dozens of open source libraries where every single one of them may or may not contain vulnerabilities.
This is why even if You have added few libraries into Your packages.json, operation of npm install looks like:
Open Source security – why it should be Your problem
Open Source libraries are becoming an interesting vector of attack for cybercriminals. Exploiting a single dependency may result in hundreds or even thousands of web applications vulnerable. There is an extraordinary presentation of Brian Vermeer** who shows how to make use of vulnerabilities in Open Source software which is used within a particular project. There are some quite easy to reproduce and use attacks on vulnerable libraries.
- Apache struts – for many security researchers name of this library is associated with Equifax*** breach. There are references with links to proper resources at the bottom of the article if You didn’t hear about this particular case please read carefully to see what can happen if the organization has no procedures or vision regarding vulnerability management or patch management within developed software. The vulnerability I am referring to is CVE-2017-5638 which is related to incorrectly parsing of Content-Type header which results in Remote Code Execution vulnerability.
Setting header value like this:
Content-Type: %{(#_='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(@java.lang.Runtime@getRuntime().exec('curl localhost:8000'))}
Will execute command ‘curl localhost:8000’ on host.
- Spring Data REST – this library is meant to help while creating REST Services. Including it within Your project results in generating CRUD methods (GET, PATCH, POST, DELETE) for particular entities. Unfortunately, version of the library bellow 2.6.9 is affected by CVE-2017-8046 which may result in remote code execution. Like it was mentioned before Spring Data REST generates methods where PATCH method is responsible for editing a particular object. Performing request which should update the post with id=12 but replacing the body with:
curl --request PATCH \ --url http://localhost:8080/posts/12 \--header 'content-type: application/json-patch+json' \ --data '[{"op":"replace","path":"T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{63,61,74,20,2f,65,74,63,2f,70,61,73,73,77,64})).x","value":"vulnhub"}]'
Where byte string is corresponding to “cat /etc/passwd” will result in executing OS command on host system.
Updating problems
The simplest solution seems to be to configure the environment to use the latest libraries available. Unfortunately, in many cases it can be a problem. Most of the OpenSource dependencies are built by the community with almost no revenue from this. There is a high probability that the next major version change (or even minor in some cases) is not backward compatible. So enabling auto dependency update may result in breaking the build of an application (because in newer version some of the methods may be unavailable).
Possible solutions to handle Open Source dependencies security
Security of Open Source libraries is a very popular topic today. There are plenty of solutions both free and commercial and I would like to point some of them here (most interesting from my point of view).
Free solutions:
- npm audit – is a build-in function of npm which performs analysis of dependencies from package.json. Operation is resulting in a list of vulnerabilities within the scope of used dependencies. Npm audit is not so accurate but it is worth mentioning.
- Pip safety check – is a package for python applications which is searching for default requirements file with the list of dependencies and then check if there are published vulnerabilities within them
- OWASP Dependency-Check – is a plugin for maven or Gradle. It verifies pom or build file to list libraries and check for vulnerabilities. It is worth mentioning that Dependency-Check enables security gateway which may block an application from been built if the application contains the particular number of vulnerabilities within dependencies.
- OWASP Dependency Track – this is high end solution which has no technology restriction (can be used by PHP, python, .net or JAVA applications). Dependency track is making use of CycloneDX library to generate SBOM (software bill of materials) – XML file which contains information of dependencies used within a project. Dependency Track may use commercial feed of vulnerabilities as well as the free one.
- GitHub dependabot– an awesome feature that works at this moment with javascript libraries. Each time dependabot detect vulnerable library within package.json it introduces a new pull request with a proper fix
There are also many commercial solutions: Snyk, Blackduck or Sonatype which offer much more options as well as CICD integration in scope of opensource management or licence management.
Conclusions
Open Source libraries used within developed software can contain security vulnerabilities. It is important to use bug and vulnerability free version as well as update dependencies to the latest versions whenever possible. There is a number of free and commercial solutions to support developers in this process. But even if there are tools available to be used it is really important for developers to understand how important is dependency management in terms of security.
References
* https://www.synopsys.com/software-integrity/resources/analyst-reports/2019-open-source-security-risk-analysis.html
** https://www.youtube.com/watch?v=irrN4YSRDkg
*** https://thehackernews.com/2017/10/equifax-credit-security-breach.html
https://owasp.org/www-project-dependency-check/
https://owasp.org/www-project-dependency-track/
https://docs.npmjs.com/cli/audit
Comments are closed