
Securing Open Source Libraries

Book Description

Open source software is amazing, but it’s also a complicated beast when it comes to ownership, trust, and security. Many organizations operate mission-critical systems with the help of open source libraries, unaware that some of those libraries carry publicly known vulnerabilities that attackers can exploit with little effort. An unpatched known vulnerability in an open source library is exactly what led to the 2017 Equifax breach.

In this practical report, author Guy Podjarny provides a framework to help you continuously find and fix known vulnerabilities in the open source libraries you use. Every software library has potential pitfalls, and vulnerable dependencies are prime targets. Aimed at architects and practitioners in development and application security, this report walks you through practices and tools to protect your applications at scale.

  • Understand what known vulnerabilities are and why they matter
  • Learn how to find and fix vulnerabilities in open source libraries
  • Integrate testing to prevent adding new vulnerable libraries to your code
  • Respond to newly disclosed vulnerabilities in libraries you already use
  • Learn which aspects matter most when choosing a Software Composition Analysis (SCA) testing tool
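The five points above amount to one workflow: resolve the full dependency graph, match every pinned version against an advisory feed, report each vulnerable path (direct and transitive), and gate the build on the result. The following Python script is an added illustration of that workflow and is not code from the report or from any SCA product; the advisory IDs, package names, versions and the lockfile graph are all constructed for the example and do not describe real packages or real vulnerabilities.

```python
"""Minimal software-composition-analysis (SCA) check: match a pinned
dependency graph against an advisory feed, report every vulnerable path
(direct and transitive), and decide whether a CI build should fail.
All package names, versions and advisory IDs are constructed for this
example; they are not real packages or real vulnerabilities."""
from collections import deque

# Constructed advisory feed. Ranges use the comma-separated comparator
# syntax common to lockfile tooling (e.g. ">=1.0.0,<1.4.2").
ADVISORIES = [
    {"id": "EX-2018-001", "package": "example-http", "range": ">=2.0.0,<2.5.1", "fixed": "2.5.1"},
    {"id": "EX-2018-002", "package": "example-yaml", "range": "<1.2.0", "fixed": "1.2.0"},
    {"id": "EX-2018-003", "package": "example-crypto", "range": ">=0.9.0,<=0.9.4", "fixed": None},
]

# Constructed resolved dependency graph, as a lockfile would record it:
# each key is a "name==version" pin, each value the pins it depends on.
# Note example-yaml appears twice at different versions.
LOCKFILE = {
    "app==1.0.0": ["example-http==2.4.0", "example-yaml==1.3.0", "example-tls==0.2.0"],
    "example-http==2.4.0": [],
    "example-yaml==1.3.0": [],
    "example-tls==0.2.0": ["example-crypto==0.9.4", "example-yaml==1.1.0"],
    "example-crypto==0.9.4": [],
    "example-yaml==1.1.0": [],
}

def parse_version(text):
    """'1.10.2' -> (1, 10, 2): numeric tuple compare, so 1.10 > 1.9."""
    return tuple(int(part) for part in text.split("."))

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}

def in_range(version, spec):
    """True when version satisfies every comma-separated comparator in spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        op = next((o for o in (">=", "<=", "==", ">", "<") if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported range clause: {clause!r}")
        if not _OPS[op](v, parse_version(clause[len(op):].strip())):
            return False
    return True

def find_vulnerable_paths(lockfile, advisories, root):
    """Breadth-first walk of the graph from root. One finding per
    (advisory, path), so a package pulled in twice at different versions
    is judged per pin, and a fix to one path does not hide the other."""
    findings = []
    queue = deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        name, version = node.split("==")
        for adv in advisories:
            if adv["package"] == name and in_range(version, adv["range"]):
                findings.append({"id": adv["id"], "path": path, "fixed": adv["fixed"]})
        for dep in lockfile.get(node, []):
            if dep not in path:  # guard against cyclic dependency graphs
                queue.append((dep, path + [dep]))
    return findings

def should_fail(findings, baseline_ids, mode="new_only"):
    """CI gate. 'all' blocks on any finding. 'new_only' blocks only on
    advisory IDs absent from the baseline (issues already triaged or
    logged), so a newly disclosed advisory is surfaced without breaking
    every build before the team has decided how to respond to it."""
    if mode == "all":
        return bool(findings)
    return any(f["id"] not in baseline_ids for f in findings)

if __name__ == "__main__":
    for f in find_vulnerable_paths(LOCKFILE, ADVISORIES, "app==1.0.0"):
        fix = f"upgrade to {f['fixed']}" if f["fixed"] else "no fixed version: patch, mitigate or remove"
        print(f"{f['id']}: {' > '.join(f['path'])} ({fix})")
```

Run against the constructed graph it reports three vulnerable paths: the direct example-http pin, the transitive example-crypto pin (which has no fixed release, so upgrading is not an option), and the transitive example-yaml 1.1.0 pin even though the application's own direct pin of example-yaml is at a safe version. The `should_fail` policy separates "newly added" from "newly disclosed" issues: the baseline set holds IDs the team has already accepted or ticketed, so only findings outside it fail the build.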

Table of Contents

  Introduction
    1. Book Purpose and Target Audience
    2. Tools Versus Libraries
    3. Application Versus Operating System Dependencies
    4. Known Vulnerabilities Versus Other Risks
    5. Comparing Tools
    6. Book Outline
  1. Known Vulnerabilities in Open Source Packages
    1. Vulnerabilities in Reusable Products
    2. Vulnerability Databases
      1. Common Vulnerabilities and Exposures (CVE)
      2. Common Platform Enumeration (CPE)
      3. Common Weakness Enumeration (CWE)
      4. Common Vulnerability Scoring System (CVSS)
    3. Known Vulnerabilities Outside CVE and NVD
    4. Unknown Versus Known Vulnerabilities
    5. Responsible Disclosure
    6. Summary
  2. Finding Vulnerable Packages
    1. Taxonomy
      1. Known Vulnerability Versus Vulnerable Path
      2. Testing Source Versus Built Apps
    2. Finding Vulnerabilities Using the Command Line
    3. Finding Vulnerabilities in SCM (GitHub, Bitbucket, GitLab)
      1. Granting Source Code Access
    4. Finding Vulnerabilities in Serverless and PaaS
    5. Finding Vulnerabilities in the Browser
    6. Vulnerable Component Versus Vulnerable Apps
    7. Summary
  3. Fixing Vulnerable Packages
    1. Upgrading
      1. Major Upgrades
      2. Indirect Dependency Upgrade
      3. Conflicts
      4. Is a Newer Version Always Safer?
      5. There Is No Fixed Version
    2. Patching
      1. Sourcing Patches
      2. Depend on GitHub Hash
      3. Fork and Patch
      4. Static Patching at Build Time
      5. Dynamic Patching at Boot Time
    3. Other Remediation Paths
      1. Removal
      2. External Mitigation
      3. Log Issue
    4. Remediation Process
      1. Ignoring Issues
      2. Fix All Vulnerable Paths
      3. Track Remediations Over Time
    5. Invest in Making Fixing Easy
    6. Summary
  4. Integrating Testing to Prevent Vulnerable Libraries
    1. When to Run the Test?
    2. Blocking Versus Informative Testing
    3. Failing on Newly Added Versus Newly Disclosed Issues
    4. Platform-Wide Versus App-Specific Integration
    5. Integrating Testing Before Fixing
    6. Summary
  5. Responding to New Vulnerability Disclosures
    1. The Significance of Vulnerability Disclosure
    2. Setting Up for Quick Remediation
    3. Monitoring Which Dependencies Your Apps Are Using
      1. Source Code Management Platform Integration
      2. Monitoring Deployed Code
      3. Integrating into Continuous Deployment
    4. Getting a Feed of Vulnerability Notifications
    5. CVEs Are Not Enough
      1. Early Notifications
    6. Automating Matching and Notification
      1. Who You Should Notify and How
      2. Automating Remediation Steps
      3. Breaking a Build on a New Vulnerability
    7. Becoming Vulnerable Due to Dependency Chain Updates
    8. Summary
  6. Choosing a Software Composition Analysis Solution
    1. Choose a Tool Your Developers Will Actually Use
    2. Aim to Fix Issues, Not Just Find Them
    3. Verify the Coverage of the Vulnerability DB
    4. Ensure Your Tool Understands Your Dependencies Well
    5. Choose the Tool That Fits Tomorrow’s Reality Too
  7. Summary