Code reuse: How to reap the benefits and avoid the dangers

by | Nov 12, 2018 | OWASP

Share This Story, Choose Your Platform

Code reuse (or software reuse) is defined exactly as one would expect: reusing code that already exists either within your organization or externally when developing new software.

The existing code may be reused to perform the same or very similar function. There are varying degrees of code reuse, ranging from repurposing a small section of internal code to relying on large third-party libraries and open-source frameworks.

While there are pros and cons to code reuse, one of the biggest (and often overlooked) issues is security. Whether you’re reusing internal or external code, if it has not been properly tested for vulnerabilities, your entire software application is at risk. This is typically a bigger concern when it comes to third-party code that has not been built and previously tested by your own team.

Anyone who doubts the potential ramifications of using insecure open source or third-party components can refer to the massive Equifax data breach to see just how devastating insecure code reuse can be for a company. The Open Web Application Security Project (OWASP) even includes “Using Components with Known Vulnerabilities” in its 2017 Ten Most Critical Web Application Security Risks (the OWASP Top 10).

Code reuse: The benefits and risks

There are several reasons why developers reuse code and third-party components:

  • Shorter development time—Tools such as GitHub and Python Package Index help developers find existing code to add functionality to their software without starting from scratch. This approach makes sense. Why waste time writing code to handle authentication if it has already been done? Instead, your developers can spend their time writing code for unique, value-added functionality to the product.
  • Better end product—Code reuse allows developers to add more functionality to software, creating what has the potential to be a better product. The caveat here is that it has to be secure. Otherwise, even the best product can quickly become one that can destroy your company’s reputation.

There are drawbacks to code reuse:

  • Buyer beware—There is no guarantee that the code you’re reusing is safe and free of vulnerabilities. If your team does not perform proper security checks, you may be exposing your software to data breaches, injection flaws, cross-site scripting, and other threats. For example, Apache Commons Collection is a popular third-party component for Java frameworks. Version 3.2.1 has a vulnerability that allows an attacker to take control of the server. Developers need to be aware of this threat so they can update to Version 3.2.2 or implement other security measures to prevent an attack.
  • Impact can be exponential—Insecure code used in a small piece of your project can lead to large-scale problems if it is used within a larger component.
  • Attackers are quick—If insecure code is reused and a vulnerability is exposed, you don’t have a lot of time to fix it. Attackers are moving faster than ever, often within days. The Apache Struts vulnerability from the Equifax breach, for example, is easy to carry out and repeat.
  • Lack of control—Obviously, you do not own the third-party components. If changes are made that impact your product, you will need to adjust immediately. Even changes to the license agreement can dramatically affect your application if you are not careful.

Software reuse techniques for secure software development

Use Software Composition Analysis (SCA) tools

SCA tools analyze the third-party source code, libraries, and frameworks used in an application to identify security vulnerabilities or licensing issues before the application is deployed. Examples include Black Duck and Sonatype.

SCA tools should be used in conjunction with other software vulnerability testing tools. This is the only way to make sure you’re finding vulnerabilities in both internally created code and external components.

An application vulnerability manager can streamline the process of correlating results from various tools, so you get comprehensive coverage in a manageable and easily digestible format.

Document the software supply chain

This is especially important for larger enterprises, where it can become easy to lose track of where third-party components are being used across databases and code repositories.

Create and maintain a list of all open source and third-party components used. This list should include which version of a particular component or library is currently in place.

A repository management tool can be used to manage the list. A point person should be assigned to maintain control, inform the necessary developers when updates or patches are required, and enforce a timeline for fixes.

Regular checks should be performed to make sure third-party components are secure. If a vulnerability is found, the documentation can be used to quickly identify any and all software using the vulnerable components.

Only allow code reuse from trusted sources

When reusing code, use code from popular libraries with active users. If the user community is large and engaged, any exposed vulnerabilities are more likely to be quickly shared so you can begin remediation work right away.

Use the OWASP Dependency Check

The OWASP Dependency Check is a tool that can be used to identify known vulnerabilities in third-party components you may be using. The check currently supports Java and .NET.

Manage patches

Monitor external components in use, so you are notified when a vulnerability is identified. This allows you to fix issues right away, before an attacker can exploit your software vulnerability.

Have an emergency plan in place, as patches often need to be created quickly. A documented procedure is best to make sure patches are installed in a timely manner.

Change your developers’ mindset

Developers tend to focus more on functionality than security. Educating your developers about the importance of secure code and making security testing a required part of the development process will decrease the incidence of insecure code reuse. Basic security training can also help developers build more secure code. When your developers understand the importance of using only trusted third-party components, your software’s overall risk posture will improve.

Reusing code brings some significant benefits to software development, but if security is ignored, the consequences can be dire—especially when it comes to third-party components. If your team takes the proper precautions and remains vigilant in security procedures, code reuse can be a vital part of your next software project.

Share This Story, Choose Your Platform