You almost can’t build a web application today without making use of third-party open source code. But how do you know that code you imported into your application from GitHub is secure? If the study sponsored by our technology partner and industry leader Contrast Security is to be believed, you have a 1-in-4 chance of importing someone else’s vulnerabilities into your application.
Using third-party libraries has become standard in the software development industry. Software is usually built on top of existing software, which in turn is built on top of other existing software, and so on. There’s little reason to reinvent the wheel, and programmers frequently develop functions, tools, and plug-ins to enhance everyone’s code, and release those under an open-source license. Adding some of these to new applications to solve a problem or implement a feature can dramatically reduce development time, so it’s become accepted practice to do so.
The outcome, however, can be dark.
Open-source Libraries are Vulnerable
Many third-party libraries are written by independent users who lack the resources to maintain and update them. Even some of those supported by larger enterprises adopt a set-it-and-forget-it approach, and let their published libraries fall into a state of neglect.
This can cause big problems down the road. Cyber threats crop up from unexpected places, and new vulnerabilities are discovered all the time. If software isn’t updated to mitigate these risks as they appear, then attackers can use those vulnerabilities as a foothold into your application.
Again, one in four open-source libraries contain known vulnerabilities, and those imported vulnerabilities can be used to penetrate the rest of your application.
That’s why you need to keep track of what goes into your application, including what versions of each component you have, and what vulnerabilities those components may have. Code Dx integrates with the right tools to check your application’s third-party libraries—a process called software composition analysis, and why we recently added Black Duck Hub to our family of tools.
Welcome, Black Duck Hub Users!
Black Duck Hub is an open-source library scanner that will analyze your application, identify every injection of open-source code, and map them against known vulnerabilities. This popular tool lets you create, implement, and enforce your own open-source standards, so you can make sure your development team sticks to the security rules.
Now that Code Dx works with Black Duck Hub, you can combine their third-party library analysis with other powerful security testing tools that will scan the rest of your code, from the inside-out. With a healthy selection of DAST, SAST, IAST, and now Threat Modeling tools, you can review every aspect of your application to make sure you and your customers’ data is secure. And you can manage all of those vulnerabilities from one place: Code Dx Enterprise.
A Dependency House of Cards
It gets even more interesting: it’s not always easy to actually know what third-party components your application is using. You may think you’ve only integrated one or two things, but in fact you may have brought in a host of other people’s code.
Nothing stops packages from using other packages, and other packages from using those, and so on. Software, especially open-source software, is usually dependent upon other, older code to function properly.
These third-party libraries are, essentially, houses of cards; their dependencies run deep, and without access to them, they won’t work, and neither will your application. You need all of that code, but then in order to be responsible you need to know what code you are using so you can make sure it’s safe.
To help you deal with this, Code Dx integrates with OWASP Dependency-Check, a tool that examines dependencies for your third-party libraries, and provides a clear look into what you’re actually importing into your project.