
Do you monitor your application for vulnerabilities?

Last updated by Tom Bui [SSW] 2 months ago.

Efficient software developers don't reinvent the wheel, and they know the right packages to use when monitoring for vulnerabilities in both frontend and backend dependencies. 🔐 Using third-party libraries as the building blocks of modern, high-quality applications has become common practice, since they save time and money in full-stack projects.

But this comes with an unexpected side effect: out-of-date packages that must be updated and re-tested, and even worse, vulnerabilities can be introduced!

One of the big challenges for developers to address is when a project has been delivered to a client and gone into maintenance mode. With no developer actively working on the project, if a vulnerability is discovered in a library referenced in the project, no one will be aware of it, and it will cause pain.

If you monitor the packages you have installed, then when a vulnerability is reported against one of them, we as developers have a duty of care to inform our clients.

Level 0 - Manual tracking

List all installed packages in a file, cross-check each one against the relevant security advisory database (or search for it), and update the list by hand on a regular basis. Not recommended, because this consumes a lot of time and is easy to forget.

Figure: Bad example - Tracking a list of packages manually

Level 1 - Using tools to scan for vulnerabilities

Modern package managers such as npm and NuGet offer a way to check the installed libraries for known vulnerabilities. See Do you keep your npm and yarn packages up to date?

  • npm: npm audit
  • yarn: yarn audit
  • dotnet cli: dotnet list package --vulnerable

Regularly running these commands gives you a summarised report of the known vulnerabilities in the referenced libraries.

This is an improvement over manual tracking but still requires a developer to check out the latest code and then run the command.

Figure: OK example - This npm audit command reports 1 package with a high severity vulnerability

Figure: OK example - This dotnet command reports 1 package with a high severity vulnerability
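The audit commands above are only useful if someone reads their output, so the usual next step is to run them in a build and fail it above a chosen severity. The script below is an added example, not from the SSW page or from npm/NuGet: it flattens the JSON that `npm audit --json` emits (audit report version 2) and the JSON that `dotnet list package --vulnerable --format json` emits into a common list of findings, then decides whether the build should fail. The sample reports are constructed, the package names are placeholders, and the exact shape of the dotnet JSON report is an assumption documented in the code.

```python
"""Gate a build on the JSON output of `npm audit` / `dotnet list package --vulnerable`.

Added example. The two SAMPLE_* reports are constructed test data, not real
audit output, and the package names in them are placeholders.
"""
from __future__ import annotations

import json
import subprocess
import sys

# npm reports lower-case severities; the dotnet JSON report capitalises them
# (assumed shape, see findings_from_dotnet), so every severity is normalised
# to lower case before it is ranked. Unknown names rank as 0 (informational).
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample of `npm audit --json` (auditReportVersion 2).
SAMPLE_NPM = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-pkg-a": {"name": "example-pkg-a", "severity": "high",
                          "isDirect": True, "fixAvailable": True},
        "example-pkg-b": {"name": "example-pkg-b", "severity": "moderate",
                          "isDirect": False, "fixAvailable": False},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1,
                                     "high": 1, "critical": 0, "total": 2}},
}

# Constructed sample of `dotnet list package --vulnerable --format json`.
# ASSUMPTION: projects[].frameworks[].topLevelPackages[].vulnerabilities[]
# with "severity" and "advisoryurl" keys, as emitted by recent .NET SDKs.
SAMPLE_DOTNET = {
    "version": 1,
    "parameters": "--vulnerable",
    "projects": [{
        "path": "Example.csproj",
        "frameworks": [{
            "framework": "net8.0",
            "topLevelPackages": [{
                "id": "Example.Package", "requestedVersion": "1.0.0",
                "resolvedVersion": "1.0.0",
                "vulnerabilities": [{"severity": "High",
                                     "advisoryurl": "https://example.invalid/advisory"}],
            }],
        }],
    }],
}


def findings_from_npm(report: dict) -> list[dict]:
    """Flatten an npm audit report into {package, severity, fix} records."""
    return [
        {"package": name, "severity": str(v["severity"]).lower(),
         "fix": bool(v.get("fixAvailable"))}
        for name, v in report.get("vulnerabilities", {}).items()
    ]


def findings_from_dotnet(report: dict) -> list[dict]:
    """Flatten a dotnet vulnerable-package report (assumed shape above)."""
    out: list[dict] = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            packages = fw.get("topLevelPackages", []) + fw.get("transitivePackages", [])
            for pkg in packages:
                for vuln in pkg.get("vulnerabilities", []):
                    out.append({"package": pkg["id"],
                                "severity": str(vuln["severity"]).lower(),
                                "advisory": vuln.get("advisoryurl", "")})
    return out


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings per severity, e.g. {"high": 1, "moderate": 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def blocking_findings(findings: list[dict], threshold: str = "high") -> list[dict]:
    """Return the findings at or above `threshold`; a non-empty list fails the build."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= limit]


def run_audit(kind: str) -> dict:
    """Run the real audit command and parse its JSON. Needs the tool and network."""
    cmd = {"npm": ["npm", "audit", "--json"],
           "dotnet": ["dotnet", "list", "package", "--vulnerable", "--format", "json"]}[kind]
    # npm audit exits non-zero when it finds anything, so the exit code is ignored
    # here and the parsed report decides instead.
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    kind = sys.argv[1] if len(sys.argv) > 1 else "npm"
    parse = findings_from_npm if kind == "npm" else findings_from_dotnet
    found = parse(run_audit(kind))
    print(f"{kind}: {summarize(found)}")
    blocking = blocking_findings(found, threshold="high")
    for f in blocking:
        print(f"  BLOCKING {f['severity']}: {f['package']}")
    sys.exit(1 if blocking else 0)
```

Run it as `python audit_gate.py npm` or `python audit_gate.py dotnet` from the project directory; a non-zero exit makes the pipeline stage fail, which is the cheapest way to make sure the report is seen without waiting for a developer to check out the code and run the command by hand.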

Using 3rd party tools can help you to automate vulnerability scanning.

These tools will alert you whenever there's a security vulnerability detected in the project and optionally raise a PR for it.

Some of the available tools in the market:

Figure: Good example - Dependabot produces a vulnerability report periodically (and can raise a PR for you)

Figure: Good example - Snyk produces a vulnerability detection alert email
