How to Address Vulnerabilities in Applications? These Tools Will Solve Them for You
Even though the security of the project and its dependencies should be a priority during app development, the number of vulnerabilities in applications and targeted attacks exploiting them is rising every year. Fortunately, there are tools that can help you expose them.
When you are writing a non-trivial project it is almost certain that you will use third-party code. You load external dependencies into your project that solves part of the logic or provides further functionality. Especially in the last year, this trend of decomposition and outsourcing is getting faster and faster - mostly because of the growing popularity and quantity of open source software. For example in a typical Javascript project, there are tens of dependencies - including the transitive dependencies, the number can go into the lower hundreds.
Minimize risks for the user
As useful and sometimes necessary it is to use third-party code, it also brings some safety risks. One of the last medialized cases was for example the package `1337qq-js` which was supposedly sending sensitive user files. The security team at Microsoft notified the community about the package and you will not get it installed from npm anymore. However, this is only one of the smaller “attacks” that are also often focused on stealing credentials to crypto wallets.
If we abstract from targeted and often very specific attacks, also code written in good faith can cause issues with a specific user input or it can introduce other problematic behaviour into your project. According to an analysis, up to 59 % of vulnerabilities in open source software remain unfixed. For the remaining 41 %, the median implementation time for the fix is 265 days.
Snyk: a lot of bang for the buck
In such an environment, it is of course best to be informed about each vulnerability as soon as possible and automatically at best. One of the easiest ways to protect Javascript projects is the command npm audit which scans dependencies on your project and compares their versions with the list of known vulnerabilities. With some, the fix is super easy, in such case, it can be solved automatically by the command “npm audit fix”.
Another tool that can also be used is Snyk which we have good experience with at Ackee and which is free for open source projects. It is and online and CLI tool that is looking for vulnerabilities not only in Javascript code but also in Typescript, PHP, Java, C#, Python and many other languages. During its analysis, Snyk uses not only public databases of vulnerabilities of individual platforms, but it also has a research team looking for vulnerabilities in the packages. At the same time, you can read on their blogs articles for example about how to stay safe when using npm.
As a developer-centric platform, Snyk offers, apart from CLI and an online environment, also integration to repository services and CI/CD tools. Apart from code vulnerability analysis, it can also uncover vulnerabilities directly in a Docker container, at the OS level. There is also a public database of vulnerabilities available, where you can for example look up the package that I mentioned at the beginning.
Safety comes first
The safety of a project and its dependencies is obviously a more complex topic than can fit into one article. Both of the above mentioned tools - ”npm audit” and Snyk - are however very simple and their use does not take up much time. For the beginning, it is an ideal way to start, if you want a lot of bang for the buck and therefore it can be seen as some “necessary minimum”.
In Ackee, we use “npm audit” in all of our projects that we are currently working on. If there is any more severe vulnerability found, the build fails and such version is not even deployed. The project remains running on an older version and for the deployment of a new one, a developer must resolve the security issue - for example by updating the dependency. With new open source packages, we also use Snyk, for example within the cosmas project.