Securing open source libraries : managing vulnerabilities in open source code packages
Introducing the book "Securing open source libraries : managing vulnerabilities in open source code packages" by Guy Podjarny, published by O'Reilly Media in 2019. The book is provided in PDF format, in English. "Securing open source libraries : managing vulnerabilities in open source code packages" is filed under Uncategorized.
Table of contents

Cover
Copyright
Table of Contents
Introduction
Chapter 1. Known Vulnerabilities in Open Source Packages
    Vulnerabilities in Reusable Products
    Vulnerability Databases
        Common Vulnerabilities and Exposures (CVE)
        Common Platform Enumeration (CPE)
        Common Weakness Enumeration (CWE)
        Common Vulnerability Scoring System (CVSS)
        Known Vulnerabilities Outside CVE and NVD
    Unknown Versus Known Vulnerabilities
    Responsible Disclosure
    Summary
Chapter 2. Finding Vulnerable Packages
    Taxonomy
        Known Vulnerability Versus Vulnerable Path
        Testing Source Versus Built Apps
    Finding Vulnerabilities Using the Command Line
    Finding Vulnerabilities in SCM (GitHub, BitBucket, GitLab)
        Granting Source Code Access
    Finding Vulnerabilities in Serverless and PaaS
    Finding Vulnerabilities in Containers
        Scanning Registries
        Scanning base images
        Scanning Packaged Container Apps
    Finding Vulnerabilities in the Browser
    Vulnerable Component Versus Vulnerable Apps
    Summary
Chapter 3. Fixing Vulnerable Packages
    Upgrading
        Major Upgrades
        Indirect Dependency Upgrade Conflicts
        Is a Newer Version Always Safer?
        There Is No Fixed Version
    Patching
        Sourcing Patches
        Depend on GitHub Hash
        Fork and Patch
        Static Patching at Build Time
        Dynamic Patching at Boot Time
    Other Remediation Paths
        Removal
        External Mitigation
        Log Issue
    Remediating Container Vulnerabilities
        Rebuild as a Remediation
        Reaching Zero Vulnerabilities
    Remediation Process
        Ignoring Issues
        Fix All Vulnerable Paths
        Track Remediations Over Time
        Invest in Making Fixing Easy
    Summary
Chapter 4. Integrating Testing to Prevent Vulnerable Libraries
    When to Run the Test?
    Blocking Versus Informative Testing
    Failing on Newly Added Versus Newly Disclosed Issues
    Platform-Wide Versus App-Specific Integration
    Integrating Testing Before Fixing
    Summary
Chapter 5. Responding to New Vulnerability Disclosures
    The Significance of Vulnerability Disclosure
    Setting Up for Quick Remediation
    Monitoring Which Dependencies Your Apps Are Using
        Source Code Management Platform Integration
        Monitoring Deployed Code
        Integrating into Continuous Deployment
    Getting a Feed of Vulnerability Notifications
        CVEs Are Not Enough
        Early Notifications
    Automating Matching and Notification
        Who You Should Notify and How
    Automating Remediation Steps
        Breaking a Build on a New Vulnerability
        Becoming Vulnerable Due to Dependency Chain Updates
    Summary
Chapter 6. Choosing a Software Composition Analysis Solution
    Choose a Tool Your Developers Will Actually Use
    Aim to Fix Issues, Not Just Find Them
    Verify the Coverage of the Vulnerability DB
    Ensure Your Tool Understands Your Dependencies Well
    Secure containers with a developer perspective.
    Choose the Tool That Fits Tomorrow's Reality Too
Chapter 7. Summary
About the Author

Description

Open source software is amazing, but it's also a complicated beast when it comes to ownership, trust, and security. Many organizations operate mission-critical systems with the help of open source libraries, unaware that some of these libraries include vulnerabilities that hackers can easily exploit. This type of vulnerability led to the 2017 Equifax breach. In this practical report, author Guy Podjarny provides a framework to help you continuously find and fix known vulnerabilities in the open source libraries you use. Every software library has potential pitfalls, and vulnerable dependencies are prime targets. Aimed at architects and practitioners in development and application security, this report walks you through practices and tools to protect your applications at scale.
In this report you will:
- Understand what known vulnerabilities are and why they matter
- Learn how to find and fix vulnerabilities in open source libraries
- Integrate testing to prevent adding new vulnerable libraries to your code
- Respond to newly disclosed vulnerabilities in libraries you already use
- Learn which aspects matter most when choosing a Software Composition Analysis (SCA) testing tool
Download the book Securing open source libraries : managing vulnerabilities in open source code packages