Saturday, November 18, 2017

Secure your applications by checking potential security vulnerabilities in 3rd party libraries

Hello Friends, let's start today's discussion with a short questionnaire session. [Although here both the quiz master's and the contestants' roles will be played by me, hey, you are free to poke me through comments if I am unfair anywhere 😎]

Q1: As a developer, do you always put a lot of effort into developing your application and making it secure from security vulnerabilities?
A: Right, we all do. We not only use coding conventions, standards, design patterns and OOAD principles but also follow various industry- and organization-specific best practices that adhere to the security standards.

QM: Oh, that's great to hear! Next question.

Q2: Do you use any 3rd party libraries during development, or do you restrict yourself from using them?
A: Of course, we all use 3rd party libraries during development, either to reduce development costs or to meet deadlines: Apache Log4j (logging library), Jackson (JSON parser library), Apache Commons Lang, Hibernate ORM etc.
We can't think about development without using 3rd party libraries, and why would one not use them when open source libraries are already available for the functionality we are looking for? Why waste our precious time, effort and energy on solutions that already exist? 😉

QM: You are right, it's good to leverage existing solutions, but be careful about which 3rd party components you are using.

Q3: Do you check 3rd party libraries for any known, publicly disclosed, potential security vulnerabilities?
A: As we said in Q1, we developed our application keeping all the necessary security best practices in mind, and yes, the thought of potential security vulnerabilities in 3rd party libraries has crossed our minds, but we also thought that since the 3rd party libraries used in our application are developed by very well known organizations, they would be free from security vulnerabilities.
Truly speaking, for some 3rd party libraries we wanted to do a thorough vulnerability analysis, but due to hard deadlines, meetings and last-minute requirement changes in the project [world famous excuses 😔], we ended up not doing that analysis.

QM: Sorry to say, not checking 3rd party libraries for known security vulnerabilities is a terrible mistake. Let's fire our next question to understand its importance.

Q4: Are you aware of the OWASP Top 10 list?
A: [Majority] Never heard about it. [One or two] We have heard the name but don't recollect it properly. What is it exactly?

QM: OWASP stands for the Open Web Application Security Project, an international, well known, non-profit organization that produces freely available articles, methodologies, documentation, tools and technologies in the field of web application security. Its "Top Ten" list aims to raise awareness about application security by identifying some of the most critical risks facing organizations. In this top 10 list, at number 9, we have "Top 10 2013-A9-Using Components with Known Vulnerabilities".

Now think how important it is to analyze 3rd party libraries for security vulnerabilities, given that OWASP has included this in their Top 10 list: no matter how much effort we put into securing our own code, if a 3rd party library has a known, publicly disclosed vulnerability then our application is not secure. An attacker does not need to find a flaw in our code at all; the vulnerable library ships inside our application and its exploit is already public.

Also check out the statistics from the whitepaper "The Unfortunate Reality of Insecure Libraries":

Q5: Are you thinking about how you will check for known, publicly disclosed vulnerabilities in 3rd party libraries?
A: Yes, you are reading our minds. 😊 We assume there must be some list or database which contains all the information about known, publicly disclosed vulnerabilities in 3rd party libraries. We just have to find that list or database and check it for the 3rd party libraries we use.

QM: Great! You are all on the right track. The National Vulnerability Database (NVD), maintained by NIST, holds the CVE records for known, publicly disclosed vulnerabilities, including those in 3rd party libraries; each record names the affected product and the affected versions. Checking every library and version by hand does not scale, so there are also tools like OWASP Dependency Check that identify the libraries in your project (for example the jars on the classpath), match them against the CVE records from NVD and produce a report of the vulnerable dependencies. Run it as part of the build so that a newly disclosed CVE in a library you already ship shows up at the next build rather than in an incident.
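A report is only useful if something acts on it. The script below is an added example (not part of the original post and not OWASP Dependency Check's own code): it reads a Dependency Check JSON report, picks the CVSS score of every finding and returns the dependencies whose score meets a threshold, so a build step can fail on them. It assumes the shape of the JSON report that Dependency Check writes with `--format JSON` (`dependencies[].fileName` and `dependencies[].vulnerabilities[]` with `name`, `severity`, `cvssv3.baseScore` or `cvssv2.score`); only those fields are used. The embedded report is constructed for the example, and the jar names and CVE ids in it are placeholders, not real vulnerabilities.

```python
import json
import sys
from typing import Dict, List

# Constructed sample in the shape of an OWASP Dependency Check JSON report.
# Only the fields the script reads are present; the jar names and the
# CVE-0000-* ids are placeholders, not real libraries or real CVEs.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "example-logging-1.0.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0001", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
                {"name": "CVE-0000-0002", "severity": "MEDIUM",
                 "cvssv2": {"score": 5.0}},
            ],
        },
        # A dependency with no "vulnerabilities" key is clean.
        {"fileName": "example-utils-2.3.jar"},
        {
            "fileName": "example-parser-0.9.jar",
            "vulnerabilities": [
                {"name": "CVE-0000-0003", "severity": "LOW",
                 "cvssv2": {"score": 2.1}},
            ],
        },
    ]
})


def cvss_score(vuln: Dict) -> float:
    """Prefer the CVSS v3 base score, fall back to the v2 score, else 0.0.

    Older CVEs only carry a v2 score, so a gate that reads v3 alone would
    silently let them through.
    """
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    return float(v2.get("score", 0.0))


def findings_above(report_json: str, threshold: float) -> List[Dict]:
    """Return every (dependency, CVE, score) whose score >= threshold,
    highest score first."""
    report = json.loads(report_json)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = cvss_score(vuln)
            if score >= threshold:
                findings.append({
                    "dependency": dep.get("fileName", "<unknown>"),
                    "cve": vuln.get("name", "<unnamed>"),
                    "severity": vuln.get("severity", ""),
                    "score": score,
                })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


def should_fail_build(report_json: str, threshold: float = 7.0) -> bool:
    """True when at least one finding meets the threshold (7.0 = CVSS High)."""
    return bool(findings_above(report_json, threshold))


def main(argv: List[str]) -> int:
    # Usage: python check_report.py [path/to/dependency-check-report.json] [threshold]
    # Without arguments the constructed sample report is used.
    report_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    threshold = float(argv[2]) if len(argv) > 2 else 7.0
    hits = findings_above(report_json, threshold)
    for f in hits:
        print(f"{f['dependency']}: {f['cve']} {f['severity']} (CVSS {f['score']})")
    if hits:
        print(f"FAIL: {len(hits)} finding(s) at or above CVSS {threshold}")
        return 1
    print(f"OK: no finding at or above CVSS {threshold}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To produce the real report, run the Dependency Check CLI against the build output, for example `dependency-check.sh --project myapp --scan target/ --format JSON --out reports/`, and point the script at `reports/dependency-check-report.json`; the non-zero exit code is what makes a CI job fail. The Maven plugin can do the same gate on its own through its `failBuildOnCVSS` setting, but a small script like this lets you apply one policy to every build tool in the organization. Whatever the threshold, treat every finding as something to fix or to document as not reachable, not something to raise the threshold over.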

Disclaimer: This questionnaire compilation is based on the analysis I did among my friends on the topic "Potential Security Vulnerabilities in 3rd Party Libraries". I know you might already be doing vulnerability analysis on 3rd party libraries before using them.
