book

Securing Open Source Libraries

Name: Securing Open Source Libraries
Author: Guy Podjarny
ISBN: 9781491996973

by Guy Podjarny

November 2017

Intermediate to advanced

71 pages

1h 32m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Introduction
Book Purpose and Target AudienceTools Versus LibrariesApplication Versus Operating System DependenciesKnown Vulnerabilities Versus Other RisksComparing ToolsBook Outline
1. Known Vulnerabilities in Open Source Packages
Vulnerabilities in Reusable ProductsVulnerability DatabasesCommon Vulnerabilities and Exposures (CVE)Common Platform Enumeration (CPE)Common Weakness Enumeration (CWE)Common Vulnerability Scoring System (CVSS)Known Vulnerabilities Outside CVE and NVDUnknown Versus Known VulnerabilitiesResponsible DisclosureSummary
2. Finding Vulnerable Packages
TaxonomyKnown Vulnerability Versus Vulnerable PathTesting Source Versus Built AppsFinding Vulnerabilities Using the Command LineFinding Vulnerabilities in SCM (GitHub, BitBucket, GitLab)Granting Source Code AccessFinding Vulnerabilities in Serverless and PaaSFinding Vulnerabilities in the BrowserVulnerable Component Versus Vulnerable AppsSummary
3. Fixing Vulnerable Packages
UpgradingMajor UpgradesIndirect Dependency UpgradeConflictsIs a Newer Version Always Safer?There Is No Fixed VersionPatchingSourcing PatchesDepend on GitHub HashFork and PatchStatic Patching at Build TimeDynamic Patching at Boot TimeOther Remediation PathsRemovalExternal MitigationLog IssueRemediation ProcessIgnoring IssuesFix All Vulnerable PathsTrack Remediations Over TimeInvest in Making Fixing EasySummary
4. Integrating Testing to Prevent Vulnerable Libraries
When to Run the Test?Blocking Versus Informative TestingFailing on Newly Added Versus Newly Disclosed IssuesPlatform-Wide Versus App-Specific IntegrationIntegrating Testing Before FixingSummary
5. Responding to New Vulnerability Disclosures
The Significance of Vulnerability DisclosureSetting Up for Quick RemediationMonitoring Which Dependencies Your Apps Are UsingSource Code Management Platform IntegrationMonitoring Deployed CodeIntegrating into Continuous DeploymentGetting a Feed of Vulnerability NotificationsCVEs Are Not EnoughEarly NotificationsAutomating Matching and NotificationWho You Should Notify and HowAutomating Remediation StepsBreaking a Build on a New VulnerabilityBecoming Vulnerable Due to Dependency Chain UpdatesSummary
6. Choosing a Software Composition Analysis Solution
Choose a Tool Your Developers Will Actually UseAim to Fix Issues, Not Just Find ThemVerify the Coverage of the Vulnerability DBEnsure Your Tool Understands Your Dependencies WellChoose the Tool That Fits Tomorrow’s Reality Too
7. Summary

Overview

Open source software is amazing, but it’s also a complicated beast when it comes to ownership, trust, and security. Many organizations operate mission critical systems with the help of open source libraries, unaware that some of these libraries include vulnerabilities that hackers can easily exploit. This type of vulnerability led to the 2017 Equifax breach.

In this practical report, author Guy Podjarny provides a framework to help you continuously find and fix known vulnerabilities in the open source libraries you use. Every software library has potential pitfalls, and vulnerable dependencies are prime targets. Aimed at architects and practitioners in development and application security, this report walks you through practices and tools to protect your applications at scale.

Understand what known vulnerabilities are and why they matter
Learn how to find and fix vulnerabilities in open source libraries
Integrate testing to prevent adding new vulnerable libraries to your code
Respond to newly disclosed vulnerabilities in libraries you already use
Learn which aspects matter most when choosing a Software Composition Analysis (SCA) testing tool

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781491996980

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills