book

Securing Open Source Libraries

by Guy Podjarny

November 2017

Intermediate to advanced

71 pages

1h 32m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Book Purpose and Target AudienceTools Versus LibrariesApplication Versus Operating System DependenciesKnown Vulnerabilities Versus Other RisksComparing ToolsBook Outline
Vulnerabilities in Reusable ProductsVulnerability DatabasesCommon Vulnerabilities and Exposures (CVE)Common Platform Enumeration (CPE)Common Weakness Enumeration (CWE)Common Vulnerability Scoring System (CVSS)Known Vulnerabilities Outside CVE and NVDUnknown Versus Known VulnerabilitiesResponsible DisclosureSummary
TaxonomyKnown Vulnerability Versus Vulnerable PathTesting Source Versus Built AppsFinding Vulnerabilities Using the Command LineFinding Vulnerabilities in SCM (GitHub, BitBucket, GitLab)Granting Source Code AccessFinding Vulnerabilities in Serverless and PaaSFinding Vulnerabilities in the BrowserVulnerable Component Versus Vulnerable AppsSummary
UpgradingMajor UpgradesIndirect Dependency UpgradeConflictsIs a Newer Version Always Safer?There Is No Fixed VersionPatchingSourcing PatchesDepend on GitHub HashFork and PatchStatic Patching at Build TimeDynamic Patching at Boot TimeOther Remediation PathsRemovalExternal MitigationLog IssueRemediation ProcessIgnoring IssuesFix All Vulnerable PathsTrack Remediations Over TimeInvest in Making Fixing EasySummary
When to Run the Test?Blocking Versus Informative TestingFailing on Newly Added Versus Newly Disclosed IssuesPlatform-Wide Versus App-Specific IntegrationIntegrating Testing Before FixingSummary
The Significance of Vulnerability DisclosureSetting Up for Quick RemediationMonitoring Which Dependencies Your Apps Are UsingSource Code Management Platform IntegrationMonitoring Deployed CodeIntegrating into Continuous DeploymentGetting a Feed of Vulnerability NotificationsCVEs Are Not EnoughEarly NotificationsAutomating Matching and NotificationWho You Should Notify and HowAutomating Remediation StepsBreaking a Build on a New VulnerabilityBecoming Vulnerable Due to Dependency Chain UpdatesSummary
Choose a Tool Your Developers Will Actually UseAim to Fix Issues, Not Just Find ThemVerify the Coverage of the Vulnerability DBEnsure Your Tool Understands Your Dependencies WellChoose the Tool That Fits Tomorrow’s Reality Too

Overview

Open source software is amazing, but it’s also a complicated beast when it comes to ownership, trust, and security. Many organizations operate mission critical systems with the help of open source libraries, unaware that some of these libraries include vulnerabilities that hackers can easily exploit. This type of vulnerability led to the 2017 Equifax breach.

In this practical report, author Guy Podjarny provides a framework to help you continuously find and fix known vulnerabilities in the open source libraries you use. Every software library has potential pitfalls, and vulnerable dependencies are prime targets. Aimed at architects and practitioners in development and application security, this report walks you through practices and tools to protect your applications at scale.

Understand what known vulnerabilities are and why they matter
Learn how to find and fix vulnerabilities in open source libraries
Integrate testing to prevent adding new vulnerable libraries to your code
Respond to newly disclosed vulnerabilities in libraries you already use
Learn which aspects matter most when choosing a Software Composition Analysis (SCA) testing tool

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781491996980

Securing Open Source Libraries

by Guy Podjarny

Overview

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Core Software Security

Hands-On Security in DevOps

Securing DevOps

How Open Source Ate Software: Understand the Open Source Movement and So Much More

Publisher Resources

Overview

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Core Software Security

Hands-On Security in DevOps

Securing DevOps

How Open Source Ate Software: Understand the Open Source Movement and So Much More

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.