
How to Use Sonatype OSS Index to Identify Security Vulnerabilities

It’s nearly impossible to build a modern application without relying on third-party libraries. Open source software has been an amazing boon to software development. It’s been instrumental in allowing developers to build increasingly complex applications that make the internet what it is today.

However, third-party libraries also present a few problems from a security perspective. For instance, as a developer, you can be doing everything right in your codebase security-wise—utilizing the right patterns for avoiding Cross-Site Scripting (XSS) and SQL injection (SQLi), for instance. But a single vulnerability in a library can leave you vulnerable despite your best efforts. This problem isn’t going to go away. More package managers are starting to include vulnerability checks as part of their workflow, but not all are there yet.

Read on for ways you can stay on top of this information using Sonatype’s free service offering, OSS Index.

Challenges With Third-Party Libraries

Staying up to date with the security state of dependencies is almost a full-time job. For each dependency, you could search the internet and see if anything pops up. You could also search common sources of vulnerability information. The most popular source is the Common Vulnerabilities and Exposures (CVE) feed from the National Vulnerability Database (NVD). This database contains known vulnerability information for software and libraries. Doing this regularly for even one package is a lot of work, and forget about doing it for all of the packages that your project is using. The other drawback is that for each vulnerability, we may have to dig a bit to identify the versions that are vulnerable.
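To show what automating that per-dependency lookup looks like, here is an added Python example (not Sonatype's own client or anything from the original post). It turns a pinned Python requirements list into Package URL coordinates, which is how OSS Index identifies components, and summarises a component report by CVSS score. The endpoint and the response field names (`coordinates`, `vulnerabilities`, `cvssScore`, `cve`, `title`, `reference`) are assumptions based on the public OSS Index v3 REST API as I understand it, and the sample requirements and report are constructed placeholders, not real advisories.

```python
"""Build OSS Index coordinates from a Python requirements list and
summarise the resulting component report.

Example code added to this page, not Sonatype's own client. The endpoint
and response field names are assumptions based on the public OSS Index v3
REST API; the sample data below is constructed for the demo."""
import json
import urllib.request

# Constructed sample requirements. OSS Index reports on exact versions, so
# only pinned ("==") entries can be turned into coordinates.
SAMPLE_REQUIREMENTS = """\
requests==2.25.1
# a comment line
flask[async]==1.1.2
pyyaml>=5.3
"""


def requirements_to_purls(text):
    """Turn 'name==version' lines into Package URL coordinates of the form
    pkg:pypi/name@version. Comments, blank lines, extras and unpinned specs
    are stripped or skipped."""
    purls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (part.strip() for part in line.split("==", 1))
        name = name.split("[", 1)[0]          # drop extras such as [async]
        purls.append(f"pkg:pypi/{name.lower()}@{version}")
    return purls


def fetch_component_report(purls,
                           endpoint="https://ossindex.sonatype.org/api/v3/component-report"):
    """POST the coordinate list to OSS Index and return the decoded JSON.
    Assumed API shape; needs network access and is not used by the offline demo."""
    body = json.dumps({"coordinates": purls}).encode()
    req = urllib.request.Request(
        endpoint, data=body,
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response in the assumed OSS Index shape. The single
# vulnerability entry is an invented placeholder, not a real advisory.
SAMPLE_REPORT = [
    {"coordinates": "pkg:pypi/requests@2.25.1", "vulnerabilities": []},
    {"coordinates": "pkg:pypi/flask@1.1.2",
     "vulnerabilities": [
         {"id": "PLACEHOLDER-1", "title": "Example issue (constructed)",
          "cvssScore": 7.5, "cve": "CVE-PLACEHOLDER",
          "reference": "https://example.invalid/advisory"}]},
]


def summarise_report(report, min_score=0.0):
    """Return {coordinate: [(cve_or_id, score, title), ...]} for every
    component with at least one vulnerability scoring min_score or higher,
    worst finding first."""
    findings = {}
    for component in report:
        hits = []
        for vuln in component.get("vulnerabilities", []):
            score = float(vuln.get("cvssScore") or 0)
            if score >= min_score:
                hits.append((vuln.get("cve") or vuln.get("id"), score, vuln.get("title", "")))
        if hits:
            findings[component["coordinates"]] = sorted(hits, key=lambda h: -h[1])
    return findings


if __name__ == "__main__":
    coords = requirements_to_purls(SAMPLE_REQUIREMENTS)
    # Swap SAMPLE_REPORT for fetch_component_report(coords) to query the live service.
    for coord, hits in summarise_report(SAMPLE_REPORT).items():
        for ident, score, title in hits:
            print(f"{coord}: {ident} (CVSS {score}) {title}")
```

The threshold argument to `summarise_report` is the kind of gate you would put in a CI job: fail the build on anything at or above a chosen CVSS score, and only report the rest, so the per-dependency search described above runs on every commit instead of by hand.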

Adding to the difficulty, not all package managers include vulnerability information as part of their management tools, so we need an alternative. In the article “Getting Started With DepShield: An Introduction,” (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Casey Dunham. Read the original post at: https://blog.sonatype.com/how-to-use-sonatype-oss-index-to-identify-security-vulnerabilities