An Oxymoron : Static Analysis of a Dynamic Language (Part 2)
An important characteristic of modern Node.js based applications is the extensive use of third-party libraries. On the npm platform over 1 million packages (mostly libraries) are available, and only a few of them have been screened intensively for security vulnerabilities. A challenge when analyzing the security of npm packages is that they are often not self-contained: they in turn transitively depend on other npm packages for lower-level functionality. Statistics show that, on average, every npm package depends on 79 other packages and on code published by 39 maintainers. To correctly understand an application that uses npm packages, one needs to consider all of these dependencies together.
According to a security survey by npm, 77% of respondents were concerned with the security of OSS/third-party code.
Embedded below is a spreadsheet listing the top ‘x’ open source libraries, sorted by utility dimensions.
Two main directions are being pursued for automatically securing npm packages. First, there are tools that aggregate known security vulnerabilities in specific versions of individual libraries and report them to the developer directly. For example, npm audit analyzes all the dependencies of a Node.js application and warns the developer about any known vulnerabilities in the dependent-upon code. GitHub, Snyk, and other companies offer similar services.
The main limitation of this approach is its narrowly scoped view: it knows only which versions are present, not how the application uses them, which leads to a high number of false positives.
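The two points above (transitive dependency fan-out, and lockfile-based advisory matching in the style of npm audit) can be made concrete with a small script. The following is an added example, not code from the original post or from ShiftLeft: it walks a constructed, already-resolved dependency graph from the application root, counts the distinct packages and maintainers it pulls in, and then matches each resolved version against a constructed advisory list, reporting the dependency chain by which each vulnerable package was reached. All package names, versions, maintainers and advisory ids are made up for illustration and do not refer to real npm packages.

```javascript
// Added example (not from the original post): lockfile-style dependency walk
// plus version-based advisory matching. Every name, version, maintainer and
// advisory below is constructed for illustration only.

// Constructed "resolved" graph keyed by name@version, as a lockfile records it.
const LOCK = {
  'app@1.0.0':         { maintainers: ['app-team'],   deps: { 'web-fw': '4.2.0', 'log-util': '1.3.1' } },
  'web-fw@4.2.0':      { maintainers: ['fw-core'],    deps: { 'parse-qs': '6.5.0', 'cookie-sign': '1.0.4' } },
  'log-util@1.3.1':    { maintainers: ['loggers'],    deps: { 'deep-merge': '2.0.1' } },
  'parse-qs@6.5.0':    { maintainers: ['fw-core'],    deps: {} },
  'cookie-sign@1.0.4': { maintainers: ['fw-core'],    deps: {} },
  'deep-merge@2.0.1':  { maintainers: ['util-owner'], deps: {} },
};

// Constructed advisories: affected package and the first fixed version.
const ADVISORIES = [
  { id: 'ADV-CONSTRUCTED-1', name: 'deep-merge', fixedIn: '2.1.0', summary: 'prototype pollution in merge()' },
  { id: 'ADV-CONSTRUCTED-2', name: 'parse-qs',   fixedIn: '6.5.0', summary: 'resource exhaustion on nested input' },
];

// Minimal major.minor.patch comparison (no pre-release tags): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Split "name@version" on the last "@" so scoped names (@scope/pkg) survive.
function splitKey(key) {
  const at = key.lastIndexOf('@');
  return [key.slice(0, at), key.slice(at + 1)];
}

// Breadth-first walk from the root. Returns Map<name@version, chain[]> where
// chain is the path of packages through which that version was reached.
function collectTransitive(lock, rootKey) {
  const seen = new Map([[rootKey, [rootKey]]]);
  const queue = [rootKey];
  while (queue.length) {
    const key = queue.shift();
    const node = lock[key];
    if (!node) throw new Error(`unresolved package ${key}`);
    for (const [name, version] of Object.entries(node.deps)) {
      const child = `${name}@${version}`;
      if (!seen.has(child)) {
        seen.set(child, [...seen.get(key), child]);
        queue.push(child);
      }
    }
  }
  seen.delete(rootKey); // the application itself is not a dependency
  return seen;
}

// Fan-out numbers of the kind quoted above: distinct packages and maintainers.
function dependencyStats(lock, rootKey) {
  const deps = collectTransitive(lock, rootKey);
  const maintainers = new Set();
  for (const key of deps.keys()) lock[key].maintainers.forEach(m => maintainers.add(m));
  return { packages: deps.size, maintainers: maintainers.size };
}

// Version-only matching: a package is flagged when its resolved version is
// below the advisory's fixed version, regardless of whether the application
// ever reaches the affected code. That is the limitation noted above.
function audit(lock, rootKey, advisories) {
  const findings = [];
  for (const [key, chain] of collectTransitive(lock, rootKey)) {
    const [name, version] = splitKey(key);
    for (const adv of advisories) {
      if (adv.name === name && compareVersions(version, adv.fixedIn) < 0) {
        findings.push({ id: adv.id, package: key, fixedIn: adv.fixedIn,
                        path: chain.join(' > '), summary: adv.summary });
      }
    }
  }
  return findings;
}

console.log('dependency stats:', dependencyStats(LOCK, 'app@1.0.0'));
console.log('findings:', audit(LOCK, 'app@1.0.0', ADVISORIES));
```

On the constructed graph the walk finds five transitive packages from three maintainers, and the audit flags only deep-merge@2.0.1 (parse-qs@6.5.0 is exactly the fixed version, so it passes). The `path` field is what lets a developer see which direct dependency dragged the vulnerable package in; what the finding cannot say is whether `merge()` is ever called on untrusted input in this application, which is why a reachability-aware analysis is needed to cut the false positives.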
As a result of Node.js's increasing popularity, there has been a growing demand for tools that assist programmers with tasks such as detecting and preventing security vulnerabilities.
In the next part of this series we will examine the evolution of the new standards that have taken shape to address these issues.
An Oxymoron : Static Analysis of a Dynamic Language (Part 2) was originally published in ShiftLeft Blog on Medium.
This is a Security Bloggers Network syndicated blog from ShiftLeft Blog - Medium authored by Chetan Conikee. Read the original post at: https://blog.shiftleft.io/an-oxymoron-static-analysis-of-a-dynamic-language-part-2-d150b393e551?source=rss----86a4f941c7da---4