Monitoring for Vulnerable Dependencies

Monitoring for Vulnerable Dependencies

Richard Brown

20 October 2021 - 4 min read

SecurityDevOpsMonitoring Dependencies
Monitoring for Vulnerable Dependencies

Today, we live in a world of multiple dependencies, with popular packages like npm, Yarn and NuGet housing reusable code for developers. Even a very simple Vue app created with the Vue CLI pulls in nearly 1000 npm packages — a further testament to the significance that dependencies hold within development.

But with great power, comes great vulnerabilities. Any of these packages could be hiding vulnerabilities that are just waiting to be exploited by hackers. The DCMS Cyber Security Breach survey shows that while breaches have decreased in the past year — from 46% in 2020, to 39% this year — cyber security remains a great threat to businesses across the UK.

Worryingly, less businesses are now deploying security monitoring tools (35% from 40%) last year or engaging in any user monitoring (32% vs. 38%). This reduction indicates negligence rather than progress; in reality, companies may be less aware of the breaches to which they are exposed.

The impact of suffering a breach can have monumental effects upon a business’ finances and reputation. At the beginning of this year, it was revealed that 17 organisations, including The Reserve Bank of New Zealand and The US Department of Health and Human Services — had been victims to a data breach at the hands of ransomware group Clop and financial crime group FIN11. This incident occurred after software provider Accellion had been too slow in relehasing patches for a zero-day vulnerability in one of their file sharing services.

This event serves as a timely reminder to promptly monitor and fix vulnerabilities, with Accellion now facing over 14 lawsuits for their negligence.

The prominence of these vulnerabilities is reflected in the OWASP top 10, where ‘Vulnerable and Outdated Components' is currently ranked #6 on the list (up from #9 in 2017). Faced with these concerns, businesses must be proactive and continually monitor dependencies for vulnerabilities to avoid potential breaches.

How we monitor for vulnerable dependencies at Audacia At Audacia, we’re committed to secure software development. We run a scheduled job on every system to check for vulnerable dependencies. Using the free and open source OWASP Dependency Check tool, this job scans all npm, NuGet and, if required, yarn dependencies on a weekly basis.

The jobs themselves run as Azure Pipelines; we have a reusable set of steps written in YAML, so each system’s pipeline just needs to specify a schedule and execute those steps

name: $(Date:yyyyMMdd)
trigger: none
pr: none
schedules:
  # Will run weekly, at midnight on Sunday
- cron: "0 0 * * 0"
  displayName: Weekly Dependency Check
  branches:
    include:
    - dev
resources:
  repositories: 
  # Use our Audacia.Build repository, which contains reusable pipeline steps and jobs
  - repository: templates
    type: git
    name: Audacia/Audacia.Build
pool:
  vmImage: windows-latest
  
steps:
  
  - template: /steps/npm/dependency-check.yaml@templates
    parameters:
      displayName: npm Dependency Check
      publishAs: Dependency Check Result (npm)
      runEvenIfError: true
  
  - template: /steps/netcore/dependency-check.yaml@templates
    parameters:
      displayName: .NET Dependency Check
      publishAs: Dependency Check Result (.NET)
      runEvenIfError: true

Any vulnerabilities that are discovered are reported as part of our Information Security Management System (ISMS). A per system report is then passed to the development team to investigate, so that we can assess any existing vulnerabilities and formulate a solution moving forward. The typical solution is to upgrade the vulnerable package if a patched version exists.

Monitoring Standards Company wide

As a company we have various checks in place to ensure that vulnerable dependencies are monitored on a consistent basis.

For one, we hold patching vulnerable and/or out-of-support dependencies as a core item in our secure coding standards, which all developers follow.

These same standards are reiterated at the start of each new project, which begins with a technical kick-off. There is a particular emphasis, here, on the need to patch vulnerabilities so that the development is aware of their responsibility.

On top of this, each project goes through a pre-deployment checklist, which checks that a scheduled pipeline is set up for checking dependencies on a regular basis.

We are also acutely aware about the importance of keeping key frameworks, like .NET and Angular, up to date and on long-term support (LTS) releases. We monitor and handle version requirements proactively across all systems that we maintain.

A Necessity for Security

Like digital transformation, monitoring vulnerable dependencies can be thought of as a continuous process of improvement.

A one-off check prior to a release will not suffice, as new vulnerabilities are being discovered all the time. What was ‘fine’ last week could have a newly found vulnerability this week.

At Audacia, we put security at the very heart of our development and ensure that we regularly monitor, correct and update all dependencies as is needed.

Ebook Available

How to maximise the performance of your existing systems

Free download

Richard Brown is the head of engineering at Audacia, responsible for steering the technical direction of the company and maintaining standards across development and testing.