Third Party & Open Source Component Management

Introduction

Nowadays, hardly any application is developed without third party and open source libraries. These libraries save developers time by providing ready-to-use functionality that can be integrated directly into the application source code. On the other side, the use of third party and open source libraries has also brought security risks to applications. These libraries are often developed with functional requirements in mind; security requirements are pushed aside, which leaves such libraries vulnerable to application security attacks. When these libraries are integrated into the application source code, the application becomes vulnerable as well.

Why Security In Third Party & Open Source Components

A very recent example is the Apache Struts 2 remote code execution vulnerability (CVE-2017-9805). Apache Struts 2 is an open source web application framework written in Java. The remote code execution vulnerability is a result of ignoring secure coding practices during development: the Struts REST plugin fails to handle XML payloads properly while deserializing them. All versions of Apache Struts since 2008 (Struts 2.1.2 – Struts 2.3.33, Struts 2.5 – Struts 2.5.12) are affected, leaving every web application that uses the framework's REST plugin open to remote attackers. Many Indian web applications have also been found vulnerable to this vulnerability, and some have been exploited successfully as well.

Third party and open source libraries are an essential part of application development. Hence, it is necessary to deploy appropriate security controls around the usage of these libraries, and that is how the Third Party & Open Source Component Management process comes into the picture. Third Party & Open Source Component Management is a control within the application security framework and governance model.

Managing Risks of Vulnerable Third Party & Open Source Component

Organizations cannot stop developers from using these components, but they can have visibility into the security status of the components developers use. With that visibility, it can be ensured that a component is free of known vulnerabilities and that there is no harm in using it in application development.

At Afflux Consulting, we suggest the following ways to manage risks from third party & open source components:

  1. Enforce a policy that introduces a process for validating third party & open source components for open security vulnerabilities before they are used in application development.
  2. Maintain an inventory of vulnerable components which must not be used in application development. A security advisory should be issued to developers on the use of this inventory.
  3. Develop secure coding guidelines and educate developers about security vulnerabilities in third party & open source components.
  4. Integrate security testing into SDLC so that security vulnerabilities in third party & open source components used in application development are identified as early as possible.
  5. Use a specialized tool to detect third party & open source components used in application development and open security vulnerabilities in those components.
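As an added example (not part of the original article), steps 2 and 5 can be combined into a simple inventory check: the affected Struts version ranges quoted above become an advisory entry, and every dependency in a build's component list is matched against it. The Maven coordinate used for the REST plugin and the dependency list are assumptions constructed for this example.

```python
"""Check a dependency list against an inventory of vulnerable component versions."""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5.12' into (2, 5, 12); '2.5' pads to (2, 5, 0) so ranges compare cleanly.
    A qualifier such as '-SNAPSHOT' is dropped before parsing."""
    parts = tuple(int(p) for p in v.split("-")[0].split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass(frozen=True)
class Advisory:
    component: str
    cve: str
    affected: List[Tuple[str, str]]  # inclusive (lowest, highest) affected versions

    def matches(self, component: str, version: str) -> bool:
        if component != self.component:
            return False
        ver = parse_version(version)
        return any(parse_version(lo) <= ver <= parse_version(hi) for lo, hi in self.affected)


# Inventory of vulnerable components (step 2). The version ranges are the ones quoted
# on this page for CVE-2017-9805; the Maven coordinate is an assumption for the example.
VULNERABLE_INVENTORY = [
    Advisory("org.apache.struts:struts2-rest-plugin", "CVE-2017-9805",
             [("2.1.2", "2.3.33"), ("2.5", "2.5.12")]),
]


def check_inventory(components: List[Tuple[str, str]], advisories=VULNERABLE_INVENTORY):
    """Return (component, version, cve) for every dependency that matches an advisory."""
    findings = []
    for name, version in components:
        for adv in advisories:
            if adv.matches(name, version):
                findings.append((name, version, adv.cve))
    return findings


# Constructed sample dependency list, as a build tool or scanner (step 5) would report it.
SAMPLE_COMPONENTS = [
    ("org.apache.struts:struts2-rest-plugin", "2.5.12"),   # inside an affected range
    ("org.apache.struts:struts2-rest-plugin", "2.3.34"),   # just outside the first range
    ("org.apache.struts:struts2-core", "2.5.12"),          # different component, no entry
    ("com.example:logging-lib", "1.4.0-SNAPSHOT"),         # qualifier is tolerated
]

if __name__ == "__main__":
    for name, version, cve in check_inventory(SAMPLE_COMPONENTS):
        print(f"BLOCK: {name} {version} is affected by {cve}")
```

Running the block flags only the 2.5.12 REST plugin entry; the same check can be wired into a build step so that a matching dependency fails the build before it reaches production.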

We assist organizations in developing and maintaining an application security framework by providing services customized to the organization's security requirements. Please visit the Application Security section in Service Offerings or Contact Us to hear more from us.