Two prominent C standard libraries that offer methods for typical DNS operations have a major...
How to Handle with Third-Party Programming Library Vulnerabilities
Almost every piece of software uses several layers of third-party libraries. Consider the case when a Java program uses a standard library method to prepare a date. That function could in turn call a calendar-related function from another library. And then another function is called, and so on.
What if one of those highly nested libraries has a security weakness that is made public? Your application is now vulnerable, and a malicious attacker can gain access to the server where it is running—even if you didn’t introduce a problem yourself.
There are several scanners available to assist you in finding vulnerabilities in dependencies, but dealing with them requires some finesse. In this blog, we’ll look at the procedure.
Information about Flaws from Various Sources
We’re all secured by a large network of security specialists who run software through a variety of difficult tests to find and disclose hazardous bugs. Their testing might be as simple as passing unusual data to a function to see whether it becomes confused and allows an attacker to take control of the software. Fuzzing is a fascinating subject that involves sending massive amounts of randomly generated characters to programs to uncover faults and vulnerabilities. Other thorough analysis tools hunt for suspicious issues in either static code (static analysis) or a running program (running analysis) (dynamic analysis).
Of course, less well-intentioned researchers are also on the lookout for similar holes to create nasty attacks for government and ransomware customers. Although zero-day exploits (security holes not yet known to the public) are harmful, the majority of assaults rely on defects that are well known and that victims have let to remain on their systems. You can be confident that hostile actors are perusing the publicly available flaw lists.
Before a critical stage in the life cycle, such as quality assurance or deployment, at the absolute least, execute an automated vulnerability check. You don’t want to enter a critical point of the life cycle with a vulnerability since the cost of correcting it will be substantially higher.
Regularly running vulnerability scanners is an important aspect of DevSecOps, a popular approach that incorporates security into the application life cycle. Scans that follow the Security Content Automation Protocol are required by several regulatory contexts, including the CIA and FBI (SCAP). NIST created SCAP, which is now available as an open-source project named Open SCAP.
Easy Fixes
You’ve discovered a weakness! Hopefully, the solution will be simple and painless. If the package’s creators have issued a new version that includes the patch, all you have to do now is rebuild your application using the updated version. Naturally, every modification to a package might lead to new issues, so you should perform your regression tests following the update.
Project Thoth, an open-source tool developed by Red Hat for locating safe libraries for Python applications, represents one advanced trend in software builds. Thoth doesn’t just bring in the most recent stable version of each library your program utilizes; it searches a variety of public databases and tries to offer a package combination that works flawlessly together. Developers in other programming languages are taking the same approach.
If there isn’t a new version yet that fixes the software error, you might be able to identify an older version of the library that doesn’t have the bug. Of course, if the old version contains other flaws, it will be of little use to you. If the previous version appears to fit your needs, you must ensure that you are not reliant on the functionality included in newer versions, and you must perform your regression tests once more.
Identifying the Context of a Flaw
Assume that the solutions described in the preceding section are not accessible. You’re trapped using a library that has a known security weakness in it to create your software. Now we’ll need to do some more in-depth investigation and reasoning.
Examine the factors that might lead to a security breach. Many exploits are theoretical at the time they are reported by security researchers, but they can swiftly become actual. So study the vulnerability report to learn what an attacker needs to become a threat. Is it necessary for them to have physical access to your system? Do they need to be root (superuser)? Once they’ve gained root, they’re unlikely to need to take advantage of your fault to cause havoc. You may conclude that an attacker is unlikely to be able to use the vulnerability in your environment.
Some automated vulnerability scanners have a high level of openness. They may highlight something as an issue, but you may determine it isn’t in your situation.
You may be able to add additional tests to ensure that the bug isn’t exploited. Assume one of the arguments supplied to the vulnerable function is the buffer length; the attack will only be dangerous if that parameter is negative. A buffer’s length should, of course, always be zero or positive. With a negative value in that parameter, your software will never validly call the function. You may improve security by including this before each function call:
if (argument < 0)
exit;
Other vulnerabilities work by introducing characters that should never be used invalid input, allowing you to check for them before providing data to functions. Some languages, based on a Perl innovation from many years ago, label hazardous variables as “tainted” so you know you’ve examined them for security flaws.
Instead of embedding such checks throughout the program, it could be easier to incorporate a check for unsafe input in an application proxy or other wrapper.
This solution should only be temporary, as the library’s maintainers should resolve the defect as soon as possible.
If no one has already shared this workaround with the community, leave a comment on the issue where the problem was discovered and give your solution to others.
You could discover, by the way, that the disclosed defect affects a function you’re not using. However, be aware since you could call a library function that indirectly calls the unsafe function. There are tracing and profiling tools that allow you to examine your application’s whole tree of function calls to discover whether you’re in danger.
Maybe you’re just right in the sights of attackers because you’re employing a function with a fault you can’t fix. So think about it: do you need the feature with the flaw? Alternative libraries with equivalent functionalities are frequently available. Alternatively, the function’s specific usage may be simple enough for you to create it yourself. Writing your version of the function, on the other hand, is a terrible approach since you’re more likely to add issues than to solve the issue. After all, you’re even less experienced with secure code than the library’s maintainers.
You could also feel secure enough in your coding abilities and knowledgeable enough with the package you’re using to contribute a bug fix. This is just an option for open source software, but certainly, hope you’re utilizing them wherever possible.
But don’t want to leave you without reiterating the importance of defending in depth. If your app is only for internal use, for example, firewall restrictions and authentication should guarantee that you’re only talking with valid users. On the other hand, even an internal user might be hostile, or an outsider could use them as a stepping stone into your server. As a result, a secure application is still required.
Conclusion
Security issues are a continual danger in software development, and they may be found anywhere. You need to be aware of such flaws since a breach in your system might result in a ransomware attack, the loss of valuable client data, the use of your system in a botnet, or other unpleasant outcomes. Do not allow yourself to become a victim.
However, because there are so many problems, you can’t just decide to discard every library for which a vulnerability has been detected. If an upgrade is available, apply it as soon as possible. In all other circumstances, I hope this information has aided you in making sound security judgments.
Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.
For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com