App dependencies and security vulnerabilities

Do you use dependencies in your apps? If you do, are you aware that they may contain security vulnerabilities?

Indirect dependencies, the dependencies pulled in by the libraries you use in your apps, may also contain vulnerabilities, and you may not even be aware that they are there.

Dependencies, though useful, can pose a security issue.

Here are some stats to think about

So how common are security vulnerabilities in dependencies?

  • 78% of vulnerabilities are found in indirect dependencies
  • 37% of open source developers don’t do any security testing during continuous integration
  • 2 years is the median time from when a vulnerability is added to the dependency until it was fixed
  • 88% growth in application vulnerabilities over the last 2 years
  • 81% of users believe developers are responsible for open source security
  • 70% of open source developers have a medium to low security knowledge
  • 16 000 vulnerabilities were reported in 2018

The number of available open source packages is growing

Open source libraries are a crucial part of app development. This is borne out by the tremendous growth in the number of available dependencies, and also in the staggering download figures.

  • 102% growth for Maven Central in 2018
  • 37% growth for npm in 2018
  • The available Java packages doubled in 2018
  • 250 000 new packages were added to npm in 2018
  • 31 billion lines of code contributed by open source developers to date in 2018
  • 317 billion JavaScript packages were downloaded from npm during 2018
  • 30 billion packages were downloaded from npm in December 2018 alone

How sure are you of the dependencies that you include in your apps?

As mentioned above, 78% of all vulnerabilities are found in indirect dependencies. These are the dependencies that libraries we include in our apps rely on.

There can be quite a long chain of indirect dependencies. Take the lint package for example. As of writing, it has 13 dependencies. One of these, chalk, has three dependencies, and two of those each have one dependency of their own. Keeping track of all these dependencies can be quite a nightmare.
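To make such a chain visible, the following added example (not code from the original article) walks an npm lockfile and reports which packages are direct dependencies and which are indirect, with the chain that pulls each one in. The lockfile is constructed, every package name in it is made up, and only the `dependencies` field of each entry is followed.

```javascript
// Constructed lockfile in npm's "packages" layout (lockfileVersion 2/3); all names are made up.
const lock = {
  packages: {
    "": { name: "my-app", dependencies: { "linter-x": "^1.0.0" } },
    "node_modules/linter-x": { version: "1.2.0", dependencies: { "colour-y": "^2.0.0" } },
    "node_modules/colour-y": { version: "2.4.1", dependencies: { "styles-z": "^3.0.0", "flag-w": "^1.0.0" } },
    "node_modules/styles-z": { version: "3.2.0", dependencies: { "convert-v": "^1.9.0" } },
    "node_modules/flag-w": { version: "1.0.0" },
    "node_modules/convert-v": { version: "1.9.3" },
  },
};

// Resolve a name the way Node does: the requiring package's own
// node_modules first, then each parent directory up to the project root.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed, e.g. a skipped optional dependency
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Breadth-first walk from the root, keeping the shortest chain to each package.
function dependencyChains(lock) {
  const pkgs = lock.packages;
  const chains = new Map(); // install path -> package names from the root down
  const queue = [["", [pkgs[""].name || "(root)"]]];
  while (queue.length) {
    const [path, chain] = queue.shift();
    for (const name of Object.keys(pkgs[path].dependencies || {})) {
      const target = resolve(pkgs, path, name);
      if (!target || chains.has(target)) continue; // missing or already seen
      chains.set(target, [...chain, name]);
      queue.push([target, chains.get(target)]);
    }
  }
  return chains;
}

function summarize(lock) {
  const chains = [...dependencyChains(lock).values()];
  const direct = chains.filter((c) => c.length === 2).map((c) => c[1]);
  const indirect = chains.filter((c) => c.length > 2).map((c) => c.join(" > "));
  return { direct, indirect };
}
console.log(summarize(lock));
```

Here the app declares one dependency but ends up installing five packages, four of which it never asked for by name.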

How much do we know about the dependencies and their creators? Can they be trusted? This is not to say that they have malicious intent, but looking at it purely from a maintenance point of view, how often are these dependencies maintained?

Sure, the more popular ones are probably updated regularly, but what about the not-so-popular ones or the hidden indirect dependency? Maybe a developer, with good intent, created a useful dependency but has since moved on and no longer maintains the code.

Open source developers

Open source developers are usually volunteers, giving up their time and skill to develop a bunch of useful libraries that we probably could not do without. Unfortunately, the very strength of open source development, the fact that the libraries are free to use, is also its weakness. Open source developers are usually not rewarded financially, so there is not much of an incentive to maintain the code.

Most open source developers believe that security should play an important role when developing. However, they tend to spend most of their effort building a functional piece of code, and security takes a back seat. Also, there are no rules for open source developers and pretty much anything goes. Even though most developers would like to build secure code, many lack the skills, 70% of them in fact.

Fixing their code

84% of developers say that they’ll fix their code in less than a week after becoming aware of a vulnerability while 56% of them say that they’ll fix it within a day and 22% within hours.

As far as JavaScript and Node.js packages go, only 59% of packages with vulnerabilities have known fixes! So, over 40% of JavaScript and Node.js libraries have vulnerabilities with no known fixes.

Finding out about vulnerabilities

Almost half of the open source developers don’t know about the security vulnerabilities in their code until they are notified by an outside, public channel, for example when a user notifies them via email.

Steps you can take as a developer

Be aware of the dependencies you use in your apps, know which dependencies they in turn rely on, and above all be aware that any of them may contain vulnerabilities.

Regularly audit your code to detect any vulnerabilities in your dependencies. In 2018, 44% of developers never ran a security audit on their code. This year, 2019, this has fallen to 26% of developers who never audited their source code. This is improving as more and more developers take their code security seriously.

It’s a good idea to have a responsible disclosure policy to report any security vulnerabilities. It’s best to notify the developer confidentially about vulnerabilities so that they can fix them before the vulnerability is made public. You should display a badge on your website indicating that you have a disclosure policy in place. This makes it more likely that you’ll get notified by your users of vulnerabilities in your code.

Look for security communication channels for the dependencies you use and subscribe to them so that you are informed of any potential security vulnerabilities as early as possible.

Update your dependencies regularly to make use of any fixes.
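The audit and update steps above can be automated in continuous integration. The following added example (not from the original article) triages a report in the shape that `npm audit --json` emits on npm 7 and later, showing how many findings sit in indirect dependencies, which have no fix yet, and whether the build should fail. The report is constructed, its package names and advisory titles are made up, and the `failAt` threshold is an assumption of this example.

```javascript
// Constructed report in the shape of `npm audit --json` (npm 7+). Names and titles are made up.
const report = {
  auditReportVersion: 2,
  vulnerabilities: {
    "linter-x": { name: "linter-x", severity: "high", isDirect: true, via: ["colour-y"],
      fixAvailable: { name: "linter-x", version: "2.0.0", isSemVerMajor: true } },
    "colour-y": { name: "colour-y", severity: "high", isDirect: false, via: ["convert-v"],
      fixAvailable: true },
    "convert-v": { name: "convert-v", severity: "high", isDirect: false,
      via: [{ title: "Constructed advisory A", severity: "high" }], fixAvailable: true },
    "parser-q": { name: "parser-q", severity: "moderate", isDirect: false,
      via: [{ title: "Constructed advisory B", severity: "moderate" }], fixAvailable: false },
  },
};

const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function triage(report, failAt = "high") {
  const rows = Object.values(report.vulnerabilities || {}).map((v) => ({
    name: v.name,
    severity: v.severity,
    indirect: !v.isDirect,
    // fixAvailable is false, true, or an object describing the required upgrade
    fix: v.fixAvailable === false ? "none"
      : v.fixAvailable === true ? "available"
      : `upgrade ${v.fixAvailable.name} to ${v.fixAvailable.version}`,
    // object entries in `via` are advisories; string entries name the
    // vulnerable dependency this package inherits the finding from
    advisories: v.via.filter((x) => typeof x === "object").map((x) => x.title),
    inheritedFrom: v.via.filter((x) => typeof x === "string"),
  }));
  const blocking = rows.filter((r) => RANK[r.severity] >= RANK[failAt]);
  return {
    rows,
    indirectShare: rows.length ? rows.filter((r) => r.indirect).length / rows.length : 0,
    noFix: rows.filter((r) => r.fix === "none").map((r) => r.name),
    exitCode: blocking.length ? 1 : 0, // non-zero fails the CI job
  };
}

console.log(triage(report));
```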

All stats are taken from various articles published on the Snyk blog.