Finding Security Vulnerabilities In Web App Dependencies

Could you vouch for the security of every dependency included in the web applications hosted on your servers? Almost certainly not. Modern web applications are the peak of a mountain composed of perhaps hundreds of software packages. It’s beyond the ability of developers to check every line of every package for potential security vulnerabilities. I don’t want to single out any ecosystem for criticism, but this is a particular problem in the JavaScript world, where it’s normal to pull in a vast number of external packages from NPM.

This is not a new problem, but it’s one that’s been exacerbated in recent months with the increased prevalence of supply chain attacks. Criminals seek out vulnerable software projects in the knowledge that the code is almost always installed without a developer ever looking at it. However, there are tools to help developers and server administrators to identify security risks in software dependencies.

NPM Audit

NPM 6 was released in the middle of last year, and it includes a couple of tools that can highlight insecure or compromised software. In 2018, NPM acquired the Node Security Platform, a database of known JavaScript vulnerabilities. NPM 6 includes functionality built on the Node Security Platform. When a developer adds dependencies to a project, NPM warns them if any insecure packages are installed.

That’s useful when adding new dependencies, but what about projects with an established set of dependencies? The new npm audit command recursively reviews a project’s dependency tree, highlighting potential vulnerabilities and offering suggestions for secure package versions that can replace the affected code.

In NPM 6.1, this functionality was further extended with the addition of npm audit fix, which acts on the information in the audit reports, automatically installing secure versions of vulnerable packages without installing packages with breaking changes.
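Teams usually wire `npm audit` into CI so that a build stops when the report contains anything above a chosen severity. The script below is an added example, not code from the article or from NPM itself: it applies such a gate to the JSON report that `npm audit --json` writes in NPM 6, using a constructed sample report whose package names, versions and advisories are made up.

```javascript
// Added example (not from the article): gate a CI build on the JSON report
// written by `npm audit --json`, using the npm 6 report shape.

// Constructed sample report: the structure follows npm 6 output, but the
// advisories, package names and versions are made up for this example.
const SAMPLE_REPORT = {
  advisories: {
    '0': {
      module_name: 'example-markdown-lib',
      severity: 'high',
      title: 'Constructed: regular expression denial of service',
      patched_versions: '>=2.0.1',
      findings: [{ version: '1.9.3', paths: ['example-app>example-markdown-lib'] }],
    },
    '1': {
      module_name: 'example-color-util',
      severity: 'low',
      title: 'Constructed: prototype pollution',
      patched_versions: '>=1.4.0',
      findings: [{ version: '1.3.2', paths: ['example-app>example-cli>example-color-util'] }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Advisories at or above `threshold`, each with the dependency paths that pull
// the vulnerable version in and the version range that fixes it.
function findBlockingAdvisories(report, threshold) {
  const minRank = SEVERITY_RANK[threshold];
  return Object.values(report.advisories || {})
    .filter((adv) => (SEVERITY_RANK[adv.severity] || 0) >= minRank)
    .map((adv) => ({
      module: adv.module_name,
      severity: adv.severity,
      patched: adv.patched_versions,
      paths: adv.findings.flatMap((f) => f.paths),
    }));
}

// Gate verdict: true means the build may proceed at this threshold.
function auditPasses(report, threshold) {
  return findBlockingAdvisories(report, threshold).length === 0;
}

// In CI, replace SAMPLE_REPORT with JSON.parse of the captured `npm audit --json` output.
for (const b of findBlockingAdvisories(SAMPLE_REPORT, 'moderate')) {
  console.log(`${b.severity}: ${b.module} (fixed in ${b.patched}) via ${b.paths.join(', ')}`);
}
console.log(auditPasses(SAMPLE_REPORT, 'moderate') ? 'audit gate passed' : 'audit gate FAILED');
```

NPM 7 and later changed the report layout (entries are keyed by package name under `vulnerabilities`), so the field names read here apply to the NPM 6 format only.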

GitHub Security Alerts

If you use GitHub to version control your projects, you can take advantage of the platform’s built-in security alerts. GitHub tracks vulnerabilities published on the Common Vulnerabilities and Exposures (CVE) List. When security alerts are activated, GitHub identifies repositories that use software for which there is a vulnerability record, sending alerts to the repository owner.

It should be stressed that neither of these methods is foolproof. If a vulnerability isn’t included in a database — which is, by definition, the case for zero-day vulnerabilities — NPM and GitHub can’t tell you about it. Vulnerability notification systems aren’t a replacement for diligence when choosing dependencies for your project. But given the complexity of modern dependency trees and the need to trust external software, the tools we’ve discussed can catch vulnerabilities that would otherwise put users and data at risk.
