Software developers are depending more and more on third-party code, or dependencies, when building their applications. Rather than reinvent the wheel for tasks such as logging and authentication, developers often pull in open-source code. That can create security problems for software writers, as the recent mammoth breach at credit services company Equifax illustrated.
The Equifax breach, which compromised sensitive information about roughly 143 million Americans, resulted from the use of a vulnerable Apache Struts component. The vulnerability had been discovered and patched by the Apache community, but Equifax’s coders hadn’t gotten around to upgrading the component.
Recognizing the threat that dependencies pose to applications, GitHub has introduced a new tool, the dependency graph, that leverages GitHub’s enormous collection of open-source data to help developers better manage dependencies. Developers working on GitHub can access the dependency graph from within their repositories and see all packages and applications their code depends on, as well as the repositories that depend on their code.
Will the dependency graph move the needle on application security?
Where GitHub got it right
In addition to tracking dependencies, GitHub promises to add security alerts to the dependency graph. Through the tool, developers will be able to track when dependencies are associated with publicly known security vulnerabilities. They’ll be notified when a vulnerability is detected and, in some cases, receive suggestions for security fixes from the GitHub community.
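The alerting step described above reduces to a matching problem: take the exact dependency versions a repository declares, and compare them against published advisories that state which version range is affected and in which version the fix landed. The script below is an added illustration of that step, written for this article; it is not GitHub's implementation. The package names, version numbers and advisory identifiers (`webfw`, `EXAMPLE-2017-001`, and so on) are constructed for the example. It also shows the caveat a practitioner would want: a dependency that is not pinned to an exact version cannot be matched against an advisory at all, which is one reason lockfiles matter.

```python
"""Match pinned dependencies against a list of known advisories.

Added illustration, not GitHub's code: the dependency graph's security alerts
boil down to comparing declared dependency versions against advisories that
carry an affected range and a fixed version.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample manifest in pip requirements.txt style. Package names
# and versions are hypothetical, chosen to exercise each code path.
SAMPLE_REQUIREMENTS = """\
# web stack
webfw==2.3.4
logkit==1.9.0
authlib==0.8.2
jsonparse>=1.0     # unpinned: cannot be checked precisely
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first patched version (exclusive); None = no fix yet
    summary: str


# Constructed advisory list; real feeds carry the same shape of data
# (identifier, package, affected range), but these entries are made up.
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-2017-001", "webfw", "2.0.0", "2.3.5",
             "remote code execution via crafted header"),
    Advisory("EXAMPLE-2017-002", "logkit", "1.5.0", "1.8.0",
             "log injection"),
    Advisory("EXAMPLE-2017-003", "authlib", "0.8.0", None,
             "session fixation, unpatched"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.4' into (2, 3, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True if `version` falls in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$")
NAME_RE = re.compile(r"^([A-Za-z0-9_.-]+)")


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({name: pinned_version}, [names not pinned with ==])."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not stripped:
            continue
        m = PIN_RE.match(stripped)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            n = NAME_RE.match(stripped)
            if n:
                unpinned.append(n.group(1).lower())
    return pinned, unpinned


def find_vulnerable(requirements: str, advisories: List[Advisory]) -> List[str]:
    """One alert per advisory that matches a pinned version, plus one per unpinned dependency."""
    pinned, unpinned = parse_requirements(requirements)
    alerts: List[str] = []
    for adv in advisories:
        version = pinned.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            fix = f"upgrade to >= {adv.fixed}" if adv.fixed else "no fixed version published"
            alerts.append(f"{adv.package}=={version}: {adv.advisory_id} ({adv.summary}); {fix}")
    for name in unpinned:
        alerts.append(f"{name}: not pinned to an exact version, cannot be matched against advisories")
    return alerts


if __name__ == "__main__":
    for alert in find_vulnerable(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
        print(alert)
```

Run against the constructed manifest, the check flags `webfw` (affected, fix available), flags `authlib` (affected, no fix published yet), stays quiet on `logkit` (already past the fixed version), and reports `jsonparse` as unverifiable because it is not pinned. The `webfw` case is the Equifax pattern: the upstream fix exists, and the alert's only job is to say the project has not moved to it.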
Awareness doesn’t equate to action
Developers are aware of the risks third-party components pose to their applications, but many do nothing about them. A new survey of 300 CTOs, CIOs, and developers by NodeSource, a Node.js company, and Sqreen, a maker of SaaS security monitoring and protection software, said as much. In that study, 40% of developers said third-party modules posed the greatest risk to application security. But 40% of coders also admitted to not checking for third-party vulnerabilities in their own apps.
“A lot of times, components have vulnerabilities in them, and developers aren’t kept aware of them,” said Code Dx’s Prole. “They’ll pull in a dependency and just forget about it. They never go back to see if there have been any issues with it.”
“Developers have so many demands on them to get releases out, they don’t have time to think about checking vulnerabilities in dependencies.”