Government Security News April May 2015
Vulnerabilities in your software?
Continued from page 11
urges software developers to use the newest versions of third-party components, with the most recent vulnerability patches, as older versions are not always updated. Although time-consuming, OWASP recommends making sure all components and their versions are identified and that the security of these components is frequently monitored. They also suggest establishing tight security policies regarding the use of components, and considering security wrappers around components to disable unused functionality and/or secure weak or vulnerable aspects of the component.
Identification Tools
Furthermore, OWASP advises developers to use tools that are specifically designed to identify vulnerabilities in third-party components and open-source software. Some examples include Dependency-Check, an open-source tool used to scan Java and .NET applications and their dependent libraries to identify any known, publicly disclosed vulnerabilities, as well as Retire.js, another popular tool that helps detect vulnerable JavaScript components.
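The inventory-and-monitor practice described above, and the kind of version check the identification tools perform, as an added example in Python (not code from the article, from OWASP, or from any tool it names): each component in an inventory is compared against an advisory list and flagged when its installed version is below the patched one. The component names, versions and advisory identifiers are constructed placeholders, not real records.

```python
"""Component inventory check (added example, not from the article or any tool it names).
Flags components installed below an advisory's patched version. All names, versions and
advisory ids below are CONSTRUCTED placeholders, not real vulnerability records."""
import re
from typing import NamedTuple

def parse_version(v: str) -> tuple:
    """'2.3.1' -> (2, 3, 1); leading digits of each field are used, padded to 3 fields."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return (tuple(parts) + (0, 0, 0))[:3]

class Advisory(NamedTuple):
    component: str  # name as it appears in the inventory
    fixed_in: str   # first version carrying the patch
    ident: str      # placeholder identifier, not a real CVE

# Constructed advisory feed standing in for a real vulnerability database.
ADVISORIES = (
    Advisory("example-json-lib", fixed_in="2.4.0", ident="EXAMPLE-ADV-0001"),
    Advisory("example-xml-parser", fixed_in="1.1.5", ident="EXAMPLE-ADV-0002"),
)

SAMPLE_INVENTORY = """# constructed sample inventory, 'name==version' per line
example-json-lib==2.3.1
example-xml-parser==1.1.5
example-logger==4.0.0
"""

def parse_inventory(text: str) -> dict:
    """Parse 'name==version' lines into {name: version}; blanks and comments skipped."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        inventory[name.strip().lower()] = version.strip()
    return inventory

def find_vulnerable(inventory: dict, advisories=ADVISORIES) -> list:
    """Return (component, installed, fixed_in, ident) for each affected component."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.component)
        if installed is not None and parse_version(installed) < parse_version(adv.fixed_in):
            findings.append((adv.component, installed, adv.fixed_in, adv.ident))
    return findings
```

A component already at the patched version (example-xml-parser here) is not reported, and a component with no advisory is ignored; a real feed would replace the constructed ADVISORIES tuple.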
In addition, solutions developed by Sonatype and Black Duck Software are also helping to address the third-party component challenge. Sonatype offers a patented approach to provide software developers and security analysts with valuable data on component vulnerabilities. This data can then be integrated with other tools, such as application security testing tools, to ensure an application is free of vulnerabilities. Black Duck offers a range of code scanning and code matching products and services that provide users with visibility into their code assets, help them discover what open source code is used within specific applications, direct them to the code origin and code provenance, and assist them with license identification.
Take the Necessary Precautions
In recent years, software providers have become increasingly aware of potential vulnerabilities in their code, and many have taken steps to reduce the weaknesses in their custom code. However, with applications using approximately 30 or more third-party components, their security measures must extend beyond their own code. All it takes is one vulnerable component to enable an attacker to gain access to mission-critical data or take down an entire enterprise. By leveraging application security testing solutions that focus on the custom code in conjunction with tools that identify vulnerabilities in third-party components, software developers will be able to more quickly find and fix weaknesses throughout the software development lifecycle and prevent malicious cyber security attacks.