Open source public repositories can pose a number of threats to organizations due to malicious practices such as typosquatting, dependency confusion, and introducing malware.
However, due to the complexity of software and the speed at which it needs to be delivered in a competitive marketplace, engineers have no choice but to rely on third-party, external libraries to create innovative applications faster. Despite the fact that open source dependencies are widely used, thoroughly tested, and often have vulnerabilities crop up and get resolved far faster than proprietary code, coding with open source is not without risk.
This article examines some of the risks of using external dependencies in software development, as well as ten popular tools that can prevent the accidental inclusion of malicious software in your products, no matter the vector. Specifically, we’ll look at how to avoid the dangers related to typosquatted packages, dependency confusion, and malware, and then examine different tools and services that you can use to mitigate these threats.
Open Source Threats: Know Your Enemy
Software engineers need to understand the potential issues that might be encountered when adding new dependencies or updating existing dependencies in the runtime environment on which their code runs. Some of the most common threats include:
- Typosquatting – also known as URL hijacking, typosquatting occurs when malicious actors create compromised packages that are almost identical in feature/functionality to commonly used dependencies, but named slightly differently in the hope that developers will mistype their install command. These packages typically function as expected while the embedded malware or malicious code executes its exploits.
- “Malware” is short for “malicious software.” Malware includes viruses, trojan horses, ransomware, spyware, and other exploits that can wreak havoc on your software, computer systems, customers, and users.
Engineers too often assume that the open source packages used by their organization are safe and well maintained, but this is not always the case. In fact, there’s no guarantee that the package you’re adding to your runtime environment is free from malware. Instead of blindly trusting public repositories, it’s always a good precaution to perform at least limited checks on what gets imported into the organization.
Open Source Threat Tools
This section examines some of the top tools that can be integrated with common software development processes in order to provide a layer of protection against open source dependency threats. The solutions run the gamut from open source tools to commercially sold software. Similarly, the software ranges from point solutions for specific threats to open source security platforms. Collectively, they can help you erect a powerful, ind-depth defence, but even individually they can provide an effective solution depending on your need.
UpGuard is a third-party risk and attack surface management platform. It’s a paid solution that can protect your organization from a wide range of attacks and vulnerabilities, and it includes a typosquatting module. As a platform provider, they are focused on evolving and improving their offerings, as well as supporting their users.
UpGuard is a paid service with a variety of pricing models to fit your needs. They offer a 7-day free trial following an onboarding call (which includes a demo). They provide services to a wide range of security-conscious organizations, such as the New York Stock Exchange.
- Pros: low barrier to entry; ease of use
- Cons: frequent false positives; support team can be hard to reach in a timely manner
The Python Package Index (PyPI), is an online repository that houses Python packages in all shapes and forms. Its accessibility is both a blessing and a curse, making it simple to download packages that can accelerate Python development, but also making it easy for nefarious coders to upload malware. PyPI is also rife with examples of typosquatting and dependency confusion candidates.
Pypi-scan is a command line utility that helps security engineers identify potential typosquatting packages. It also assists software engineers in ensuring that the package they’re including is what they intend it to be. Pypi-scan is especially adept at finding possible typosquatting packages, but it lacks intelligence and the analytical ability to identify those containing malware.
- Pros: freely available open source software
- Cons: limited in scope to PyPI only; needs to be paired with a malware scanner for maximum effectiveness
The Tidelift Catalog
The Tidelift catalog takes a different approach to protecting organizations from potential dangers, acting as a freely available online reference that includes thousands of popular open source packages (over 7,000 packages at time of writing) from multiple ecosystems, and provides recommendations as to which packages/versions are considered safe to use.
If you subscribe to the Tidelift catalog, you can get further information about each package, including open source licensing, plus end-of-life and deprecation timelines. In cases where vulnerabilities are present in a package, the service also provides proven workarounds. Pricing is based on the size of your development team. In addition to the catalog, a support team is also available to help troubleshoot problems, as well as to consider catalog additions and enhancement requests.
- Pros: Tidelift maintainer partners can provide additional, confidential information
- Cons: limited size of catalog
If your tech stack is NodeJS and you’re concerned about dependency confusion, Loki is a tool that can help you shore up your software supply chain security and prevent attacks. Using Loki, engineers can scan their projects and identify potential vulnerabilities. In addition to scanning, Loki also has an “attack mode” that lets engineers explore potential vulnerabilities without compromising the integrity of the base project.
Loki is an open source project, which can remove many barriers for inclusion in a solution intended to protect enterprises from open source threats. It has proven itself to be a popular tool among NodeJS developers for preventing the introduction of vulnerabilities into their code.
- Pros: open source solution; one of only a few dependency confusion tools
- Cons: not really a scanner, but rather an enabler of “what if” attack scenarios
Nexus Firewall by Sonatype
Nexus Firewall takes a slightly different approach to protecting your software projects from actual and potential threats posed by imported dependencies. With the Firewall in place, all imported dependencies pass through it and are classified as safe, suspicious, or malicious. Safe components are allowed through, while suspicious and malicious files and packages enter a quarantine area.
The Sonatype security team reviews every component/dependency identified as suspicious in order to reclassify them as either safe, in which case they are allowed to continue, or malicious, in which case they remain unavailable for use. Nexus Firewall is a platform that leverages Nexus’ experience within the malware space, and combines it with the power of machine learning to make intelligent decisions. Pricing is determined based on the number of engineers it supports.
- Pros: automated out-of-the-box rules, but customizable for your needs
- Cons: purchased as part of the larger Nexus Lifecycle platform, rather than a point solution
BluEye by BluSapphire
BluEye is a malware detection solution that proactively scans incoming files and packages against an extensive and growing collection of malware samples. This approach ignores what a package is, and focuses instead on whether the contents represent a potential threat.
The BluSapphire Platform provides a wide range of modules that you can use to protect your organization from potential threats, including the BluEye Sandbox, which automatically performs static and binary analyses to identify malware contents within code packages. But the Platform also offers a wide range of security capabilities, from advanced threat management to threat detection services to post-mortem tools that can help investigate attacks and exploits against your systems.
As with the other commercially sold security platforms included in this list, the BluSapphire Platform requires a substantial financial investment. In exchange, BluSapphire offers best-in-class tools and support services designed to limit security breaches and attacks in your organization.
- Pros: best-in-class solution
- Cons: purchased as part of a larger security platform, rather than a point solution
GitLab Dependency Scanning
As a code repository solutions provider, GitLab and similar providers (such as GitHub) include dependency scanning as part of their premium offering. Situated at the heart of the software lifecycle, GitLab is an integral part of the development and deployment process, and is therefore an excellent place to perform dependency and vulnerability scans.
You can configure GitLab Dependency Scanning to regularly scan all repositories on a regular schedule, or else based on some criteria, such as when new or modified code has been added. Scanning is supported for various languages, from Ruby to .NET to Python and Java. With the growing adoption of technologies like Docker and Kubernetes, it’s important to note that GitLab Dependency Scanning can also scan container images for vulnerabilities located in the container’s operating system and language-specific binaries.
- Pros: scans both code repos and container contents
- Cons: only available with premium support
Black Duck by Synopsys
Black Duck Software Composition Analysis is a commonly used SCA tool that helps organizations identify:
- Open source dependencies in a codebase
- Security of a codebase, including any vulnerabilities present
- Open source licensing information
- Code quality of a codebase
In this way, Black Duck can help mitigate the threat posed by malware and dependencies containing exploitable code.
Black Duck combines several risk detection and mitigation services for comprehensive coverage of the composition of your software. The service analyzes files and dependencies for known exploits, but it also performs deeper binary analyses to identify emerging threats. In addition, it can identify open source code contained in compiled libraries and applications at runtime.
Finally, the service can scan your proprietary source code for code snippets that may have been gleaned from open source libraries. This is important as it can put your organization at legal risk for license and copyright violations.
- Pros: identifies open source code mistakenly included in proprietary code
- Cons: high frequency of false positives
Software is continually evolving and improving, but engineers too often grow accustomed to using a standard version of a library without consideration for improvements made in subsequent versions. The result is new software that relies on outdated and potentially vulnerable dependencies. RetireJS is a NodeJS-based utility that seeks to remedy this problem by identifying old and deprecated dependencies that should be updated or retired from use.
RetireJS can be used as a command line utility or integrated into various development processes (such as gulp or burp) to identify and report on packages that should be retired. As with Loki and pypi-scan, this open source tool relies on donations and community involvement. However, it is an excellent first line of defense that you can integrate into your daily development activities.
- Pros: simple, easily-integrated open source tool
- Cons: limited to NodeJS
Last but not least, SonarQube is a Static Application Security Testing (SAST) tool that can be integrated into a development environment to identify security issues during code review, or else used as a quality control mechanism within a CI/CD pipeline. It automatically identifies bugs, security issues, vulnerabilities, etc and surfaces each issue in a comprehensive report.
SonarQube is available through a tiered pricing model from the free community edition to subscriptions based on the number of lines of code (LOC) in your codebase, plus a few different commercial support options. The tool is used and trusted by many of the world’s largest technology enterprises, and as such, it is not uncommon to see engineers citing their experience with this tool on their résumés.
- Pros: automated, best-in-class SAST tool
- Cons: frequently identifies false positives
As security-conscious IT professionals, we should all be aware of the risks involved with using external libraries and dependencies in our code. With delivery timelines shortening and application complexity increasing, incorporating these external resources in our codebase is unavoidable, but it’s vital we develop secure and well-defined processes to mitigate risks.
As you look at your options, you’ll find far more security solutions than can be included in a single blog post like this one simply because of the wide range of software supply chain threats that exist. While you might consider assembling a number of solutions to address as wide a range of exploits as possible, cobbling together multiple solutions is both time and resource intensive (not to mention pricey).
Instead, consider using a comprehensive, out-of-the-box solution like the ActiveState Platform, which can help ensure your developers always work with open source packages whose security and integrity are assured. A well-supported, comprehensive security solution limits risk and exposure while ensuring that you are doing your best to keep everyone safe – and helps the organization stay within budget constraints, as well.