
How Can Devs Keep up With the Library Security Devil?


So, you don’t have the budget to buy Contrast, but you want your developers to be on top of the security of your open source libraries. No problem! Here’s a few simple tips and tricks to staying current.


Get on the User and Developer Mailings Lists for All Your Libraries

Sometimes vulnerability notices are released on the author’s mailing list for library users.

So, each application utilizes, on average, 71 libraries. This is easy -- just subscribe your team leads to those 142 mailing lists! The tricky part is that your application's libraries change so often. We suggest you add a post-commit hook to notify you when libraries change, so you can get on the new lists.

We also hope you have a Ph.D. in writing mail filters, because wow, that will rapidly become a noisy inbox.

Watch the CVE Data Dump Every Week

MITRE releases a data dump every week of the newly published vulnerabilities in their well-known format. You'll need to write a parser and scan for the relevant libraries that your apps are using. Don't worry, there are no standards or patterns here. So, you'll have a lot of fun trying to match their entries with your libraries!

Also, make sure that only the teams that are using a particular library get the CVE notification. That means you’ll need to somehow get a continuous bill-of-materials for all your apps.
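Here is what the "parser that matches their entries with your libraries" boils down to, as an added example that is not part of the original article. It assumes CVE entries carrying CPE 2.3 match strings with optional version bounds and a bill of materials read from a Maven dependency tree; the entry IDs and library names are constructed placeholders, not real vulnerabilities.

```python
import re

# Constructed sample of CVE entries: CPE 2.3 match strings plus optional version bounds.
# IDs and product names are placeholders, not real vulnerabilities.
CVE_ENTRIES = [
    {"id": "CVE-0000-0001", "cpe23": "cpe:2.3:a:acme:widget_lib:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "3.2.2"},
    {"id": "CVE-0000-0002", "cpe23": "cpe:2.3:a:acme:json-mapper:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "2.9.0", "versionEndExcluding": "2.9.10"},
    {"id": "CVE-0000-0003", "cpe23": "cpe:2.3:a:acme:widget_lib:3.2.1:*:*:*:*:*:*:*"},
]

# Constructed bill of materials as (groupId, artifactId, version) from a Maven dependency tree.
BOM = [
    ("com.acme", "widget-lib", "3.2.1"),
    ("com.acme.json", "json-mapper", "2.9.10"),
    ("org.example", "logging-api", "1.7.30"),
]

def normalize(name):
    """Collapse case and separators so 'widget_lib', 'widget-lib' and 'WidgetLib' compare
    equal. This heuristic is the 'no standards or patterns' part of the job."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def version_key(v):
    """Turn '3.2.1' into (3, 2, 1); non-numeric parts become 0 so comparison never crashes."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

def in_range(version, entry, cpe_version):
    """True when the BOM version falls inside the entry's affected range."""
    v = version_key(version)
    if cpe_version not in ("*", "-"):  # exact version pinned inside the CPE string itself
        return v == version_key(cpe_version)
    if "versionStartIncluding" in entry and v < version_key(entry["versionStartIncluding"]):
        return False
    if "versionEndExcluding" in entry and v >= version_key(entry["versionEndExcluding"]):
        return False
    return True

def match_bom(entries, bom):
    """Return (cve_id, groupId:artifactId, version) for every BOM item an entry covers."""
    hits = []
    for e in entries:
        parts = e["cpe23"].split(":")  # ['cpe', '2.3', 'a', vendor, product, version, ...]
        _vendor, product, cpe_version = parts[3], parts[4], parts[5]
        for group, artifact, version in bom:
            if normalize(product) == normalize(artifact) and in_range(version, e, cpe_version):
                hits.append((e["id"], f"{group}:{artifact}", version))
    return hits
```

Note that json-mapper 2.9.10 is not reported: the exclusive upper bound is exactly what makes off-by-one range handling the part of this script you will get wrong first.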

Get on Twitter!

We're almost there. The CVE folks decided last year that they just can't keep up with all the vulnerabilities in software. The Node.js community doesn't even bother with CVEs anymore because they couldn't keep up. So, they built their own system. To compensate for these critical holes, you're gonna need Twitter.

On Twitter, you can be directly connected to a lot of the security researchers that are on the forefront of application security. You can also learn about other professions that may be less stressful than application security.

Pull Applications out of Production When a New Vulnerability Is Discovered

Be careful, there are plenty of these every week, so you'll want to be quick about disabling your business. After pulling your app and pissing off your customers, you can begin pissing off your developers. They'll have to update the library and re-code your application to match any new APIs, re-test to make sure you didn't break anything, and re-deploy your applications. Easy!

Conclusion

I think I’ve given you a very simple guide on how to make sure you’re in the loop on library security. Now, what about unknown vulnerabilities in your open source libraries?

Well, the charade is up — you actually do need Contrast Security for that!
