Over a million developers have joined DZone.

SafeNuGet in Action: Finding Packages with Known Security Vulnerabilities on Top of Visual Studio 2012

DZone's Guide to

SafeNuGet in Action: Finding Packages with Known Security Vulnerabilities on Top of Visual Studio 2012

· ·
Free Resource

As software applications get more distributed and complicated, there is a need to rely on third party components in order to make your application scalable and reliable. As an example of this behavior, we can take a look at the download statistics at nuget.org.  

As described in the Web page "NuGet is the package manager for the Microsoft development platform including .NET". At the time of writing this article (March of 2014) this is the list of most downloaded packages:

And the below image shows up the number of current packages available at NuGet:

However, if any of those packages had a known security vulnerability and you add it to your application, you are adding a  new risk into your application and directly to your organization. To give you an idea on how serious this can be, the OWASP Foundation in the latest OWASP Top 10 2013, which is the top 10 list of security risk that affects Web applications, has include a new application security risk called Using Components with Known Vulnerabilities and you can read more about it from here 

Using components with known vulnerabilities opens the door to compromise your application, therefore having a list of those components (and it's versions) is key to make sure that we are not going to introduce a risk in our organization. Having said that, a centralized repository that tracks those versions is really necessary. In encourage you to take a look at the SafeNuGet feed and send a pull request if you think there is a known vulnerability on any NuGet package that we are not aware of. The feed is this https://github.com/OWASP/SafeNuGet/blob/master/feed/unsafepackages.xml.

Hands on Lab: Adding SafeNuGet into ASP.NET MVC 4 application.

Adding SafeNuGet to your projects is fairly simple. In this case we just created a ASP.NET MVC4 application from scratch . Visual Studio will create for you some templates and it will add some packages in your solution, at the time of writing this blog (February 2014) and using Visual Studio 2012 here are the packages added automatically:

Now let's add SafeNuGet to our solution using the standard way:

That's it. Now when you compile the project, SafeNuGet will notify you if there is any package with a known vulnerability in your application. The results are impressing.

There is a warning indicating that one of the library in our solution is vulnerable. Let's confirm that jQuery UI version was added:

This is the security issue created, which was opened here http://bugs.jqueryui.com/ticket/6016

It seems like there was a potential Cross-Site Scripting (XSS) vulnerability in the  UI dialog title. As far as we can see,the issue was addressed in a newest version that clearly we are not using yet.

In this article we can see that our ASP.NET MVC project has a component(or package) with a known vulnerability, however having a component with a known security issue does not stricly means that your application is vulnerable or that you have translated the risk to your application and to your organization. Having said that, there might be some scenarios where a component with a security problem has been added to your application but you might not be using it yet.

However is very important to put an eye on those components. It's also very important to know the security issues or bugs that a component has in order to make a informed decision on whether or not include it into your application.

If you want to know more about SafeNuGet, I encourage you to look at the OWASP Project page 


Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}