Managing Open Source Vulnerabilities in DevOps

Published August 12, 2020

Ed Tittel HeadshotWRITTEN BY ED TITTEL 

Ed Tittel is a long-time IT industry writer and consultant who specializes in matters of networking, security, and Web technologies. For a copy of his resume, a list of publications, his personal blog, and more, please visit www.edtittel.com or follow @EdTittel

If you use open-source code frameworks, libraries, and code components and take advantage of code-scanning technologies, sooner or later you’ll find yourself in an interesting situation: learning that a code element is subject to a known threat or vulnerability.

You’ll have to obtain a remedy of some kind. This might come in the form of remediation code, such as a patch, fix or update for the vulnerable code element. Or it may manifest as remediation advice — probably a description of alternate code elements or other workarounds to avoid reported threats and vulnerabilities.

First things first: understand and prioritize

Whenever you use a code scanner to review code for threats and vulnerabilities, it will provide a report that lists what it finds. It should also assign a severity level to each item, so you’ll have some idea of how important it is to patch or remediate, depending on what you find.

Items are usually ranked numerically (in the manner of CVSS) or according to a named severity level (see the diagram below). The higher the number, or the more severe the level named, the more important it is to act quickly.


Severity Levels

CVSS V3 SCORE RANGESEVERITY IN ADVISORY
0.1 – 3.9Low
4.0 – 6.9Medium
7.0 – 8.9High
9.0 – 10.0Critical
The closer things get to the bottom of the chart, the more important it is to act fast.

Of course, there is also likely to be some time and effort involved in adding patches, fixes, and updates in the development branch, as well as for associated testing. Ditto for implementing remediation advice and workarounds, except there will be even more time and effort involved.

Even for the most pressing of items, it may be necessary to pass notice to your users first (and to suggest interim workarounds), and then provide changes and fixes as soon thereafter as your update process will allow.

On the other hand, for vulnerabilities with low rankings for which there aren’t any known exploits in the wild, it may be OK to integrate any related updates or workarounds into your regular update cycle, and simply add another item to that planned release’s to-do list.

Patches are easy; remediation can be tricky

When library, framework or other open source code elements are involved and a fix, patch or update is available, you need only generate a new executable that integrates those changed elements for distribution. This can usually happen quickly and may not take much time or effort to prepare. Nevertheless, it’s important to stick to QA and testing regimes, and to make sure that what you provide to customers and users does not make things worse.

Remediation advice can be an entirely different animal. It may involve scripting configuration and installation changes, or documenting configuration changes for third-party software or services such as firewalls, URL filters, whitelist/blacklist data and so forth. It may involve replacing existing API calls with different but equivalent API calls to keep your code working, but in new and different ways, all of which must be tested and vetted carefully before release to production can occur. It may involve replacing sections of code that have compromised API calls with temporary stubs that avoid those calls to elude potential vulnerabilities.

You won’t know what you’re up against until you read the remediation advice, understand what it’s telling you, and determine what kinds of code changes are necessary to enact that advice

Kiuwan’s scans help build better code

Products like Kiuwan Code Analysis (QA) and Code Security (SAST) help developers in three ways.

Kiuwan’s code-scanning solution provides metrics to help programmers (and testers) understand how their code ranks in terms of key characteristics such as maintainability, portability, efficiency, and reliability. It will give line-by-line remediation advice to help speed up the development process and to improve the quality of the resulting code it’s used to create and maintain.

And when security comes into play as vulnerabilities are reported and must be dealt with, Kiuwan’s Insights (SCA) helps to identify and remediate threats from open-source components. Meanwhile, Kiuwan Code Security checks the code base against key third-party security standards such as OWASP while making sure code is thoroughly reviewed through application security testing, static code analysis, buffer overflow analysis, SQL injection, and cross-site scripting avoidance, and more.

Finally, Kiuwan’s automated security solutions are engineered to fit well into any development methodology, whether you’re applying DevOps or a more traditional structured approach. Look to Kiuwan to help you deal with vulnerabilities and remediation advice as it applies to your codebase.

Go to Kiuwan.com to learn more about what’s on offer, request a trial or contact the company.

Scan your code with Kiuwan banner