If you use open-source code frameworks, libraries, and code components and take advantage of code-scanning technologies, sooner or later you’ll find yourself in an interesting situation: learning that a code element is subject to a known threat or vulnerability.
You’ll have to obtain a remedy of some kind. This might come in the form of remediation code, such as a patch, fix or update for the vulnerable code element. Or it may manifest as remediation advice — probably a description of alternate code elements or other workarounds to avoid reported threats and vulnerabilities.
First things first: understand and prioritize
Whenever you use a code scanner to review code for threats and vulnerabilities, it will provide a report that lists what it finds. It should also assign a severity level to each item, so you’ll have some idea of how important it is to patch or remediate, depending on what you find.
Items are usually ranked numerically (in the manner of CVSS) or according to a named severity level (see the diagram below). The higher the number, or the more severe the level named, the more important it is to act quickly.
|CVSS V3 SCORE RANGE||SEVERITY IN ADVISORY|
|0.1 – 3.9||Low|
|4.0 – 6.9||Medium|
|7.0 – 8.9||High|
|9.0 – 10.0||Critical|
The closer things get to the bottom of the chart, the more important it is to act fast.
Of course, there is also likely to be some time and effort involved in adding patches, fixes, and updates in the development branch, as well as for associated testing. Ditto for implementing remediation advice and workarounds, except there will be even more time and effort involved.
Even for the most pressing of items, it may be necessary to pass notice to your users first (and to suggest interim workarounds), and then provide changes and fixes as soon thereafter as your update process will allow.
On the other hand, for vulnerabilities with low rankings for which there aren’t any known exploits in the wild, it may be OK to integrate any related updates or workarounds into your regular update cycle, and simply add another item to that planned release’s to-do list.
Patches are easy; remediation can be tricky
When library, framework or other open source code elements are involved and a fix, patch or update is available, you need only generate a new executable that integrates those changed elements for distribution. This can usually happen quickly and may not take much time or effort to prepare. Nevertheless, it’s important to stick to QA and testing regimes, and to make sure that what you provide to customers and users does not make things worse.
Remediation advice can be an entirely different animal. It may involve scripting configuration and installation changes, or documenting configuration changes for third-party software or services such as firewalls, URL filters, whitelist/blacklist data and so forth. It may involve replacing existing API calls with different but equivalent API calls to keep your code working, but in new and different ways, all of which must be tested and vetted carefully before release to production can occur. It may involve replacing sections of code that have compromised API calls with temporary stubs that avoid those calls to elude potential vulnerabilities.
You won’t know what you’re up against until you read the remediation advice, understand what it’s telling you, and determine what kinds of code changes are necessary to enact that advice
Kiuwan’s scans help build better code
Kiuwan’s code-scanning solution provides metrics to help programmers (and testers) understand how their code ranks in terms of key characteristics such as maintainability, portability, efficiency, and reliability. It will give line-by-line remediation advice to help speed up the development process and to improve the quality of the resulting code it’s used to create and maintain.
And when security comes into play as vulnerabilities are reported and must be dealt with, Kiuwan’s Insights (SCA) helps to identify and remediate threats from open-source components. Meanwhile, Kiuwan Code Security checks the code base against key third-party security standards such as OWASP while making sure code is thoroughly reviewed through application security testing, static code analysis, buffer overflow analysis, SQL injection, and cross-site scripting avoidance, and more.
Finally, Kiuwan’s automated security solutions are engineered to fit well into any development methodology, whether you’re applying DevOps or a more traditional structured approach. Look to Kiuwan to help you deal with vulnerabilities and remediation advice as it applies to your codebase.