
Secure code review: Part 3 - Test for vulnerabilities introduced by dependencies

Brian Vermeer 🧑🏼‍🎓🧑🏼‍💻 ・ 2 min read

Code reviews are hard to do well. Particularly when you're not entirely sure about the errors you should be looking for! The DevSecOps approach pushes security testing left so that vulnerabilities can be found and fixed earlier, in the design, development, or CI/CD stages of the workflow. It's always a good idea to check for security issues in code that you review. In case you don't know what to look for, check out this series to give you pointers for your next code reviews!

Test for new security vulnerabilities introduced by third-party open source dependencies

Modern application development is heavily dependent on third-party libraries. By using package managers like npm, Maven, Gradle, PyPI, or any equivalent, we have easy access to publicly available libraries and frameworks. As developers, we want to focus on specific business logic and not so much on creating boilerplate functionality, so using frameworks and libraries to do the heavy lifting is an obvious choice.

There's a good chance you don't know how many direct dependencies your application uses. When looking at an average project, your own code can be as little as 1% of the total; the rest is imported libraries and frameworks. A lot of the code that goes into production is simply not ours, but we depend on it heavily. It's also extremely likely you don't know how many transitive dependencies your application uses. Larger frameworks nowadays depend on other libraries that in turn depend on yet other libraries. By pulling in a single library or framework, chances are that you are pulling in at least a dozen more libraries and/or frameworks that you are not always aware of. This way, dependencies make up the majority of your overall application. Attackers target open source dependencies more and more, because their reuse gives a single malicious package or vulnerability many victims. For this reason, it's important to ensure there are no known vulnerabilities in the entire dependency tree of your application, not just in the direct dependencies you declared.

Let's use Snyk as an example. Snyk statically analyzes your project to find vulnerable dependencies you may be using and helps you fix them. You can test your repos through Snyk's UI to find issues, but also keep users from adding new vulnerable libraries by testing pull requests and failing the check if a new vulnerability was introduced. Automated fix PRs are also an option.

Depending on how you like to work, you can choose to connect your repository to the Snyk UI, or scan the project on your local machine using the CLI (check the CLI cheat sheet), an integration in your build system, or a plugin in your IDE. From the far left (the developer's local machine) to the far right (your system in production), and at every step in between, you should analyze your dependencies automatically to ensure quick feedback.
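To make the "direct versus transitive" point above concrete, here is a small added example (not Snyk's code or the author's) that walks an npm lockfile the way a dependency scanner does: it follows the root entry's dependencies through the tree, labels each package as direct or transitive, and flags any reachable version below a known fix version together with the path that pulled it in. The lockfile, package names, versions and the advisory are all constructed for the example, and a flat `node_modules` layout is assumed.

```python
import json
from collections import deque

# Constructed sample lockfile (npm lockfileVersion 2/3 "packages" map): the app
# declares ONE direct dependency, which pulls in two transitive ones.
# Package names, versions and the advisory below are all made up.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^1.0.0"}},
        "node_modules/web-framework": {"version": "1.0.0",
            "dependencies": {"arg-parser": "^1.2.0", "tiny-logger": "^2.0.0"}},
        "node_modules/arg-parser": {"version": "1.2.3"},
        "node_modules/tiny-logger": {"version": "2.0.1"},
    },
})

# Constructed advisory feed: package -> (first fixed version, advisory id).
ADVISORIES = {"arg-parser": ("1.2.6", "CONSTRUCTED-ADV-0001")}


def semver_tuple(v):
    """'1.2.3' -> (1, 2, 3); pre-release tags are dropped for this example."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def walk_dependencies(lock_json):
    """Return {name: (version, path_from_root, is_direct)} for every package
    reachable from the root entry, i.e. what the app really ships."""
    packages = json.loads(lock_json)["packages"]
    found = {}
    queue = deque((n, [n]) for n in packages[""].get("dependencies", {}))
    while queue:
        name, path = queue.popleft()
        if name in found:
            continue  # already resolved via a shorter path
        entry = packages["node_modules/" + name]  # flat layout assumed
        found[name] = (entry["version"], path, len(path) == 1)
        queue.extend((c, path + [c]) for c in entry.get("dependencies", {}))
    return found

def find_vulnerable(lock_json, advisories):
    """Flag reachable packages below an advisory's fix version, with the path
    showing which direct dependency pulled the vulnerable one in."""
    hits = []
    for name, (version, path, _direct) in walk_dependencies(lock_json).items():
        fixed_in, adv_id = advisories.get(name, (None, None))
        if fixed_in and semver_tuple(version) < semver_tuple(fixed_in):
            hits.append((adv_id, name, version, " > ".join(path), fixed_in))
    return hits
```

On the sample lockfile the only finding is the transitive `arg-parser@1.2.3`, reported via `web-framework > arg-parser`, which is exactly the kind of issue a review of `package.json` alone would never surface.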

Want to know more?

Check the complete Secure code review cheat sheet
