Five things I knew about security, before I knew anything about security

Hayley Denbraver 👩‍💻🥑 on August 04, 2019

I am a Developer Advocate for a company (Snyk) that specializes in helping devs find and fix security vulnerabilities in their open source dependen... [Read Full]
markdown guide
 

Super job - it's all very much common sense if you can approach information security from a human perspective, I'll bung in another couple I use and a war story (non-technical!)

Layered security: you keep important documents in a locked filing cabinet, inside your locked house (possibly in a private apartment block). This makes breaking multiple locks slower and riskier for the attacker - if it's not worth their time/risk they'll pick an easier target.

Separation of responsibilities: you have the key to a private mail box, however the post office staff must open the building for you to use it. An attacker now needs to coerce two parties, not one, again increasing the time and risk involved for them.

War story: while a student, my car was stolen twice in a year and joyridden round the town. I fitted a flashing red led, it was never touched again - deterrents work to keep the bear moving along.

 
 

If you are warned about 50 security vulnerabilities (which don't end up being actual vulnerabilities), what is the likelihood that you will pay attention to the next alert?

This is the main problem I have with most dependency security checkers. Even the expensive tools like BlackDuck, JFrog XRay, Nexus IQ report way too many false positives. It's not worth the huge license fees.

I work on a big Java enterprise application. We make a lot of use of parts of big frameworks. All tools I've tried report security issues on parts of the framework we do not depend upon. Just because I use Spring Framework does not mean I use Spring MVC. They are different components which are explicitly different dependencies. It's not like the case if Commons Collectiins where a security bug exists in the package, but we simply do not use that code.

 

Yeah, that is a problem and one we are still hacking on.

There are three ways we try to address it, but there is definitely room to improve.

  1. We make it possible to 'ignore' those kinds of vulnerabilities. Basically, you can review it once and dismiss it without addressing it because it isn't relevant to you and then it doesn't obscure the information that is relevant.

  2. Snyk have a research team that curates our database. Basically they have removed some general false positives and add metadata to other vulnerabilities to help you make a conscious decision whether something needs to be fixed or isn't relevant to you.

  3. Also, we have a product that can monitor an application that is up and running, and let you know if you are calling a function, etc that is compromised. Then it is much easier to prioritize what you are going to fix. It is obviously not the solution for everyone, but I am excited to see where it goes.

 

Great write up! As someone who uses Snyk, the cli is easy to use, but please pass on the message for adding Gradle support for the Intellij IDEA plugin. 🙏

 

I think this is on our roadmap, but I will pass it along regardless. Expanding support for IDEs is definitely something we want to do!

 

Remember, you are trying to outrun your peers, not the bear.

This truly summarizes security in today's world.

The bear will always to chasing. Just don't be the last in line closest to bear.

code of conduct - report abuse