Even though the security of a project and its dependencies should be a priority throughout development, the number of vulnerabilities in applications, and of targeted attacks exploiting them, keeps rising every year. Fortunately, there are tools that help you uncover them.
Minimize risks for the user
As useful and sometimes necessary as third-party code is, it also brings security risks. One of the most recent widely reported cases was the package `1337qq-js`, which reportedly exfiltrated sensitive user files. Microsoft's security team alerted the community about the package, and it can no longer be installed from npm. This is only one of many smaller "attacks", which are also frequently aimed at stealing credentials to cryptocurrency wallets.
Setting aside targeted and often highly specific attacks, even code written in good faith can misbehave on particular user input or introduce other problematic behaviour into your project. According to one analysis, up to 59 % of vulnerabilities in open source software remain unfixed; for the remaining 41 %, the median time to a fix is 265 days.
Snyk: a lot of bang for the buck
Snyk is a developer-centric platform: besides a CLI and a web interface, it integrates with repository hosting services and CI/CD tools. In addition to analysing your project's dependencies for vulnerabilities, it can scan a Docker image and report vulnerabilities in its OS-level packages. Snyk also maintains a public vulnerability database, where you can look up, for example, the package mentioned at the beginning of this article.
Safety comes first
The security of a project and its dependencies is obviously a bigger topic than fits into one article. Both tools mentioned above, `npm audit` and Snyk, are however very simple to set up, and using them costs little time. They are an ideal starting point if you want a lot of bang for the buck, and they can be regarded as the necessary minimum.
At Ackee, we run `npm audit` in every project we are currently working on. If it finds a vulnerability of higher severity, the build fails and that version is never deployed. The project keeps running on the previous version, and before a new one can be deployed a developer has to resolve the security issue, for example by updating the affected dependency. For new open source packages we also use Snyk, for example in the cosmas project.
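The CI gate described above, as an added example that is not Ackee's or npm's own code: a small Node.js script that reads the JSON produced by `npm audit --json` and fails the build when any advisory is at or above a chosen severity threshold. The report embedded in it is a constructed sample with made-up package names, trimmed to the fields the gate reads; the field names (`vulnerabilities`, `severity`, `via`, `isDirect`, `fixAvailable`, `metadata.vulnerabilities`) follow the npm 7+ report format (`auditReportVersion` 2).

```javascript
// audit-gate.js: fail a CI build on npm audit findings at or above a severity threshold.
// Added example, not code from the original article.

// Severity levels exactly as npm audit names them, lowest to highest.
const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Constructed sample of `npm audit --json` output (auditReportVersion 2).
// Package names, advisory titles and counts are made up for illustration.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-left-pad": {
      name: "example-left-pad",
      severity: "moderate",
      isDirect: true,
      via: [{ title: "Regular Expression Denial of Service", severity: "moderate" }],
      fixAvailable: true,
    },
    "example-yaml-parser": {
      name: "example-yaml-parser",
      severity: "high",
      isDirect: false,
      // `via` mixes advisory objects and bare package names (transitive paths).
      via: [{ title: "Prototype Pollution", severity: "high" }, "example-config-loader"],
      fixAvailable: { name: "example-config-loader", version: "3.0.0", isSemVerMajor: true },
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0, total: 2 },
  },
};

function severityRank(severity) {
  const rank = SEVERITY_ORDER.indexOf(severity);
  if (rank === -1) throw new Error(`unknown severity: ${severity}`);
  return rank;
}

// Returns the advisories at or above the threshold, highest severity first,
// so the caller can both decide pass/fail and print what needs fixing.
function findBlockingVulnerabilities(report, threshold = "high") {
  const minRank = severityRank(threshold);
  const vulns = report.vulnerabilities || {};
  return Object.values(vulns)
    .filter((v) => severityRank(v.severity) >= minRank)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      // Keep only advisory titles; string entries are just package names on the path.
      titles: (v.via || []).filter((x) => typeof x === "object").map((x) => x.title),
      fixAvailable: Boolean(v.fixAvailable),
    }))
    .sort((a, b) => severityRank(b.severity) - severityRank(a.severity));
}

function shouldFailBuild(report, threshold = "high") {
  return findBlockingVulnerabilities(report, threshold).length > 0;
}

// When run directly with a path to a saved report, act as the CI gate:
//   npm audit --json > audit.json || true   # npm audit itself exits non-zero on findings
//   node audit-gate.js audit.json high
if (typeof require !== "undefined" && require.main === module && process.argv[2]) {
  const fs = require("fs");
  const report = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
  const blocking = findBlockingVulnerabilities(report, process.argv[3] || "high");
  for (const v of blocking) {
    const fix = v.fixAvailable ? "fix available" : "no fix yet";
    console.log(`${v.severity}\t${v.name}\t${v.titles.join("; ")}\t${fix}`);
  }
  process.exitCode = blocking.length > 0 ? 1 : 0;
}
```

For the simplest case, `npm audit --audit-level=high` already returns a non-zero exit code only for vulnerabilities at or above that level; the script adds a readable summary of what is blocking and whether a fix exists, and it works on a saved report, so the same file can be archived with the build. Snyk offers the equivalent threshold with `snyk test --severity-threshold=high`.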
Snyk focuses on building a security solution for developers who work with open source code. It addresses the vulnerabilities that developers inherit by reusing existing code from public repositories and other open source sources, so that teams working along DevOps principles can uncover them more easily.