Open-source dependencies can introduce significant security risks
In a blog post, OpenSSF contributors wrote that, although the benefits of using open-source dependencies often outweigh the downsides, the incurred risks can be significant. “A simple dependency update can break a dependent project. Furthermore, like any other piece of software, dependencies can have vulnerabilities or be hijacked, affecting the projects that use them,” they added.
David A. Wheeler, director of open source supply chain security at the Linux Foundation, tells CSO the biggest security risk posed by developers’ use of open-source dependencies is underestimating the effects that vulnerabilities in both direct and indirect dependencies can have. “Flaws can crop up in any software, which can significantly impact the supply chain that uses it if care is not taken. Too often, many of the dependencies are invisible and neither developers nor organizations see all the layers to the stack. The solution isn’t to stop reusing software; the solution is to reuse software wisely and to be prepared to update components when vulnerabilities are found.”
However, developing an effective dependency security strategy can be challenging as it involves a different set of problems than most developers are familiar with solving, the blog read. The npm Best Practices guide is designed to aid developers and organizations facing such problems so they can consume dependencies more confidently and securely. It provides an overview of supply chain security features available in npm, describes the risks associated with using dependencies, and lays out advice for reducing risks at different project stages.
Dependency management key to addressing open-source risks
The guide focuses largely on dependency management, detailing steps developers can take to help mitigate potential threats. For example, the first step to using a dependency is to study its origin, trustworthiness, and security posture, the guide states. It advises developers to guard against typosquatting attacks, in which an attacker creates an official-looking package name to trick users into installing rogue packages, by identifying the GitHub repository behind the package and assessing its trustworthiness (number of contributors, stars, etc.).
Upon identifying a GitHub project of interest, developers should identify the corresponding package name and use OpenSSF Security Scorecards to learn about the current security posture of the dependency, the guide adds. Developers should also use deps.dev to learn about the security posture of transitive dependencies and npm-audit to learn about existing vulnerabilities in the dependencies of the project, the guide states.
Reproducible installation ensures that exact copies of dependencies are used each time a package is installed, which offers security benefits, the guide reads. These include quickly identifying which parts of the network are potentially compromised should a dependency turn out to have vulnerabilities, mitigating threats such as malicious dependencies, and detecting package corruption.
Developers should also use a lockfile, which implements hash pinning using cryptographic hashes, the guide added. “Hash pinning informs the package manager of the expected hash for each dependency, without trusting the registries. The package manager then verifies, during each installation, that the hash of each dependency remains the same. Any malicious change to the dependency would be detected and rejected.”
Ongoing maintenance of dependencies is important, too: periodic updates are key as new vulnerabilities are disclosed and patched. “In order to manage your dependencies, use a tool such as dependabot or renovatebot. These tools submit merge requests that you may review and merge into the default branch,” the guide read. To remove dependencies, developers should periodically run npm-prune and submit a merge request, it adds.
The guide also shares security guidance on package release/publishing and private packages from internal registries.