11 min read

In the second of our three part blog series as we lead up to Christmas, the Meterian Team shares with you shortcuts to make the most out of what you already have.  

A library, component, piece of code is reusable when it can be re-used in different parts of the same or different project with minimal to no need of code modifications. 

Scanning for, identifying, and patching open source dependencies in an application’s codebase is known as dependency management. This is a critical part of modern software development since nearly 100% of codebases are made up of open source components. These dependencies can be directly used by your application or indirectly used through transitive relationships. You can imagine the number of connected components if your software codebase has hundreds of modules.

Many vulnerabilities remain, leaving software applications unsecured

In our analysis of 1310 website applications,  the most popular component with a security vulnerability was jQuery.  Out of 332 javascript components used across all the web apps,  81% of the components had a security vulnerability.  All of these vulnerabilities could be easily removed by simply upgrading to jQuery 3.5.1.  It’s great that software is reusable, but beware of the invisible stakeholder who preys on out-of-date components’ security holes.  Like fresh food, software components also have a “best before” date.  To get the most out of them before they go bad and become easy pickings for malicious bot-scripts of hackers, keep your code’s dependencies up to date. This is best done programmatically rather than manually.

Neither software development nor cybersecurity teams can keep up with all the changes and fixes required to keep the code performant and secure. Therefore, knowing how to leverage the right tools to detect and patch in a timely manner can make a difference in preventing a cyber breach spoiling a company’s business and reputation. In a Ponemon study last year:

• 60% of respondents said their organisations suffered a breach due to an unpatched known vulnerability where the patch was not applied
• 62% were unaware that their organisations were vulnerable prior to the data breach
• 52% of respondents said their organisations were at disadvantage in responding to vulnerabilities because they use manual processes

Earlier this year another Ponemon report highlighted the need for a programmatic approach to managing vulnerabilities as unpatched known vulnerabilities remain a significant risk: “Over six months, an average of 28% of vulnerabilities remain unmitigated, and organizations have a backlog of 57,555 identified vulnerabilities.” Remember, even just one vulnerability exploited could lead to a cyber breach. Furthermore, 60% of open source programs audited had a vulnerability that’s already been patched.

For this blog, we present the top 3 most popular components found from our survey of 1310 web applications past their “best before” date. Below are recommended substitutions for an alternative or updated component that is vulnerability free so you can #BoostOpenSourceSecurity in your software applications:

• jQuery 1.12.4  -> Please update to jQuery 3.5.1

 1 high level threat:  Affected versions of jquery interpret text/javascript responses from cross-origin ajax requests, and automatically execute the contents in jQuery.globalEval, even when the ajax request doesn't contain the dataType option. 
 Recommendation: Update to version 3.0.0 or later. 

• handlebars.js 4.0.11 ->  Update handlebars module to version >=4.6.0

 1 high level threat: Versions of handlebars prior to 3.0.8 or 4.5.3 are vulnerable to prototype pollution. It is possible to add or modify properties to the Object prototype through a malicious template. This may allow attackers to crash the application or execute Arbitrary Code in specific conditions.
 1 medium level threat: Affected versions of handlebars are vulnerable to Denial of Service. The package's parser may be forced into an endless loop while processing specially-crafted templates. This may allow attackers to exhaust system resources leading to Denial of Service.. Recommendation: Upgrade to version 4.4.5 or later. 

• Twitter-bootstrap 3.x.x (3.3.7)  -> update to the next safe version 3.4.1

 1 high level threat: XSS in data-template, data-content and data-title properties of tooltip/popover
 1 medium level threat: In Bootstrap before 3.4.0,  XSS  (cross site scripting) is possible in the affix configuration target property. 

Remains of the day

At the end of the day, updating your application’s dependencies is easy if you know what to look out for, when to apply the update, and have an automated workflow to help you do this consistently and at scale.  Finding the right combination of open source components to help speed and secure your development is one example of how “Necessity is the mother of invention.” Meterian speeds up the task of keeping your open source dependencies up to date easily and continuously so developers can focus on the main course of innovating securely.

In the spirit of giving this Christmas and to fuel the creative cooks out there (perhaps you or that important person in your life who always makes sure a delicious meal is ready for you at dinner time!), here’s how to use leftover Christmas veg to make two speedy suppers:

Linguine with with cavolo nero and bacon

Serves: 4
Prep time: 10 minutes
Cooking time: 20 minutes

Ingredients
400g linguine
olive oil
6 slices smoked streaky bacon, cut into 1cm or bite size pieces
1 tbsp olive oil
2 shallots, finely chopped
2 garlic cloves, crushed
300g cavolo nero, hard stalks removed, and roughly chopped (shortcut: blitz the shallots, garlic and cavolo nero leaves in food processor until finely chopped)
75ml double cream (optional)
2 egg yolks
¼ nutmeg, freshly grated
50g parmesan cheese, finely grated
salt & freshly ground black pepper 

Tip: No cavolo nero?  Don’t get stuck in a rut.  Try any slightly bitter green veg, such as brussels sprouts, broccoli, broccolini, gai lan, or rapini.  All lend a lovely nutty flavour balanced with the delightful pungence of parmesan cheese and black pepper.

 Instructions
 Cook the linguine in a pan of boiling, salted water following the pack instructions. Meanwhile, heat some olive oil in a large frying pan, and cook the bacon for a couple of minutes. Add the shallots and garlic cloves, and finely chopped cavolo nero to stir-fry with the bacon.  After 3-4 minutes,  take off the heat.
Mix the cream and egg yolks with with the nutmeg, ⅔ of the cheese and some black pepper.
Put the bacon and veg stir fry back on the heat, add a little of the pasta cooking water and simmer down to 2 tbsp.
Drain the cooked pasta, and add the pasta to the pan with the cavolo nero-bacon and cream mixture. Next add the remaining grated parmesan cheese, and season with more salt and pepper to taste. 

Cod, Chorizo and Potato Stew

Serves: 4
Preparation time:10 minutes
Cooking time:30 minutes

Ingredients
110g chorizo, cut into 2cm slices
1 onion, sliced
1 garlic clove, crushed
4 potatoes
1 can of chopped tomatoes (220-250g)
500ml fish stock
600g frozen cod fillets, defrosted and cut into 3 - 4cm chunks
20g flat leaf parsley, chopped

Instructions
1. Heat a large pan over a medium heat and cook the chorizo for 2 - 3 minutes, then remove from the pan and set aside. Drain all but 1 tbsp of fat from the pan and use to cook the onion and garlic over a medium heat for 6 - 8 minutes until soft. Peel potatoes and cut into 3cm chunks.  Put the potatoes in the pan with the chorizo and cook for 3 minutes.
2. Add the tomatoes and fish stock, bring to the boil and simmer for 10 - 12 minutes until the potatoes are tender. Stir in the cooked chorizo. You can freeze the stew at this stage, letting it cool to room temperature first.
3. If cooking from frozen, defrost the stew overnight in the fridge or in a microwave, then reheat. Add the cod to the stew and simmer for 4 - 5 minutes until just cooked. Season and serve immediately, scattered with parsley.

“The evening’s the best part of the day. You’ve done your day’s work. Now you can put your feet up and enjoy it.”

― Kazuo Ishiguro, The Remains of the Day

The tools that boost your efficiency when your coding project has a handful developers may need to be very different from the software that keeps your project humming when you have 1,000 or more. We’ve designed Meterian to evolve with your application security tech stack as your software engineering and digital transformation needs evolve. If your open source dependency management system is not humming smoothly with your software development life cycle, or your open source components are decaying and reducing their life time value for the organisation, consider reusing and securing your software components with Meterian. Get in touch today.