GitLab, a rival to Microsoft’s hosted git service GitHub, has for the second time tested the security of customers’ hosted software projects… and found them wanting.

The code storage and automation biz initially scanned hosted code for security issues in April. Having just just reprised its examination, the outfit has found there’s still work that needs to be done to reduce software vulnerabilities.

The biz’s second security trends report shows a surge in projects that integrate vulnerable code libraries.

“The percentage of projects finding issues with dependent libraries in use has significantly increased over the last year, from 26 per cent to 69 per cent,” said Wayne Haber, engineering director, in the report. “This reinforces that updating dependent libraries should be prioritized based on the risks those libraries pose.”

The habit of creating apps with libraries that depend on still smaller libraries has made managing modern software security difficult, to say the least, since a bug in a common dependency can become a widespread problem across multiple projects. The issue is particularly bad in the Node.js ecosystem.

As of August, the libraries with the most vulnerabilities (all distributed via npm) were:

  • Lodash: Object prototype pollution
  • Execa: OS command injection
  • Mixin-deep: Prototype pollution
  • Kind-of: Type checking
  • Sockjs: Cross-site scripting
  • Ajv: Improper input validation
  • Minimist: Improper input validation
  • Yargs-parser: Improper input validation
  • JQuery: 3rd party CORS request may execute
  • Dot-prop: Direct request forced browsing

Both Lodash and JQuery tend to feature prominently in security reports as a source of vulnerabilities. It doesn’t help that they’re both widely used and have gone long periods without updates.

Haber said the top three Common Weakness Enumerations (CWEs) – programming blunders that have the potential to lead to exploitable vulnerabilities – were:

  • CWE-20: Improper input validation, which enables injection attacks.
  • CWE-787: Out of bounds write of intended buffer, which enables remote code execution.
  • CWE-400: Uncontrolled resource consumption, which enables denial of service attacks.

There are a few bright spots, where “bright” means not getting worse or marginal improvement. The percentage of projects using containers with vulnerabilities, for example, has fallen from 52 per cent to 41 per cent. Also the percentage of projects with flaws found through static analysis has remained basically flat (from 49 per cent to 52 per cent).

At the same time, the sorts of flaws identified via static analysis seem like they should have been dealt with long ago, like passwords exposed in URLs, improper permissions for files, predictable pseudorandom number generation, and lack of cipher integrity checking.

If anything, GitLab’s report shows that there’s always going to be work for computer security professionals. ®

Source link