Barre Dijkstra

dear #appsec people, I'm curious how you deal with 3rd party dependencies. do you use a scanner that reports cves? manual audits? have external audits done?
and any difference in dealing with opensource and closed source libs?

and if you audit, how do you determine scope of which part to audit? you can determine the library code used, but that might change 1 commit later.

Jul 18, 2023 at 4:48pmWeb
Show threadKris HardyJul 18, 2023

@salp Two things: 1) a scanner that runs nightly as part of a CI pipeline for security tests (this picks up new deps issues on an ongoing basis), 2) a scanner that is integrated with the PR build pipeline so that each PR is checked before being merged (this checks the point in time when the Devs are touching the code which make fixes much easier).

Open source is checked against CVEs. Closed source is checked using SAST and SCA tools.

Show threadBarre DijkstraJul 18, 2023
@nonlinear do I understand correctly that you use dependency known vuln checks? so trusting the vulnerability db of the scanner provider is sufficient?
am I also right to assume the ci/cd scan is a sast?
Show threadKris HardyJul 18, 2023
@salp Yes, trusting the vuln db is sufficient for our use case. If we're really paranoid about a dependency, we'll also do a manual code audit, push the dependency to our private repo, and run SAST on each commit for that dependency. For our private code, the scan is SAST, SCA for any of its dependencies, plus peer review for each PR. If the change has possible security implications (changing auth, adding new API endpoints, etc) then the appsec team also reviews the PR.
Show threadBarre DijkstraJul 18, 2023
@nonlinear thanks for the response, I can imagine how hard you go on 3rd party sec if case dependent