Fact: up to 90% of a typical application's code consists of third-party components, most of them open source. That brings all sorts of security risks and problems with it. But since we cannot (and do not want to) stop using open source, it is important to stop ignoring those security concerns and start tracking the dependencies that are used in your software.
Software dependencies are often the biggest risk: because every application is assembled from many small components, a security flaw can enter from anywhere in that dependency tree, not only from the code you wrote yourself.
And even though many organizations assume that open-source code is more secure than commercial code, that is not automatically true. The open-source ecosystem is fragile, and a single widely used package can be attacked or abandoned. Several services tackle the problem, and here are the tools you should consider using for checking the security risks in your open-source dependencies.
Node Security Project
Node Security Project (NSP) works on Node.js modules and provides a command-line tool that scans a project's dependencies for known vulnerabilities. It tracks vulnerabilities using public databases as well as its own database, built by scanning NPM modules. Note that NSP was later acquired by npm, Inc. and its checks now live in the built-in npm audit command, so new projects should use that instead of the original nsp tool.
RetireJS
RetireJS is an open-source dependency checker specifically for JavaScript. It is easy to use and comes in several forms: a command-line scanner plus plugins for Chrome, Firefox, Grunt, Gulp, ZAP, and Burp. It pulls vulnerability information from the NIST NVD and from other sources such as bug trackers, mailing lists, and blogs, which matters because many JavaScript library bugs never receive a CVE and would otherwise be missed.
OSS Index
OSS Index extracts dependency information from NuGet, NPM, Maven Central, Chocolatey, Bower, and MSI, meaning it covers the .NET/C#, JavaScript, and Java ecosystems. It also offers a free vulnerability API. It currently draws its vulnerability information from the NIST NVD, with plans to add mailing lists, bug-tracking systems, and other databases.
Dependency-check
A well-maintained open-source command-line tool (OWASP Dependency-Check) that can run stand-alone or inside build tools such as Maven and Gradle. It supports .NET, Java, JavaScript, and Ruby and retrieves its vulnerability information only from the NIST NVD. Because it matches packages to NVD records by product identifiers rather than by exact package coordinates, expect some false positives that you will need to review and suppress.
Hakiri
A commercial tool that uses static code analysis to check the dependencies of Ruby and Rails projects. It has a free plan for public open-source projects and paid plans for private ones. Apart from the NVD, Hakiri uses the Ruby Advisory Database.
Snyk
Focused on JavaScript NPM dependencies, Snyk is a commercial service that detects vulnerabilities in JavaScript projects and helps fix them through open-source patches and guided upgrades. It maintains its own vulnerability database that aggregates data from the Node Security Project (NSP) and the NIST NVD.
Gemnasium
Gemnasium is a commercial tool that offers free plans and has its own vulnerability database drawn from several sources. Two features set it apart: an auto-update option and Slack integration. It supports Ruby, PHP, NPM (JavaScript), Python, and Bower. Gemnasium was later acquired by GitLab, and its scanning engine now lives on as part of GitLab's dependency scanning.
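Whatever their language coverage and data sources, every scanner above does the same two things under the hood: build an inventory of the exact package versions actually installed (including transitive ones), then match each entry against an advisory feed that expresses affected versions as ranges. The following added example, written for this page and not taken from any of the tools or vendors described, shows that core loop against a constructed package-lock.json (v1-style nested tree). The package names, versions, advisory IDs and titles are all made up for illustration and do not describe real vulnerabilities.

```javascript
// Added example: a minimal dependency scanner that walks a lockfile and matches
// installed versions against an advisory feed. Everything below is constructed
// sample data; none of the packages or advisories are real.

const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    // a direct dependency that pulls in a nested (transitive) copy of another package
    "example-markdown": {
      version: "1.4.2",
      requires: { "example-sanitizer": "^0.9.0" },
      dependencies: { "example-sanitizer": { version: "0.9.3" } }
    },
    "example-http": { version: "2.1.0" },
    "example-logger": { version: "3.0.1" }
  }
});

// Constructed advisory feed in the shape NSP / Ruby Advisory DB style feeds use:
// module name, vulnerable range, patched range. IDs and titles are fictional.
const SAMPLE_ADVISORIES = [
  { id: "EXAMPLE-0001", module: "example-sanitizer", vulnerable: "<0.9.5",
    patched: ">=0.9.5", title: "(fictional) XSS bypass in sanitizer" },
  { id: "EXAMPLE-0002", module: "example-http", vulnerable: ">=2.0.0 <2.1.3",
    patched: ">=2.1.3", title: "(fictional) header injection" },
  { id: "EXAMPLE-0003", module: "example-logger", vulnerable: "<2.0.0",
    patched: ">=2.0.0", title: "(fictional) format string bug" }
];

// Parse "MAJOR.MINOR.PATCH" into numbers; anything else is rejected loudly
// rather than silently treated as "not vulnerable".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Range grammar: comparators separated by spaces are ANDed; "||" separates
// alternative clauses, e.g. "<0.5.0 || >=1.0.0 <1.2.0".
function satisfies(version, range) {
  return range.split("||").some(clause =>
    clause.trim().split(/\s+/).filter(Boolean).every(term => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(term);
      const c = compareVersions(version, m[2]);
      switch (m[1] || "=") {
        case ">=": return c >= 0;
        case "<=": return c <= 0;
        case ">":  return c > 0;
        case "<":  return c < 0;
        default:   return c === 0;
      }
    }));
}

// Walk the nested lockfile tree so transitive dependencies are inventoried too,
// keeping the path that explains why each package is present.
function collectPackages(deps, path = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    out.push({ name, version: info.version, path: here });
    collectPackages(info.dependencies, here, out);
  }
  return out;
}

// Match every inventoried package against every advisory for that module.
function auditLockfile(lockfileText, advisories) {
  const lock = JSON.parse(lockfileText);
  const findings = [];
  for (const pkg of collectPackages(lock.dependencies)) {
    for (const adv of advisories) {
      if (adv.module === pkg.name && satisfies(pkg.version, adv.vulnerable)) {
        findings.push({ id: adv.id, name: pkg.name, version: pkg.version,
                        path: pkg.path.join(" > "), patched: adv.patched, title: adv.title });
      }
    }
  }
  return findings;
}

const report = auditLockfile(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES);
for (const f of report) {
  console.log(`${f.id}: ${f.name}@${f.version} via ${f.path} -> upgrade to ${f.patched} (${f.title})`);
}
```

Two points worth noticing. First, the scan reads the lockfile rather than package.json: the manifest's ^0.9.0 range says nothing about whether the vulnerable 0.9.3 or the fixed 0.9.5 was actually installed, so a scanner that only reads declared ranges cannot give a definite answer. Second, the transitive example-sanitizer copy is only found because the walk recurses into nested dependencies; a flat scan of top-level entries would report the app clean. Real tools add what this toy omits: prerelease and build-metadata handling, newer lockfile layouts, and a continuously updated advisory feed.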
TeamSecure
If you or your business does not have the technical knowledge to check the security of the dependencies used in your software, you can hire someone who does. Recruiting an in-house security specialist takes time and expertise, not to mention the financial cost. Teamsecure.io specializes in the recruitment of IT talent in all fields, but particularly in security. The team has access to thousands of IT experts across the world with skills in penetration testing, security code review, compliance, and managed security services. TeamSecure can also check whether there is a vulnerability in one of the dependencies you use. You can contact them with your needs to learn more about what they offer.