Securing open source libraries : managing vulnerabilities in open source code packages
Author: Guy Podjarny
- Publisher: O’Reilly Media
- Year: 2019
- Language: English
- Pages: 79
- Category: Library
Table of Contents
Cover
Copyright
Table of Contents
Introduction
Chapter 1. Known Vulnerabilities in Open Source Packages
Vulnerabilities in Reusable Products
Vulnerability Databases
Common Vulnerabilities and Exposures (CVE)
Common Platform Enumeration (CPE)
Common Weakness Enumeration (CWE)
Common Vulnerability Scoring System (CVSS)
Known Vulnerabilities Outside CVE and NVD
Unknown Versus Known Vulnerabilities
Responsible Disclosure
Summary
Chapter 2. Finding Vulnerable Packages
Taxonomy
Known Vulnerability Versus Vulnerable Path
Testing Source Versus Built Apps
Finding Vulnerabilities Using the Command Line
Finding Vulnerabilities in SCM (GitHub, BitBucket, GitLab)
Granting Source Code Access
Finding Vulnerabilities in Serverless and PaaS
Finding Vulnerabilities in Containers
Scanning Registries
Scanning Base Images
Scanning Packaged Container Apps
Finding Vulnerabilities in the Browser
Vulnerable Component Versus Vulnerable Apps
Summary
Chapter 3. Fixing Vulnerable Packages
Upgrading
Major Upgrades
Indirect Dependency Upgrade
Conflicts
Is a Newer Version Always Safer?
There Is No Fixed Version
Patching
Sourcing Patches
Depend on GitHub Hash
Fork and Patch
Static Patching at Build Time
Dynamic Patching at Boot Time
Other Remediation Paths
Removal
External Mitigation
Log Issue
Remediating Container Vulnerabilities
Rebuild as a Remediation
Reaching Zero Vulnerabilities
Remediation Process
Ignoring Issues
Fix All Vulnerable Paths
Track Remediations Over Time
Invest in Making Fixing Easy
Summary
Chapter 4. Integrating Testing to Prevent Vulnerable Libraries
When to Run the Test?
Blocking Versus Informative Testing
Failing on Newly Added Versus Newly Disclosed Issues
Platform-Wide Versus App-Specific Integration
Integrating Testing Before Fixing
Summary
Chapter 5. Responding to New Vulnerability Disclosures
The Significance of Vulnerability Disclosure
Setting Up for Quick Remediation
Monitoring Which Dependencies Your Apps Are Using
Source Code Management Platform Integration
Monitoring Deployed Code
Integrating into Continuous Deployment
Getting a Feed of Vulnerability Notifications
CVEs Are Not Enough
Early Notifications
Automating Matching and Notification
Who You Should Notify and How
Automating Remediation Steps
Breaking a Build on a New Vulnerability
Becoming Vulnerable Due to Dependency Chain Updates
Summary
Chapter 6. Choosing a Software Composition Analysis Solution
Choose a Tool Your Developers Will Actually Use
Aim to Fix Issues, Not Just Find Them
Verify the Coverage of the Vulnerability DB
Ensure Your Tool Understands Your Dependencies Well
Secure Containers with a Developer Perspective
Choose the Tool That Fits Tomorrow’s Reality Too
Chapter 7. Summary
About the Author