Revelry engineering blog header image lightbulb twil this week i learned. Chalkboard style

#RevTWIL: Vulnerabilities – And How Technical Debt Accrues Interest

At Revelry, we believe in sharing and learning from one another (beliefs that are rooted in our Core Values). Among the many things we do to encourage internal knowledge exchange is to have a different team member present at each week’s Engineering Meeting. These presentations don’t have to be lengthy, formal, or complicated; in fact, many are brief, but also powerful in that they teach our Revelers something new, inspire conversation, and encourage collaboration.

In the spirit of sharing, we share our This Week I Learned presentations (aka RevTWILs”) here. We hope you find them helpful.

THIS WEEK: Software developer Sam Keer shares dependencies and his hero, Dependabot!:

Dependencies

  • Huge time savers that are reliable and documented
  • Frequently receive updates that ensure reliability and security
  • Updates may lead to incompatibility

“Dependencies are great. They’re tools other people have built, so we don’t need to roll out our own auth, forms, components, payment gateways, etc.; they’re ready to go right out of the box with varying levels of documentation. Frameworks and libraries are typically secure and well documented – but they aren’t always perfect.

“As dependencies are updated, or issues with existing dependencies are discovered, syntax and subdependencies can change. This can lead to incompatibility between the new dependency versions and the app that uses them.

“Vulnerabilities can be inherited through dependencies. Dependency incompatibility may require upgrades, patching, or finding replacement dependencies.”

Dependencies with Vulnerabilities

  • Major version change syntax updates can lead to incompatibility
  • Some older, less-frequently used dependencies don’t have many maintainers or may not have been updated in years
  • Gaps in documentation are common with older dependencies
  • Forums where implementations involving older dependencies have been discussed in the past may no longer exist

“For example: Dep x gets upgraded. Dep y depended on x. Dep y may (or may not) have been using the part of dep x that included a vulnerability. 

“As we know, the development process takes time, so dep y might depend on the version of dep x that includes a vulnerability for a while.

“Maybe this vulnerability was patched after a major version bump or two, but using the safe version requires massive syntax changes throughout the app.

“It may never be patched, leaving that patch up to us. Even if these are built well, they can be incredibly complex and time consuming to make sense of.

“Often, there isn’t a ton of documentation on what’s happening behind the scenes, and once someone begins patching packages, that code lives in an app – meaning solutions aren’t widely available, even if a bunch of people have had the same problem.

Our Hero: Dependabot!

  • Dependabot helps us know if our app includes dependencies with known vulnerabilities, and what we need to look out for immediately
  • Statuses and their meanings:
    • Critical: Attackers might be able to execute code or commands in the app, access data, or worse
    • High: Attackers CANNOT execute code or a command on the app, but can still execute script code in the user’s browser or steal the user’s cookies
    • Moderate: Attackers can access potentially sensitive information on the app
    • Low: Information leakage, configuration errors, or poor security measures

Examples of Vulnerabilities: Critical

Disclaimer: The specific examples are not always tied to the levels of concern. For example, Prototype Pollution is not always going to be a critical vulnerability; the criticality level concerns how these vulnerabilities can be leveraged.

  • Prototype pollution
  • Denial of Service
  • SQL Injection

“Prototype pollution: Setting properties through the URL without sanitization, properties get inherited by js objects throughout the app. Example: https://vulnerable-website.com/?__proto__[evilProperty]=payload

“Denial of service: Consume 100% of cpu and prevent server requests, including rendering. Sometimes Dependabot offers suggestions.

“SQL Injection: Text isn’t safely added to a query, allowing the user to execute code via the query.

Examples of Vulnerabilities: High

  • Cross site request forgery
  • Improper/Broken Access Control

“Cross site request forgery (CSRF) is a vulnerability where an attacker performs actions while impersonating another user. Examples: Transferring funds to an attacker’s account by changing a victim’s email address or redirecting your pizza delivery to my address

“Improper Access Control / Broken Access Control: Attackers can bypass app permissions, potentially giving attacker access to sensitive information

Examples of Vulnerabilities: Moderate and Low

  • Cross site scripting
  • Path Traversal
  • DDOS

“Cross site scripting: Injecting scripts into the app via methods or scripts that live in the browser

“Path Traversal: Potential for attackers to read the file system of an app

“DDOS: Potential for attackers to eat up cpu and memory

Are There Bigger Fish to Fry? 

Features are often prioritized, but if we wait too long on updates, we roll the dice on how difficult they may be further down the line.

  • Incremental = easier
  • Coverage makes upgrades (and features!) safer 
  • Compatibility
  • Monitoring version updates

“It’s easier to upgrade dependencies ASAP to keep changes incremental, reviewable, and QA-able – rather than excavating an app a decade later and doing archaeological research trying to figure out what someone on stack overflow meant by “this was an easy fix, take a look here: <dead link>” 6 years ago.

“Compatibility is no joke. A partner not being able to upgrade/fix their app easily, because it won’t build, can lead to unnecessary expenses and frustration.

“Dependabot can be catered to your app’s needs via settings or a dependabot.yml configuration file. If there is a safe, non-breaking version upgrade available, Dependabot can be configured to automatically open up a pull request, including a fix. If the suggested version upgrade might include breaking changes, Dependabot will provide an explanation of a suggested implementation / workaround solution or indicate the dependency version required to remove the vulnerability.

We're building an AI-powered Product Operations Cloud, leveraging AI in almost every aspect of the software delivery lifecycle. Want to test drive it with us? Join the ProdOps party at ProdOps.ai.