
Proactive AppSec continuous vulnerability management for developers and security teams

Barbara Streisand
Release: 2024-10-03 11:32:29

What are some of the growing cybersecurity risks in the modern software development landscape that keep CISOs busy?

Developers and security teams face an ever-increasing array of threats, from sophisticated supply chain attacks on open source and vendor-controlled components to vulnerabilities introduced by AI-generated code, such as prompt injection and insecure code suggested by GitHub Copilot. The complexity of modern applications, which often rely heavily on open source components (such as those you find on npm, PyPI, or RubyGems) and containerized deployments, adds to the challenge.

Given the scale and complexity of these risks, automating vulnerability management has become essential. Manual cybersecurity processes simply cannot keep up with the volume and velocity of potential vulnerabilities and software development. Automation not only speeds up the identification and remediation of security issues but also ensures that these processes, followed routinely by security teams, are consistently applied across all stages of the software development lifecycle.

The importance of continuous vulnerability management in specific domains

  • Increasing reliance on open-source components: Open-source components have become ubiquitous in modern software development. While these components accelerate development for application developers and help reduce costs, they also introduce significant security risks. High-profile supply chain attacks, like the XZ backdoor and the SolarWinds breach, have highlighted the potential for widespread damage when vulnerabilities in open-source dependencies and closed vendor-controlled components are exploited.
  • Growing use of AI-generated code in development: The rise of Generative AI (GenAI) in software development brings both opportunities and challenges. GenAI can significantly speed up coding tasks, but it can also introduce new vulnerabilities. AI-generated code may lack security considerations experienced developers typically include, leading to potential security gaps. One example of this is GitHub Copilot introducing an XSS in React.
  • Rapid growth of containerized applications: Containerized apps have become the norm for deploying modern software. Containers offer numerous benefits, including consistency across environments and ease of scaling. However, they also introduce new security challenges, particularly in managing the vulnerabilities within container images. Developers can use help in learning how to choose the best container image and general container pro-tips, but automating the detection and remediation of Docker container image vulnerabilities is a must.

Let’s break these down a bit further… Another example of a high-profile supply chain attack is the attack on Codecov, where attackers gained access to sensitive data by exploiting vulnerabilities in a popular code coverage tool. A developer’s routine includes managing the risks associated with open-source dependencies. Open-source dependencies can introduce both direct and transitive vulnerabilities into your codebase. Direct vulnerabilities are found in the libraries you explicitly include, while transitive vulnerabilities exist in the dependencies of those libraries. Managing these risks manually is daunting, making automation a critical component of a robust security strategy.

With GenAI, AI code assistants like GitHub Copilot or ChatGPT can introduce real vulnerabilities. GenAI can inadvertently introduce insecure coding practices or fail to recognize context-specific security requirements. For example, an AI model might generate code vulnerable to SQL injection or cross-site scripting (XSS) attacks. Monitoring and securing AI-generated code is therefore crucial to maintaining application security.

The complexity of keeping up with new container vulnerabilities doesn’t escape security teams either. The rapid pace of new container vulnerabilities can be overwhelming. Each new vulnerability requires timely identification and remediation to prevent potential exploits. This complexity necessitates automated solutions with security expertise to manage container security effectively.

Container vulnerabilities can have a significant impact on the overall security of your applications. A single vulnerable container image can compromise the entire application stack. Tools like Snyk Container automate the process of identifying and remediating vulnerabilities in container images. Snyk Container can suggest new base image tags that minimize vulnerability counts and automate Pull Requests to update your code repositories.

How do we mitigate all of these AppSec cybersecurity threats?

Proactive AppSec and continuous vulnerability management with Snyk

To mitigate the risks associated with AI-generated code, consider using a tool such as Snyk Code. This fast SAST tool, powered by Snyk DeepCode AI, integrates directly into the developer's IDE through a plugin. It is trained on security-specific data to identify vulnerable and insecure code, ensuring that issues are found and addressed early in development.

Getting started with Snyk DeepCode AI is simple. The plugin supports popular IDEs such as Visual Studio Code, IntelliJ IDEA, and PyCharm.

A quick guide to installing and integrating Snyk DeepCode AI in Visual Studio Code

  1. Install the Snyk extension:
  • Open Visual Studio Code.
  • Navigate to the Extensions view by clicking the Extensions icon in the Activity Bar on the side of the window.
  • Search for "Snyk" and click "Install" on the Snyk extension.
  2. Authenticate with Snyk:
  • After installation, you will be prompted to authenticate with your Snyk account.
  • Follow the on-screen instructions to log in or sign up here.
  3. Enable Snyk DeepCode AI:
  • Once authenticated, navigate to the Snyk view in the Activity Bar.
  • Enable Snyk DeepCode AI to start scanning your code for vulnerabilities.

Once installed, the Snyk logo in the sidebar will show the vulnerabilities and security issues found in your open-source dependencies, in your own code (or code generated by GenAI), and in your IaC.


Advantages of SAST tools for developers in identifying insecure code patterns in the IDE

  1. Real-time feedback: As you write code, Snyk DeepCode AI analyzes it in real time and provides immediate feedback on potential security issues. This lets developers address vulnerabilities before they become entrenched in the codebase.
  2. AI-driven insights: The AI model is trained on a large dataset of security-specific data, enabling it to recognize insecure coding patterns, including those introduced by GenAI or by poor programming practices.
  3. Seamless integration: By integrating directly into the IDE, Snyk DeepCode AI fits naturally into the developer's workflow, minimizing disruption and maximizing productivity.

Let's look at an example of mitigating a vulnerability introduced by GenAI. In this project I used GitHub Copilot to autocomplete code that creates an Express POST endpoint route to query the OpenAI API and then sends the response to the browser with res.send().

But what if the response in this payload is rendered directly in the browser? If this request is sent with the default text/html content type header, a cross-site scripting vulnerability will affect the running application. What can we do about it?

As you can see in the comment above line 31, Snyk suggests a fix for this security issue. I clicked it, and within seconds the Snyk DeepCode AI extension proposed a mitigation that replaces res.send() with res.json, as shown below:

res.json(response.choices[0].message.content);


With this change, the Express application forces the content type of the response to application/json, which is treated as generic text and can safely carry text such as alert().
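The before/after from the route above, as an added example that is not code from the original post: the FakeResponse class is an assumed stand-in that mimics Express's res.send()/res.json() content-type behaviour so the handlers run offline, and the model reply is constructed sample data.

```javascript
// Added example, not code from the original post. FakeResponse is a stand-in for
// Express's response object so the handlers run offline without installing express;
// it mirrors the behaviour the post relies on: res.send() of a string defaults the
// Content-Type to text/html, res.json() serialises and labels the body as JSON.
class FakeResponse {
  constructor() { this.headers = {}; this.body = undefined; }
  set(name, value) { this.headers[name.toLowerCase()] = value; return this; }
  send(body) {
    if (typeof body === 'string' && !this.headers['content-type']) {
      this.set('Content-Type', 'text/html; charset=utf-8');
    }
    this.body = body;
    return this;
  }
  json(obj) {
    this.set('Content-Type', 'application/json; charset=utf-8');
    this.body = JSON.stringify(obj);
    return this;
  }
}

// Constructed model output: a chat completion whose text happens to carry markup,
// shaped like the OpenAI response object the post's fix indexes into.
const MODEL_REPLY = 'Sure, here you go: <script>alert(1)</script>';
const completion = { choices: [{ message: { content: MODEL_REPLY } }] };

// Before: the Copilot-generated route body. A string body is served as text/html,
// so a browser renders the model's output as a document and runs any script in it.
function vulnerableHandler(res, response) {
  return res.send(response.choices[0].message.content);
}

// After: the fix Snyk proposed. The body is JSON-encoded and labelled
// application/json, so the browser treats it as data, not as a page to render.
function fixedHandler(res, response) {
  return res.json(response.choices[0].message.content);
}

// Regression check for a test suite: would a browser render this response as HTML?
function rendersAsHtml(res) {
  return (res.headers['content-type'] || '').startsWith('text/html');
}

const before = vulnerableHandler(new FakeResponse(), completion);
const after = fixedHandler(new FakeResponse(), completion);
console.log('res.send():', before.headers['content-type'], 'renders as HTML:', rendersAsHtml(before));
console.log('res.json():', after.headers['content-type'], 'renders as HTML:', rendersAsHtml(after));
```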

By leveraging Snyk in the IDE, developers can proactively identify and mitigate vulnerabilities with the underlying Snyk DeepCode AI engine, ensuring their code is secure from the start. This proactive approach to application security is essential in today's environment, where the risks associated with the open-source supply chain and GenAI-generated code are ever present.

Automating dependency management with Snyk Open Source

Snyk Open Source is a powerful tool designed to help developers and security teams manage the risks associated with open-source dependencies. As reliance on open-source libraries grows, the need for robust, automated dependency management has become more pressing than ever. Snyk Open Source provides comprehensive vulnerability scanning and remediation, ensuring your projects remain secure and compliant.

In my earlier Node.js application I also used the SQLite dependency, and Snyk alerted me to a security issue, as shown below:

This vulnerability information is helpful to understand which transitive dependency is introducing the security risk and how to mitigate it, if at all possible. In this case, the transitive dependency inflight is detected to have a medium vulnerability.

Snyk detects that my lockfile and dependencies are potentially out of date, so it can't find a remediation path. However, let's see the automation in practice when we import the GitHub code repository into Snyk. Doing so shows the following information in the Snyk application:

From this point on, Snyk will automatically open new Pull Requests to suggest dependency upgrades when security vulnerabilities are detected in my package manifest.

Managing dependencies is not just about the libraries you directly include in your project. Transitive dependencies—those pulled in by your direct dependencies—can also introduce vulnerabilities. Snyk excels at identifying and remediating vulnerabilities in both direct and transitive dependencies.

Consider the following scenario:

{
  "dependencies": {
    "express": "^4.17.1",
    "lodash": "^4.17.20"
  }
}


In this example, express and lodash are direct dependencies. However, express might have its own set of dependencies, which in turn might have their own dependencies. Snyk will traverse this entire dependency tree, identifying and addressing vulnerabilities at every level.
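An added example, not from the original post or from Snyk, of the traversal described above: it walks an npm lockfile's packages map, classifies each package as direct or transitive with the path that introduces it, and matches installed versions against an advisory list. Everything beyond the express and lodash manifest entries, including the advisory, is constructed sample data.

```javascript
// Added example, not code from the original post or from Snyk. It walks an npm lockfile
// (lockfileVersion 2/3 "packages" map) from the root manifest, labels each package direct or
// transitive with the path that pulls it in, and flags matches against an advisory list.
// Everything beyond the express/lodash manifest entries is constructed sample data.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { dependencies: { express: '^4.17.1', lodash: '^4.17.20' } },
  'node_modules/express': { version: '4.17.1', dependencies: { 'sample-lib-a': '^1.0.0' } },
  'node_modules/sample-lib-a': { version: '1.0.3', dependencies: { 'sample-lib-b': '^2.0.0' } },
  'node_modules/sample-lib-b': { version: '2.0.1' },
  'node_modules/lodash': { version: '4.17.20' },
} };
const SAMPLE_ADVISORIES = [{ id: 'SAMPLE-ADVISORY-0001', name: 'sample-lib-b', vulnerable: v => v === '2.0.1' }];

// Lockfile entry that `name` resolves to when required from `fromKey`: npm's nested
// node_modules directories are checked first, then the top-level one.
function resolveKey(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx < 0 ? '' : base.slice(0, idx);
  }
}

// Breadth-first walk from the root; a package is recorded on first visit, so each
// entry carries the shortest dependency path that introduces it.
function analyzeLockfile(lock, advisories) {
  const pkgs = lock.packages, seen = new Map(), queue = [{ key: '', path: [] }];
  while (queue.length) {
    const { key, path } = queue.shift();
    for (const dep of Object.keys(pkgs[key].dependencies || {})) {
      const depKey = resolveKey(pkgs, key, dep);
      if (!depKey || seen.has(depKey)) continue;
      const version = pkgs[depKey].version, depPath = [...path, dep];
      const hits = advisories.filter(a => a.name === dep && a.vulnerable(version)).map(a => a.id);
      seen.set(depKey, { name: dep, version, direct: depPath.length === 1, path: depPath, advisories: hits });
      queue.push({ key: depKey, path: depPath });
    }
  }
  return [...seen.values()];
}

// Entries with a matching advisory, for a CI gate or a report.
function vulnerableDependencies(lock, advisories) {
  return analyzeLockfile(lock, advisories).filter(d => d.advisories.length > 0);
}
vulnerableDependencies(SAMPLE_LOCK, SAMPLE_ADVISORIES).forEach(f => console.log(
  `${f.direct ? 'direct' : 'transitive'} ${f.name}@${f.version} via ${f.path.join(' > ')}: ${f.advisories.join(', ')}`));
```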

When it comes to managing container vulnerabilities, Snyk Container helps remove the burden of keeping base image tags up-to-date with security patches.

Snyk Container is a comprehensive solution designed to help developers and security teams manage container vulnerabilities effectively. Containerized application workloads are prevalent in the enterprise, as is the need to secure these environments. Snyk Container integrates seamlessly into your CI/CD pipeline, providing continuous monitoring and proactive remediation of vulnerabilities in your container images.

One of the standout features of Snyk Container is its ability to automate the creation of Pull Requests to address vulnerabilities in your container images. This automation is a game-changer for both developers and security teams, as it significantly reduces the manual effort required to keep container images secure.

Here's an example of how Snyk Container might automate a PR to update a vulnerable package in a Dockerfile:

FROM node:14.1.0
RUN npm install express
COPY . /app
CMD ["node", "/app/index.js"]


When Snyk Container detects a vulnerability, it automatically generates a PR with the necessary changes to mitigate the issue. This could include updating a vulnerable package or applying a security patch. By automating this process, Snyk Container ensures that vulnerabilities are addressed promptly, reducing the window of exposure.

By following these recommended base images, you can significantly reduce the number of vulnerabilities in your container images, enhancing the overall security of your applications.

Snyk Container identified multiple vulnerabilities in this base image and automatically generated PRs to update the image and associated dependencies. The team was able to review and merge these PRs quickly, reducing their vulnerability count by over 30% within seconds by merging the Pull Request and ensuring the CI/CD pipeline tests pass with flying colors.

This proactive approach not only improved the security posture of their applications but also freed up valuable time for developers to focus on building new features rather than managing vulnerabilities.


source:dev.to