Pengurusan kerentanan berterusan AppSec proaktif untuk pembangun dan pasukan keselamatan

Apakah beberapa risiko keselamatan siber yang semakin meningkat dalam landskap pembangunan perisian moden yang membuatkan CISO sibuk?

Pembangun dan pasukan keselamatan menghadapi pelbagai ancaman yang semakin meningkat, daripada sumber terbuka yang canggih dan serangan rantaian bekalan dikawal vendor kepada kelemahan yang diperkenalkan oleh kod yang dijana AI seperti suntikan segera dan keselamatan kod yang lemah oleh GitHub Copilot. Kerumitan aplikasi moden, yang sering sangat bergantung pada komponen sumber terbuka (seperti yang anda temui pada npm, PyPI atau RubyGems) dan penggunaan kontena, menambah cabaran. 

Memandangkan skala dan kerumitan risiko ini, mengautomasikan pengurusan kerentanan menjadi penting. Proses keselamatan siber manual tidak dapat bersaing dengan jumlah dan halaju potensi kelemahan dan pembangunan perisian. Automasi bukan sahaja mempercepatkan pengenalpastian dan pembetulan isu keselamatan tetapi juga memastikan proses ini, diikuti secara rutin oleh pasukan keselamatan, digunakan secara konsisten merentas semua peringkat kitaran hayat pembangunan perisian.

Kepentingan pengurusan kelemahan berterusan dalam domain tertentu

• Meningkatkan pergantungan pada komponen sumber terbuka: Komponen sumber terbuka telah menjadi wujud di mana-mana dalam pembangunan perisian moden. Walaupun komponen ini mempercepatkan pembangunan untuk pembangun aplikasi dan membantu mengurangkan kos, komponen ini juga memperkenalkan risiko keselamatan yang ketara. Serangan rantaian bekalan berprofil tinggi, seperti pintu belakang XZ dan pelanggaran SolarWinds, telah menyerlahkan potensi kerosakan yang meluas apabila kelemahan dalam kebergantungan sumber terbuka dan komponen dikawal vendor tertutup dieksploitasi.
• Penggunaan kod yang dijana AI yang semakin meningkat dalam pembangunan: Peningkatan AI Generatif (GenAI) dalam pembangunan perisian membawa kedua-dua peluang dan cabaran. GenAI boleh mempercepatkan tugas pengekodan dengan ketara, tetapi ia juga boleh memperkenalkan kelemahan baharu. Kod yang dijana AI mungkin kekurangan pertimbangan keselamatan yang biasanya disertakan oleh pembangun berpengalaman, yang membawa kepada potensi jurang keselamatan. Salah satu contoh perkara ini ialah GitHub Copilot memperkenalkan XSS dalam React.
• Pertumbuhan pesat aplikasi kontena: Aplikasi kontena telah menjadi kebiasaan untuk menggunakan perisian moden. Bekas menawarkan banyak faedah, termasuk konsistensi merentas persekitaran dan kemudahan penskalaan. Walau bagaimanapun, mereka juga memperkenalkan cabaran keselamatan baharu, terutamanya dalam menguruskan kelemahan dalam imej kontena. Oleh itu, pembangun boleh menggunakan bantuan dalam mendidik mereka tentang cara memilih imej kontena terbaik dan petua pro kontena umum, tetapi mengautomasikan kelemahan imej kontena docker adalah satu kemestian.

Mari kita pecahkan ini sedikit lagi... Satu lagi contoh serangan rantaian bekalan berprofil tinggi ialah serangan ke atas Codecov, di mana penyerang mendapat akses kepada data sensitif dengan mengeksploitasi kelemahan dalam alat liputan kod yang popular. Rutin pembangun termasuk mengurus risiko yang berkaitan dengan kebergantungan sumber terbuka. Kebergantungan sumber terbuka boleh memperkenalkan kedua-dua kelemahan langsung dan transitif ke dalam pangkalan kod anda. Kerentanan langsung ditemui dalam perpustakaan yang anda sertakan secara eksplisit, manakala kelemahan transitif wujud dalam kebergantungan perpustakaan tersebut. Menguruskan risiko ini secara manual adalah menakutkan, menjadikan automasi sebagai komponen penting dalam strategi keselamatan yang teguh.

Dengan GenAI, pembantu kod AI seperti GitHub Copilot atau ChatGPT memperkenalkan kelemahan sebenar yang berpotensi. GenAI secara tidak sengaja boleh memperkenalkan amalan pengekodan yang tidak selamat atau gagal mengenali keperluan keselamatan khusus konteks. Sebagai contoh, model AI mungkin menjana kod yang terdedah kepada suntikan SQL atau serangan skrip silang tapak (XSS). Oleh itu, pemantauan dan mendapatkan kod yang dijana AI adalah penting untuk mengekalkan keselamatan aplikasi. 

Kerumitan untuk mengikuti kelemahan kontena baharu juga tidak terlepas daripada pasukan keselamatan. Kepantasan kerentanan kontena baharu boleh menjadi sangat menggalakkan. Setiap kerentanan baharu memerlukan pengenalpastian dan pembaikan tepat pada masanya untuk mengelakkan potensi eksploitasi. Kerumitan ini memerlukan penyelesaian automatik dengan kepakaran keselamatan untuk mengurus keselamatan kontena dengan berkesan.

Kerentanan kontena boleh memberi kesan yang besar pada keselamatan keseluruhan aplikasi anda. Satu imej bekas yang terdedah boleh menjejaskan keseluruhan timbunan aplikasi. Alat seperti Snyk Container mengautomasikan proses mengenal pasti dan membetulkan kelemahan dalam imej kontena. Snyk Container boleh mencadangkan teg imej asas baharu yang meminimumkan kiraan kerentanan dan mengautomasikan Permintaan Tarik untuk mengemas kini repositori kod anda.

Bagaimanakah kita boleh mengurangkan semua ancaman keselamatan siber AppSec ini?

Proactive AppSec and Continuous Vulnerability Management with Snyk

To mitigate the risks associated with AI-generated code, consider using tools like Snyk Code. Powered by Snyk DeepCode AI, this fast SAST tool can be integrated directly into a developer's IDE through a plugin. It uses security-specific data training to recognize vulnerable and insecure code, ensuring that issues are identified and addressed early in development.

Getting started with Snyk DeepCode AI is straightforward. The plugin supports popular IDEs such as Visual Studio Code, IntelliJ IDEA, VS Code, and PyCharm. 

A quick guide to installing and integrating Snyk DeepCode AI in Visual Studio Code

1. Install the Snyk extension:

• Open Visual Studio Code.
• Navigate to the Extensions view by clicking on the Extensions icon in the Activity Bar on the side of the window.
• Search for "Snyk" and click "Install" on the Snyk extension.

1. Authenticate with Snyk:

• After installation, you will be prompted to authenticate with your Snyk account.
• Follow the on-screen instructions to log in or sign up here.

1. Enable Snyk DeepCode AI:

• Once authenticated, navigate to the Snyk view in the Activity Bar.
• Enable Snyk DeepCode AI to start scanning your code for vulnerabilities.

Once installed, the Snyk logo on the sidebar will feature vulnerabilities and security issues it found in your open-source dependencies, your own code (or GenAI-produced code), and IaC issues.

The benefits of SAST tools in identifying insecure code patterns right in the IDE for developers

1. Real-time feedback: As you write code, Snyk DeepCode AI analyzes it in real time, providing instant feedback on potential security issues. This allows developers to address vulnerabilities before they become ingrained in the codebase.
2. AI-driven insights: The AI model is trained on a vast dataset of security-specific data, enabling it to recognize insecure coding patterns, even those introduced by GenAI or poor programming practices.
3. Seamless integration: By integrating directly into the IDE, Snyk DeepCode AI fits naturally into the developer's workflow, minimizing disruption and maximizing productivity.

Let’s see an example of mitigating vulnerabilities introduced by GenAI. I used GitHub Copilot in this project to auto-complete the code which creates an Express POST endpoint route to query the OpenAI API and then used res.send() to send the response to the browser.

However, what if the response in this payload were to be rendered directly in the browser? If the default text/html Content Type header was used to send this request, a Cross-site Scripting vulnerability would impact the running application. What can we do about this?

Well as you can see in the annotation above line 31, Snyk proposes to fix this security issue. I clicked on it and within a few seconds, the Snyk DeepCode AI extension proposed a mitigation that replaced the res.send() with res.json as follows:

res.json(response.choices[0].message.content);

With this change, the Express application forces the content-type in the response to be application/json which is generic text and can allow for text such as alert().

By leveraging Snyk in their IDE, developers can proactively identify and mitigate vulnerabilities using the underlying Snyk DeepCode AI engine, ensuring that their code is secure from the outset. This proactive approach to application security is essential in today's environment, where the risks associated with open-source supply chains and GenAI-generated code are ever-present.

Automating dependency management with Snyk Open Source

Snyk Open Source is a powerful tool designed to help developers and security teams manage the risks associated with open-source dependencies. With the increasing reliance on open-source libraries, the need for robust and automated dependency management has never been more critical. Snyk Open Source provides comprehensive vulnerability scanning and remediation capabilities, ensuring that your projects remain secure and compliant.

In my previous Node.js application, I also use an SQLite dependency, which Snyk alerts me of a security issue as follows:

This vulnerability information is helpful to understand which transitive dependency is introducing the security risk and how to mitigate it, if at all possible. In this case, the transitive dependency inflight is detected to have a medium vulnerability.

Snyk detects that my lockfile and dependency is potentially out of date and so it can’t find a remediation path. However, let’s see the automation in practice when we import the GitHub code repository to Snyk. Doing so, shows the following information on the Snyk application:

From this point on, Snyk will automatically open new Pull Requests to suggest dependency upgrades when security vulnerabilities are detected in my package manifest.

Managing dependencies is not just about the libraries you directly include in your project. Transitive dependencies—those pulled in by your direct dependencies—can also introduce vulnerabilities. Snyk excels at identifying and remediating vulnerabilities in both direct and transitive dependencies.

Consider the following scenario:

{
  "dependencies": {
    "express": "^4.17.1",
    "lodash": "^4.17.20"
  }
}

In this example, express and lodash are direct dependencies. However, express might have its own set of dependencies, which in turn might have their own dependencies. Snyk will traverse this entire dependency tree, identifying and addressing vulnerabilities at every level.

When it comes to managing container vulnerabilities, Snyk Container helps remove the burden of keeping base image tags up-to-date with security patches.

Snyk Container is a comprehensive solution designed to help developers and security teams manage container vulnerabilities effectively. Containerized application workloads is prevalent at the Enterprise and as is the need to secure these environments. Snyk Container integrates seamlessly into your CI/CD pipeline, providing continuous monitoring and proactive remediation of vulnerabilities in your container images.

One of the standout features of Snyk Container is its ability to automate the creation of Pull Requests to address vulnerabilities in your container images. This automation is a game-changer for both developers and security teams, as it significantly reduces the manual effort required to keep container images secure.

Here's an example of how Snyk Container might automate a PR to update a vulnerable package in a Dockerfile:

FROM node:14.1.0
RUN npm install express
COPY . /app
CMD ["node", "/app/index.js"]

When Snyk Container detects a vulnerability, it automatically generates a PR with the necessary changes to mitigate the issue. This could include updating a vulnerable package or applying a security patch. By automating this process, Snyk Container ensures that vulnerabilities are addressed promptly, reducing the window of exposure.

By following these recommended base images, you can significantly reduce the number of vulnerabilities in your container images, enhancing the overall security of your applications.

Snyk Container identified multiple vulnerabilities in this base image and automatically generated PRs to update the image and associated dependencies. The team was able to review and merge these PRs quickly, reducing their vulnerability count by over 30% within seconds by merging the Pull Request and ensuring the CI/CD pipeline tests pass with flying colors.

This proactive approach not only improved the security posture of their applications but also freed up valuable time for developers to focus on building new features rather than managing vulnerabilities.

Atas ialah kandungan terperinci Pengurusan kerentanan berterusan AppSec proaktif untuk pembangun dan pasukan keselamatan. Untuk maklumat lanjut, sila ikut artikel berkaitan lain di laman web China PHP!