Why You Should Scan Packages in Ruby Applications

Know if Your Application is Safe. It’s critical!

Amrit Pal Singh
Level Up Coding



Introduction

Open source is the driving force behind most modern software. It is hard to imagine building any solution today without it, and developers rarely think twice before pulling in an open source package to solve a problem.

When you install a package, it runs in the context of your application. A malicious or vulnerable package can therefore have severe consequences, up to a compromise of your server. There have been instances of malware hidden inside open source packages.

As developers, we battle on many fronts every day. Open source libraries and packages come in handy, but any of them can carry vulnerabilities, and, being problem solvers, we rarely have time to read the source of the packages we pull in.

For example, there have been several reports of vulnerabilities found in Ruby gems.

In December 2020, RubyGems removed a couple of gems that contained malware. The issue was serious: the malicious code replaced any cryptocurrency wallet address found in the clipboard with an attacker-supplied one, so the attacker could divert the user’s transactions and steal the funds.

You can easily find a gem for the problem at hand just by Googling it. Typically, you look at the license and the number of stars on GitHub, then add the gem to your project. Developers rarely try to understand the gem’s code as long as it solves their problem.

In other words, you are running blind with open source packages if you have no insight into the vulnerabilities they bring.

Here are some threats, facts and numbers, and ways to mitigate your risks.

Major Threats

By using open source packages or gems blindly, you put yourself at risk. Several common mistakes can lead to an attack:

  • Using aging, unmaintained open source packages.
  • Underestimating the impact open source vulnerabilities can have.
  • Upgrading packages without understanding what changed.
  • Not using a tool to find the vulnerabilities that open source packages introduce into your application.

Facts and Numbers

The 2020 State of the Octoverse report gives great insight into the vulnerabilities that can harm you if you use the wrong package:

  • 17% of vulnerabilities are intentionally malicious. This shows that some malware is planted in open source packages deliberately. It also means that 83% of vulnerabilities are unintentional, but they are vulnerabilities all the same.
  • Many vulnerabilities go undetected for years.
  • Active Ruby repositories with a supported package ecosystem have an 81% chance of receiving a security alert within the next year.

Risk Mitigation

There are ways to mitigate such vulnerabilities before they hit you hard. They are simple, if somewhat tedious.

  • Regularly check the gems you use for vulnerabilities. Use a tool that can find vulnerabilities and malware and warn you.
  • Keep up with gem updates, as newer versions often fix known vulnerabilities.
  • If you have a fix, don’t forget to contribute it upstream. This will help others.
  • Build a monitoring system that watches for attacks against your back-end and raises an alert when you are under attack.

Tools

Many tools on the market scan open source packages, detect vulnerabilities, and reduce cyber risk through vulnerability remediation.

Here are a few of the popular tools in the market:

  • Vulcan: Vulcan orchestrates the remediation lifecycle. It finds vulnerabilities in open source components and fixes them as well.
  • AppTrana: AppTrana is a web application firewall. It scans web applications for vulnerabilities and also provides WAF, managed DDoS and bot mitigation services, and a CDN.
  • Netsparker: the Netsparker web application security scanner detects vulnerabilities such as SQL injection and cross-site scripting (XSS).

I have been using WhiteSource Diffend to find vulnerabilities in the packages I use in various projects, be it Ruby or any other language. The tool is used and trusted by many prominent organizations like Microsoft, Comcast, and Nokia. It’s also free, which is great.

Particularly for Ruby, whenever I add a new gem or update existing gems, I run WhiteSource Diffend to scan for vulnerabilities or malicious software.

I have found quite a few vulnerabilities using Diffend and so have been able to remove them and find alternatives before they hit production.

WhiteSource Diffend protects you from numerous kinds of attacks, like malicious takeovers, ATO attacks, makefile pollution, Bitcoin mining, accidental injections, etc.

Before updating the gems in your application, you can scan the changes and decide whether you want to upgrade or not.

At first, I started with the free version to see how useful it is. Since then, I have moved to the paid version, which provides a flexible pricing model.

Final Words

You cannot dismiss the vital role open source plays in software development today, but at the same time you should not ignore the vulnerabilities it can bring along. As open source adoption skyrockets, be diligent when adding new packages or gems or upgrading existing ones.

It is not easy for a developer to find vulnerabilities by hand, but various tools do the job for you. You can mitigate the risk by running them every time you add or upgrade a package or gem, and you get the best results when vulnerability scans are integrated into your CI/CD process.
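As an added example (not code from the article or from WhiteSource Diffend), here is a small Ruby checker that parses a Gemfile.lock, matches the locked versions against an advisory list, and compares two lockfiles so that only the gems an upgrade touches are reported, which is the pre-upgrade scan and CI gate described above. The advisory entries, gem names and lockfile excerpts are constructed for the example.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby
# Constructed advisory list (assumed format, not real advisories): a gem and
# the version requirements that mark a locked version as vulnerable.
ADVISORIES = [
  { gem: "example-rails", id: "CONSTRUCTED-0001", vulnerable: [">= 6.0.0", "< 6.1.5"] },
  { gem: "example-xml",   id: "CONSTRUCTED-0002", vulnerable: ["< 1.13.7"] },
  { gem: "example-auth",  id: "CONSTRUCTED-0003", vulnerable: ["< 1.0.0"] },
].freeze
# Constructed Gemfile.lock excerpts, before and after a bundle update.
OLD_LOCK = <<~LOCK
  GEM
    specs:
      example-rails (6.1.4)
        example-xml (>= 1.13)
      example-xml (1.13.6-x86_64-linux)
LOCK
NEW_LOCK = <<~LOCK
  GEM
    specs:
      example-auth (0.9.0)
      example-rails (6.1.4)
        example-xml (>= 1.13)
      example-xml (1.13.8-x86_64-linux)
LOCK

# Resolved gems sit at exactly four spaces of indent as "name (version)"; deeper
# dependency lines are skipped. A platform suffix ("-x86_64-linux") is dropped.
def parse_lockfile(text)
  text.each_line.each_with_object({}) do |line, gems|
    next unless (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
    gems[m[1]] = m[2].split("-").first
  end
end

# Every advisory whose vulnerable range covers the locked version.
def find_vulnerable(gems, advisories = ADVISORIES)
  advisories.filter_map do |adv|
    next unless (version = gems[adv[:gem]])
    req = Gem::Requirement.new(*adv[:vulnerable])
    { gem: adv[:gem], version: version, id: adv[:id] } if req.satisfied_by?(Gem::Version.new(version))
  end
end

# Pre-upgrade check: only advisories hitting gems the update changed or added,
# so a newly pulled-in vulnerable dependency is caught before the change lands.
def scan_upgrade(old_text, new_text)
  old_gems, new_gems = parse_lockfile(old_text), parse_lockfile(new_text)
  changed = new_gems.reject { |name, version| old_gems[name] == version }
  find_vulnerable(changed)
end
```

In CI, running `find_vulnerable(parse_lockfile(File.read("Gemfile.lock")))` and failing the build when the result is non-empty gives the gate the text recommends.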


Cloud Software Engineer | Product Development | I write about Tech and Travel | Profile https://bit.ly/3dNxaiK | Golang Web Dev Course - https://bit.ly/go-gin