If it's an automated scan, I'd be skeptical. Currently dealing with some overzealous security folks who put adherence to their scan tool over common sense, and insist that we lock down Oracle PL/SQL vulnerabilities in an application that doesn't use any flavor of SQL...
I absolutely hate these kinds of "security" scans.
I once worked with a company that started using one of these. They said our "vulnerability scores" were significantly too high.
I looked at the report, turns out they were just looking at HTTP headers and throwing up every CVE that matched any version numbers they found. (One of the "worst offenders" on the system was a CVE about a vulnerability in PHP when using "magic quotes", a part of PHP that hadn't been used in many years, and our application never used)
We were officially instructed that the fix would be to hide the PHP and apache version numbers from the headers.
If I were the one running that scan, and someone "fixed" the problem by just hiding the version numbers, I'd be calling for that person to be fired for trying to hide the problem. But here they were instructing us to do just that. And once we did, the system was marked "secure"...
As annoying as that sort of ignorance is, I would say it's marginally better than the opposite attitude that security scanners are bullshit and therefore unnecessary. The fact is, scanners turn up real issues that slip through whatever manual patching process you have set up.
My feeling is similar to when I started unit testing aggressively a decade ago: it seems like this should be unnecessary, but every time I do it it never fails to pay dividends.
There was a fund raising website written 15 years ago that a team I was on was responsible for (I never actually worked on it).
There were fraudulent credit card donations for $1 which became really obvious when the zip code was garbage.
The “solution” was to disabled the credit card page until the month of the fund raising event when it was enabled again in hopes of the scammers would not try during that month.
That's not always what is going on. In some cases unscrupulous operators will run through large numbers of $1 transactions in order to lower their chargeback rate.
Scanning for vulnerable components is different. All the tool has to do is find out the site is using the specific library, the vulnerabilities themselves are manually validated.
It's a liability thing. If you get hacked after "addressing" all the vulnerabilities, its not your fault - its the scan tool's fault. Utter bull shit, but hey.
Needs some significant clarification on what it means to be 'vulnerable'. As an example, many static sites (such as blogs) can use jQuery, that doesn't necessarily mean there is an attack vector for those blogs or their visitors.
We run nsp on our production services in CI before merge. The number of false positives I have tracked down is infinitely higher than the number of vouln's found. I literally mean this, we have never seen one disclosure which resulted in a viable attack on our production services.
For example, recently a bunch of ReDOS voulns were reported in popular libraries. None of which were in code paths hit by our configurations.
So needless to say, I think this is a sensationalist headline.
I think it's an absolute statement about the lack of awareness to this risk.
Of course some of these site would not actually be vulnerable, but I would bet the vast majority of them don't even know they're using a library with a known vulnerability.
Agreed, but the tools (nsp) are there to make it simple to know. Devs who are not going to update/patch are not the target here, so making big claims like this does not strongly add to the conversation IMO.
Also, this is nothing new on the web, the amount of wordpress sites with known voulns is probably MUCH higher.
NOTE: I am NOT saying we have had no security voulns. Just that the snyk and nsp disclosures on packages do not mean that those applications are vulnerable.
Just because the library has a vulnerable code path doesn't mean the site itself is vulnerable. Especially with libs like jQuery, where there are many many functions.
The information "77% of 433,000" contains the sample size number (433k). "100% of 333,410" does not contain a sample size number. The lack of the sample size number makes the data (and title) less meaningful. I'd go as far saying it makes the data (and title) meaningless.
Their wording means "we checked X sites and 77% of them met some criteria", which can be extrapolated to higher values of X (assuming the proper statistical care is taken, etc).
Your wording implies the same, but that's not good because you can't extrapolate to a larger X. You chose the sites after knowing they already met the criteria, and that changes the meaning.
This means nothing unless they mention what the vulnerabilities are. We do security scans on our front-end javascript code as well; most of the hits we get are for "log injection". Meaning, we have a console.log somewhere and someone could fake our logs by overriding the output. Wow, such vulnerability!
I looked at what it would take to upgrade our Angular 1.5 to 1.6: weeks worth of trying to untangle dependency hell and testing. For a minor version number upgrade. Let's not pretend it's only the consumers of these libraries that are lagging. A lot of these libraries are maintained by teams who have no business maintaining software, open source or not. They can release all the security patches they want, it won't make a difference if their new version isn't backwards compatible (obviously Angular is egregious and by far the worst I know of where even their minor version numbers have huge incompatibilities, not to mention 3 major version releases in 11 months).
Even if we have better tooling to make updating dependencies easy, there's still the fact that there's a lot of applications in production that are not maintained. If there are no maintainers there will be no updates..
Of course this is click bait. But of course most companies don't invest what they should in website maintenance, code reviews, security audits, and upgrades. I'm OK with some clickbait if it helps raise awareness of the need for more recurring investment in technology.
> One of the discoveries the report mentions is that an analysis of around 433,000 sites found that 77% of them use at least one front-end JavaScript library with a known security vulnerability.
Does that even matter? No Front-End JS Library should actually make your backend vulnerable.
Not really. CORS headers are set by the destination of the XHR. In the case of XSS it would be an attacker controlled server used to exfiltrate user cookies, etc.
And there is a pretty good chance of that happening in most JS projects.
Anywhere you take or show input from the user (an input box, a URL query, displaying data stored by some other system on the DB, etc...) could be a vector for an XSS attack.
And it's not just data passed to JS, but data passed to HTML or any data that could make it's way into CSS in many cases!
> No Front-End JS Library should actually make your backend vulnerable.
FUD. Most SPAs keep the authentication token accessible to JavaScript so it can be sent to the API server. And XSS in the FE JS can permit an attacker to steal the user's authentication token and then the attacker could impersonate the user and take any action as the user.
Only if your front end is SPA and backend just serves through data via api. even in that case, xss in front-end can compromise admin's web sessions to pivot into backend services.
Is it better for a website to roll its own insecurity? I'd a lot rather people use libraries with significant adoption — hopefully being aware of and avoiding any security problems they may include — than write their own version where the security problems will never be exposed, at least for good.