Revolutionizing Cybersecurity: An enhanced approach to protect software from security threats in open-source libraries

BaiChien Kao, published in Labs Notebook, Dec 13, 2023

Introduction:
Cyber threats increasingly stem from software dependencies, so maintaining robust security practices around those dependencies is paramount. One critical aspect of resilience is Software Composition Analysis (SCA) together with the timely upgrading of third-party packages. In this blog post, we explore how organizations can tackle these challenges. By combining call-path analysis with active monitoring of vulnerability databases as new entries are published, we can enhance security, mitigate risks, and build a stronger defense against potential vulnerabilities.

The Importance of Software Composition Analysis (SCA):

SCA involves analyzing the composition of applications and scanning for known vulnerabilities, outdated components, and security risks within third-party dependencies. This process generates a Software Bill of Materials (SBOM), which provides a detailed inventory of all the software components used in an application, including their versions and known vulnerabilities. By leveraging SCA and the SBOM, organizations can effectively track and manage their dependencies, identify and address vulnerabilities, and ensure a more secure software supply chain.

SCA challenges:

When integrating SCA into the CI/CD pipeline, we face two main challenges:

  1. SCA only pulls new vulnerability data at scheduled intervals. This means organizations detect newly released vulnerabilities only in their next scheduled Vulnerability Assessment cycle, which delays visibility of those vulnerabilities.
  2. Fixing open-source vulnerabilities typically means updating a package. Each package update costs developer time to verify that the update has not broken the workflow and to rerun deployment test cases.

Overcoming these challenges helps organizations move faster to remediation and more effectively track down and remove vulnerabilities in their applications.

Advantages and Impact:

Accenture Labs proposes to shift left and create a faster process for vulnerability detection. Our approach would monitor Vulnerability Databases in a near real-time window to instantly alert when a vulnerability is released for an open-source package leveraged by the organization’s applications. This is called an Automated Security Check process, which will enable us to shorten the detection time from months to hours.

Not only does this give organizations better visibility, it also expedites and improves the process for fixing open-source vulnerabilities. This new capability analyzes the code used in the application and predicts which packages can be upgraded to newer versions with fixed vulnerabilities without affecting the application's behavior. Additionally, it predicts which packages may require rework and traces the downstream effects of the package changes through the control flow, giving analysts targeted information on potential rework locations.

Our Approach:

  1. Create the Software Bill of Materials (SBOM):
    The approach at Accenture Labs starts with the foundation of open-source vulnerability management, the Software Bill of Materials (SBOM) for the targeted application repository. The SBOM provides a comprehensive inventory of all software components used in an application, including their versions and dependencies. An SBOM can be generated manually or with third-party tools.
  2. Enumerate correlated vulnerabilities:
    Our solution then connects to an Open-Source Vulnerability Database as a vulnerability reference source. The Open-Source Vulnerability Database provides a repository and feed of open-source CVEs in a human- and machine-readable data format, maintained in collaboration with the community. Combining the SBOM information with real-time monitoring of the Vulnerability Database, the alerting system continuously scans for new vulnerabilities and potential threats. This proactive approach allows organizations to respond swiftly to emerging risks, minimizing the impact of security incidents.
  3. Tailored vulnerability impact assessment:
    Often, the publication of a new vulnerability is accompanied by patched or fixed versions of the packages named by the CVE or threat feed. By diffing the functions, methods, and classes between the current vulnerable package and the patched package, we can identify which callable nodes change when the package is upgraded. Even though there may be many impactful changes between package versions, usually only a small subset is relevant to the organization's application in question. Determining whether those impactful changes are used requires building a call graph of the application and mapping changed nodes such as functions, methods, classes, and modules onto it. The call graph is a relationship map that records each caller-callee path and the direction of invocation within the application, including its dependencies.
  4. Package Upgrade Compatibility Detection:
    Upon completion of the mapping of impacted functions, we can begin to model the effects of changes on the call graph. We use data flow and invocation analysis to find the usage of the vulnerable third-party packages, along with other changes that may affect package upgrades. This information is used to calculate an overall upgrade impact score so we can identify no-work upgrades and prioritize upgrades that need less rework.
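The following is an added illustration of steps 3 and 4, not code from the original post or from Accenture Labs: it builds a caller-callee graph of a small constructed application with Python's `ast` module, maps a constructed set of changed package nodes onto it, and classifies the upgrade as no-work or rework. The package name `cryptolib`, the application functions, and the changed-node set are all assumptions for the example.

```python
import ast
from collections import defaultdict, deque

# Constructed sample application (not Ansible's code); `cryptolib` stands in
# for a third-party package that has a vulnerable and a patched release.
APP_SRC = """
import cryptolib

def load_key(path):
    return cryptolib.load_pem(open(path).read())

def sign(data, key):
    return cryptolib.sign_rsa(key, data)

def main():
    key = load_key("k.pem")
    return sign(b"payload", key)
"""

# Constructed: callables whose bodies differ between the two package versions
# (in the approach above this set comes from diffing the two releases).
CHANGED_NODES = {"cryptolib.verify_x509", "cryptolib.load_pem"}

def build_call_graph(src):
    """Caller -> set of callee names; the call expression text is the node id."""
    tree = ast.parse(src)
    graph = defaultdict(set)
    for fn in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
        for node in ast.walk(fn):
            if isinstance(node, ast.Call):
                graph[fn.name].add(ast.unparse(node.func))
    return graph

def paths_to_changed_nodes(graph, entry, changed):
    """BFS over caller->callee edges from `entry`; returns {changed_node: call path}."""
    parent, queue, hits = {entry: None}, deque([entry]), {}
    while queue:
        cur = queue.popleft()
        for callee in graph.get(cur, ()):
            if callee not in parent:          # first time we reach this node
                parent[callee] = cur
                queue.append(callee)
            if callee in changed and callee not in hits:
                path, n = [], callee          # rebuild the invocation path
                while n is not None:
                    path.append(n)
                    n = parent[n]
                hits[callee] = path[::-1]
    return hits

def upgrade_impact(src, entry, changed):
    """'no-work' when no call path reaches a changed node, else 'rework' plus the paths."""
    hits = paths_to_changed_nodes(build_call_graph(src), entry, changed)
    return ("rework" if hits else "no-work", hits)
```

With `CHANGED_NODES` as constructed, `load_pem` is reachable from `main` and the upgrade is flagged for rework; if only `verify_x509` had changed, the same analysis would report a no-work upgrade, which is the case the Ansible study below describes.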

Case Study: Ansible (python)

To test the package upgrade functionality, we ran a case study on one of the larger critical open-source applications, Ansible. Ansible is designated a critical project by the Open Source Security Foundation (OpenSSF). For the Ansible case study, we cloned the Ansible repository (version 2.0.16) and rebuilt it locally. Then we ran a comprehensive Software Composition Analysis (SCA) as well as a package upgrade assessment to identify any vulnerabilities within the software's supply chain.

The SCA process identified two vulnerabilities within Ansible's software dependencies, specifically in the 'cryptography' library. The vulnerabilities were identified as GHSA-5cpq-8wj7-hf2v and CVE-2023-38325. The SCA vendor promptly generated alerts for the identified vulnerabilities and recommended upgrading the package to fix the issues. However, the report did not indicate which portions of the code were affected by those vulnerabilities.

We ran our new package upgrade capability on the application source code to determine whether upgrading the package to a newer version would change the control flow of the Ansible application. We found that no function call flowed to the changed nodes in the vulnerable supply-chain package. This means that the differences between the package versions (which include the fixes for the two vulnerabilities) cannot affect the control flow of our application, so we can remediate them with a low probability of causing an impact. This reduces the time and effort required for vulnerability analysis and remediation.

Conclusion:

With cybersecurity threats becoming more sophisticated, organizations must embrace innovative solutions to fortify their defenses. By adopting this approach to Software Composition Analysis and 3rd-party package upgrades, businesses can significantly enhance their security posture, mitigate risks, and stay one step ahead of potential vulnerabilities. With real-time monitoring, automated vulnerability assessment, and automated package upgrade assessment, organizations can strengthen their cybersecurity foundation and safeguard their digital assets in today’s evolving threat landscape.

Contacts:

To learn more about the ongoing work at Accenture Cyber Labs, reach out to us:
Lisa O’Connor: lisa.oconnor@accenture.com
Global Lead of Cybersecurity Research and Development

Amin Hassanzadeh: amin.hassanzadeh@accenture.com
North America R&D Lead, Cybersecurity Research and Development, Accenture Labs
