OWASP category:
MASVS-CODE: Code Quality
Overview
Using insecure APIs or libraries significantly reduces an application's security
posture. A security breach in any of these dependencies would allow an attacker
to leverage a number of vectors to conduct a broad set of attacks such as man-
in-the-middle (MitM) and remote code execution (RCE).
The threat of implementing insecure dependencies arises when developers don't
integrate security assessments and vulnerability testing into the Software
Development Lifecycle (SDLC) or, in some cases, don't implement an automated
update policy for application dependencies.
Dependency exploitation usually starts by analyzing application binary (.apk) to
search for vulnerable libraries. At this point, Open Source Intelligence (OSINT)
is performed to unearth previously discovered potentially exploitable
vulnerabilities. Attackers can then leverage publicly disclosed vulnerability
information such as common vulnerabilities and exposures (CVEs) to perform
further attacks.
Impact
The successful exploitation of insecure dependencies can lead to a broad set of
attacks such as remote code execution (RCE), SQL injections (SQLi), or cross-
site scripting (XSS).
Therefore, the overall impact is directly related to the type of vulnerability
that third-party software introduces and that attackers can exploit.
Possible consequences of a successful exploitation of vulnerable dependencies
are data breaches or service unavailability, which may lead to a significant
impact on reputation and economic turnover.
Mitigations
Defense in depth
Note that the mitigations listed below have to be implemented in combination to
ensure a stronger security posture, and reduce the application's attack surface.
The exact approach should always be evaluated on a case-by-case basis.
Dependency vulnerability assessments
Implement dependency verification at the beginning of the development lifecycle
to detect vulnerabilities within third-party code. This phase tests whether the
code that is not built in-house is secure before being rolled out in production
environments.
Verification could be complemented by implementing static application security
testing (SAST) and dynamic application security testing (DAST) tools within the
software development lifecycle to improve the security posture of the
application.
Continuously update dependencies
Always be careful to continuously update any dependency embedded within the
code. For this purpose, it is recommended to implement automatic updates that
are pushed to production whenever a third-party component releases a new
security patch.
Conduct regular penetration tests. These kinds of tests aim to uncover any well-
known vulnerability that could affect proprietary code and, or third-party
dependencies.
Additionally, security assessments frequently uncover unknown vulnerabilities
(0-days).
Penetration tests are helpful for developers, as they provide them with a
snapshot of the application's current security posture and help them prioritize
exploitable security issues that have to be addressed.
Resources