Component scanning (CVE, NVD & CVSS)

Eighty per cent of the code in today’s applications comes from libraries and frameworks, but the risk of vulnerabilities in these components is widely ignored and underappreciated.

APPSEC

7/1/2024 · 1 min read

Photo by Robin Glauser on Unsplash

A vulnerable library can allow an attacker to act with the full privileges of the application, including accessing any data, executing transactions, stealing files, and communicating with the Internet. Organizations trust their business to the libraries they use.

Industry standards

  • CVSS - The Common Vulnerability Scoring System (CVSS) is a system widely used in vulnerability management programs. CVSS indicates the severity of an information security vulnerability and is an integral component of many vulnerability scanning tools.

  • CVE - Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed vulnerabilities and exposures that is maintained by MITRE.

  • NVD - The National Vulnerability Database (NVD) is a database, maintained by NIST, that is fully synchronised with the MITRE CVE list.

Illustration

Let's walk through how CVE and NVD can be used together to fetch the details of a vulnerable component:

  • Component - The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1, which are linked to the famous `Heartbleed Bug`

  • Search in CVE - Load the CVE List in your browser and search for the entire string, i.e. `The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1`

  • Check out the CVE detail - Once the search result has loaded, look for the key details of a publicly known cybersecurity vulnerability: an identification number, a description, and at least one public reference.

  • Know more from NVD - Click on the link that takes you to the NVD site to learn about the CVSS rating, fix information and impact ratings
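The manual lookup above is what a component scanner automates. The following Python sketch is an added example, not code from this article or from any of the tools it names: it matches a component inventory against a constructed record laid out like an NVD CVE API 2.0 response and reports the CVSS rating. The CVE id, product name, score and version range are placeholders, and versions are assumed to be purely numeric.

```python
import json

# Constructed feed laid out like an NVD CVE API 2.0 response (assumed layout).
# The id, product, score and version range are placeholders, not NVD data.
FEED = json.loads("""
{"vulnerabilities": [{"cve": {
  "id": "CVE-0000-00000",
  "metrics": {"cvssMetricV2": [{"baseSeverity": "MEDIUM",
      "cvssData": {"version": "2.0", "baseScore": 5.0}}]},
  "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": true,
      "criteria": "cpe:2.3:a:examplevendor:examplelib:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.0.7"}]}]}]
}}]}
""")

def vtuple(version):
    # Assumption: purely numeric dotted versions; suffixed ones need a real parser.
    return tuple(int(part) for part in version.split("."))

def severity(cve):
    """Return (cvss_version, base_score, rating), preferring the newest CVSS."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for metric in cve.get("metrics", {}).get(key, []):
            data = metric["cvssData"]
            # v3.x carries baseSeverity inside cvssData, v2 on the metric itself.
            rating = data.get("baseSeverity") or metric.get("baseSeverity")
            return data["version"], data["baseScore"], rating
    return None, None, "UNSCORED"

def affects(cve, product, version):
    """True if a vulnerable cpeMatch entry covers this product and version."""
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            for match in node.get("cpeMatch", []):
                cpe = match["criteria"].split(":")
                if not match.get("vulnerable") or cpe[4] != product:
                    continue
                if cpe[5] not in ("*", "-") and cpe[5] != version:
                    continue
                lo, hi = match.get("versionStartIncluding"), match.get("versionEndExcluding")
                if ((lo is None or vtuple(version) >= vtuple(lo))
                        and (hi is None or vtuple(version) < vtuple(hi))):
                    return True
    return False

def scan(components, feed=FEED):
    return [(name, ver, item["cve"]["id"], *severity(item["cve"]))
            for name, ver in components
            for item in feed["vulnerabilities"]
            if affects(item["cve"], name, ver)]
```

Only the `versionStartIncluding`/`versionEndExcluding` pair is handled here; the first version at or past the excluded end of the range is reported as clean, which is the behaviour to verify when a fix release lands.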

Our offering

There are now several commercial and open-source tools to help manage component scanning challenges:

  • Sonatype – management for development organization policy enforcement

  • OWASP Dependency Check – open source tool to analyse an application’s components

At DestinJiDee, we are working on a product accredited by OWASP called `OWASP IDE-VulScanner`. The intent is to enable developers to scan their applications at an early stage of the development cycle, i.e. within their IDEs.