Component scanning (CVE, NVD & CVSS)
Eighty per cent of the code in today’s applications comes from libraries and frameworks, but the risk of vulnerabilities in these components is widely ignored and underappreciated.
APPSEC
7/1/20241 min read
Eighty per cent of the code in today’s applications comes from libraries and frameworks, but the risk of vulnerabilities in these components is widely ignored and underappreciated.
A vulnerable library can allow an attacker to exploit the full privilege of the application, including accessing any data, executing transactions, stealing files, and communicating with the Internet. Organizations trust their business to the libraries they use.
Industry standards
CVSS - The Common Vulnerability Scoring System (CVSS) is a system widely used in vulnerability management programs. CVSS indicates the severity of an information security vulnerability and is an integral component of many vulnerability scanning tools.
CVE - Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed vulnerabilities and exposures that is maintained by MITRE.
NVD - The National Vulnerability Database (NVD) is a database, maintained by NIST, that is fully synchronised with the MITRE CVE list.
Illustration
Let's try and evaluate how one can leverage both CVE & NVD to fetch the following details of a vulnerable component
Component - The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1, are linked to the famous `Heartbleed Bug`
Search in CVE - Load CVE List in your browser and search the entire string i.e. `The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1`
Check out the CVE detail - Look out for the following information once the search result is loaded. Some of the key details to look for are an identification number, a description, and at least one public reference—for publicly known cybersecurity vulnerabilities.
Know more from NVD - Click on the link which takes you to the NVD site to learn about CVSS rating, fix information and impact ratings
Our offering
There are now several commercial and open-source tools to help manage component scanning challenges:
Sonatype – management for development organization policy enforcement
OWASP Dependency Check – open source tool to analyse an application’s components
At DestinJiDee, we are working on a product accredited by OWASP called `OWASP IDE-VulScanner`. The intent is to enable developers to scan their applications at an early stage of the development cycle i.e. within their IDEs.