You certainly remember Heartbleed: Back in 2014, this vulnerability in the OpenSSL crypto library put many TLS-enabled websites at risk. It was an eye-opener demonstrating to what extent we all depend on the security of open source software components. Or remember the Equifax data breach in 2017: Personal data of 148 Mio US citizens was compromised due to a vulnerable version of Apache Struts.
To compensate for the lack of tool support, SAP Security Research started in 2014 to develop a new approach for detecting whether Java applications depend on vulnerable open source code and, using static and dynamic program analysis techniques, whether such vulnerable code is actually or potentially reachable in a given application context.
The code-centricity of the so-called vulnerability assessment tool represents a significant advantage over other tools that have been developed in the meantime. Many of those rely to a significant extent on human-provided meta-data associated to software packages and vulnerabilities, which leads to imprecise analyses including both false-positives and false-negatives.
Accordingly, following a comparative study, SAP made the vulnerability assessment tool the officially recommended open source scan tool for all its Java and Python applications. By now, 800+ applications have been analyzed in more than 1 Mio. scans.
Late 2018, SAP decided to open source the vulnerability assessment tool so that other users of open source – be it individual software developers or commercial development organizations – can consume open source more securely. Source code and Dockerfiles needed for its operation have been released on GitHub under Apache License v2, and we aim at building a lively community of individuals and organizations using the tool and contributing to it.
Check out the following links to learn more:
- Tool homepage and sources
- Technical approach: Serena Ponta, Henrik Plate, Antonino Sabetta, Beyond Metadata: Code-centric and Usage-based Analysis of Known Vulnerabilities in Open-source Software, 34th International Conference on Software Maintenance and Evolution (ICSME), 2018
I hope I succeeded making you interested in the vulnerability assessment tool – stay tuned for more blog posts explaining selected aspects and features in more detail.