Understanding Open Source Software Dependency Security Risks and Available Tools
The article explains how the widespread use of third‑party open‑source components creates a large, often overlooked attack surface, describes the fragmented nature of vulnerability information, and reviews a variety of tools that help organizations detect and manage security risks in their software dependencies.
Software Dependencies Are Often the Largest Attack Surface
Up to 90% of applications contain third‑party components, many of which are open‑source, and more than half of the Fortune 500 use vulnerable open‑source libraries. Organizations frequently assume that most risk comes from public‑facing web applications, but in reality each application contains many small components that can be exploited from anywhere in the code base.
High‑profile vulnerabilities such as Heartbleed, Shellshock, and DROWN draw attention, yet the majority of flaws discovered in dependencies go unnoticed because most organizations lack an accurate inventory of the libraries used by each application and receive only sparse notifications from upstream projects.
Open‑Source Vulnerability Information Is Fragmented
Most organizations search CVE and NIST databases, but these sources provide limited coverage of open‑source vulnerabilities. Information is scattered across many repositories, making it difficult to track. Even large databases like OSVDB have reduced support, and while niche projects such as Node Security Project and RubySec fill gaps, many ecosystems remain poorly covered.
Organizations Still Believe Open‑Source Code Is Safer
The myth that open‑source is inherently more secure, popularized by Linus' Law, is no longer valid; real‑world incidents like the long‑standing vulnerabilities in OpenSSL demonstrate the opposite. Security requires intentional effort—code reviews, dynamic scanning, and penetration testing—regardless of whether the code is open or closed.
"If there are enough eyes, all bugs are shallow." - Linus Torvalds
Open‑source ecosystems are more fragile than expected. A single malicious change in a widely used package can compromise the entire internet, as illustrated by a recent Node.js incident where an attacker could replace packages with malicious code.
Attempts to Solve the Problem
OWASP added “Using Components with Known Vulnerabilities” to its Top 10 in 2013, defining the risk of components that run with full privileges and can lead to data loss or server takeover. Numerous open‑source and commercial tools have emerged to address this, each with different approaches.
Node Security Project (NSP)
NSP scans Node.js modules and NPM dependencies against public vulnerability databases such as NVD and its own curated database.
RetireJS
RetireJS is an open‑source JavaScript dependency checker that integrates with build tools (Grunt, Gulp) and browsers (Chrome, Firefox) and provides a web service for developers to check for known vulnerable libraries.
OSSIndex
OSSIndex supports multiple ecosystems (NPM, NuGet, Maven, Bower, Chocolatey, MSI) and offers a free vulnerability API, pulling data primarily from NIST NVD.
Dependency‑Check
Dependency‑Check is an OWASP‑maintained command‑line tool that works with Java, .NET, JavaScript, and Ruby, retrieving vulnerability data directly from NIST NVD.
Bundler‑Audit
Bundler‑Audit is an open‑source Ruby Bundler scanner that pulls vulnerability information from NIST NVD and RubySec.
Hakiri
Hakiri is a commercial static analysis service for Ruby and Rails projects, offering a free tier for open‑source and paid plans for private code, using NVD and the Ruby Advisory Database.
Snyk
Snyk focuses on JavaScript npm dependencies, providing detection of known vulnerabilities and guided remediation through automated patches and upgrade suggestions, with data from NVD and NSP.
Gemnasium
Gemnasium is a commercial tool with a free starter plan, aggregating vulnerability data from multiple sources and offering smart dependency‑testing algorithms and Slack integration for real‑time alerts.
SourceClear (SRC:CLR)
SourceClear is a commercial solution that combines NVD data with additional sources, offering IDE plugins, CI integrations, and “vulnerable method identification” to reduce false positives.
Other Notable Solutions
Enterprise products such as BlackDuck, Sonatype Nexus, and Protecode provide end‑to‑end third‑party component management, covering licensing, security, inventory, and policy enforcement. SecurifyGraphs helps compare open‑source projects based on CVSS scores.
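As an added illustration (not code from the article or from any of the tools it lists), the core check every scanner above performs: compare an application's dependency inventory against an advisory feed whose entries carry affected-version ranges. Package names, versions and advisory ids below are constructed placeholders, not real packages or CVEs.

```python
"""Minimal dependency audit: match an inventory of (package, version) pairs
against advisories carrying affected-version ranges. All data here is
constructed for illustration; advisory ids are placeholders, not real CVEs."""
import re
from typing import Iterable

# Constructed lockfile-style inventory: package name -> pinned version.
INVENTORY = {"web-framework": "2.3.1", "json-parser": "1.0.9", "tls-lib": "1.0.1f"}

# Constructed advisory feed; every constraint in "affected" must hold to match.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "json-parser", "affected": [">=1.0.0", "<1.1.0"]},
    {"id": "ADV-PLACEHOLDER-2", "package": "tls-lib", "affected": [">=1.0.1", "<1.0.1g"]},
    {"id": "ADV-PLACEHOLDER-3", "package": "web-framework", "affected": ["<2.0.0"]},
]

def parse_version(v: str) -> tuple:
    """Turn '1.0.1f' into ((1,''),(0,''),(1,'f')): numeric parts compare as
    integers, an OpenSSL-style letter suffix compares lexically after them.
    Short versions are padded so '2.0' and '2.0.0' compare equal."""
    parts = []
    for piece in v.split("."):
        m = re.fullmatch(r"(\d+)([a-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version: {v}")
        parts.append((int(m.group(1)), m.group(2)))
    while len(parts) < 3:
        parts.append((0, ""))
    return tuple(parts)

def matches(version: str, constraint: str) -> bool:
    """Evaluate one constraint such as '<1.1.0' against a version string."""
    op, bound = re.fullmatch(r"(>=|<=|<|>|==)(.+)", constraint).groups()
    a, b = parse_version(version), parse_version(bound)
    return {">=": a >= b, "<=": a <= b, "<": a < b, ">": a > b, "==": a == b}[op]

def audit(inventory: dict, advisories: Iterable[dict]) -> list:
    """Return (package, version, advisory id) for every advisory whose
    affected range covers the version pinned in the inventory."""
    findings = []
    for adv in advisories:
        version = inventory.get(adv["package"])
        if version and all(matches(version, c) for c in adv["affected"]):
            findings.append((adv["package"], version, adv["id"]))
    return findings

if __name__ == "__main__":
    for pkg, ver, adv_id in audit(INVENTORY, ADVISORIES):
        print(f"{pkg}@{ver} is affected by {adv_id}")
```

Real scanners differ mainly in where the inventory comes from (lockfiles, build metadata, bytecode) and how broad and current their advisory feed is, which is why the article stresses that NVD alone gives limited coverage.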
Original source: http://pub.intelligentx.net/13-tools-checking-security-risk-open-source-dependencies