13 Vulnerabilities in third-party code

 

In this chapter

  • How to protect against vulnerabilities in code written by others
  • How to avoid advertising what your tech stack is built from
  • How to secure your configuration

Here’s a thought that should keep you up at night: most of the code powering your web applications wasn’t written by you. How can you know it’s secure, then?

To build a modern web application is to stand on the shoulders of giants. Most of the running code that keeps the web application responding to HTTP requests will have been written by other people. This code includes the application server itself, the programming language runtime, all your dependencies and libraries, your supplementary applications (such as web servers, databases, queuing systems, and in-memory caches), the operating system itself, and any type of resource abstraction tools you deploy (such as virtual machines or containerization services). You can picture this stack of technologies as being geological strata.

That’s a whole lot of code that you didn’t write—and you won’t even have read most of it. Worse, pretty much all the vulnerabilities covered in this book so far (and some that are yet to be covered) appear frequently in third-party code. You can chart roughly how often each vulnerability crops up in code and at what layer of abstraction.

Dependencies

Dependency versions

Learning about vulnerabilities

Deploying patches

Farther down the stack

Information leakage

Removing server headers

Changing the session cookie name

Using clean URLs

Scrubbing DNS entries

Sanitizing template files

Server fingerprinting

Insecure configuration

Configuring your web root directory

Disabling client-side error reporting

Changing default passwords

Summary