
I have a problem where I have too many vulnerabilities on a few hundred repositories, introduced by outdated npm packages. The issue is that I need to find a way to prioritize this. The biggest pain in the butt for me is that the engineering team wants proof of vulnerability exploitation so that they will patch the package.

Is there any tool that could be used to check if a vulnerable package actually poses a threat to the app? I know Snyk has --reachable, but it is used only for Java projects, and I need something for Node.js.

schroeder
4tire
  • Analyzing JavaScript code is way more complicated than Java code because JavaScript is non-typed and highly changeable at run-time. If the engineering team wants a "proof of vulnerability exploitation" for every vulnerable package, they don't understand that working out an exploit can take several dozen hours or more per exploit. Usually just fixing the outdated packages is cheaper. Or try to turn it around: the engineering team should know their apps better, so they have to prove that an app is not affected by a vulnerable package. – Robert Apr 28 '22 at 15:00
  • Proof of vulnerability is usually a strawman. It's often claimed that patching takes away dev effort, but applying the patch is often more efficient than proving exploitability. As these issues are rooted in libraries, the code can be a single function call away from becoming exploitable, so for this "proof" to matter, all code changes to affected repos would have to receive security reviews, which tends to be even less effective. Perhaps you should formulate a case for priority based on criticality per the answer below and present it to someone above the engineering team to decide on. – wireghoul Apr 28 '22 at 23:11

1 Answer

The standard approach to prioritize vulnerability management is to focus on severity level. You should focus on Critical vulnerabilities first, then High, etc.

As suggested by Robert, it's not practical to actually prove a vulnerability is exploitable when running a vulnerability management program. That's the goal in a penetration test, but not for mitigation of a found vulnerability. The job there for the engineering team is to upgrade to the package version that fixes the vulnerability, then test the software to be sure the upgrade doesn't break the system, and rescan to make sure it's been remediated.

If you don't have one, consider a Vulnerability Management Policy, which would set frequency, responsibilities and timelines for resolving vulnerabilities when found in critical IT systems. Standard best-practice vulnerability management policies do not require proof of exploitation to accept their severity, potential risk, applicability and need for remediation.

Rodrigo Murillo
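As an added example (not code from the original question or answer, and not Snyk's or npm's own tooling): a Node.js script that ranks `npm audit --json` findings by severity, as the answer recommends, and adds the cheap check the question asks about, namely whether the application's own source imports the vulnerable package. The report shape follows npm 7+ (`auditReportVersion` 2); the package names, version ranges and source files below are constructed placeholders, not real advisories. An import is evidence of exposure, not proof of exploitability, and a transitive dependency that is never imported directly can still be reached through the package that depends on it, so the flag narrows the worklist rather than replacing the severity ordering.

```javascript
'use strict';

// Added example: rank `npm audit --json` findings by severity, then annotate
// each one with a cheap reachability hint (is the package imported by app
// code?). Exposure evidence only; not proof of exploitability.

// Severity labels used by npm audit (auditReportVersion 2); higher ranks first.
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Constructed excerpt in the shape of `npm audit --json` (npm 7+). Package
// names and ranges are placeholders; only the fields read below are included.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-parser': { name: 'example-parser', severity: 'critical', isDirect: false, range: '<2.0.1', fixAvailable: true },
    '@example/auth':  { name: '@example/auth',  severity: 'high',     isDirect: true,  range: '<1.4.0', fixAvailable: true },
    'example-util':   { name: 'example-util',   severity: 'high',     isDirect: true,  range: '<3.2.2', fixAvailable: false },
    'example-logger': { name: 'example-logger', severity: 'moderate', isDirect: true,  range: '<0.9.5', fixAvailable: true },
  },
};

// Constructed application sources (path -> contents). In practice read every
// *.js/*.ts file under src/ from disk, skipping node_modules.
const sampleSources = {
  'src/server.js': [
    "const { merge } = require('example-util/merge');",
    "const fs = require('node:fs');",
    "const cfg = require('./config');",
  ].join('\n'),
  'src/auth.js': [
    "import { verify } from '@example/auth';",
    "import './polyfills.js';",
    "const loadExtra = () => import('example-dynamic');",
  ].join('\n'),
};

// Import forms recognised; the string-literal specifier is captured in group 1.
const SPECIFIER_PATTERNS = [
  /\brequire\s*\(\s*['"]([^'"]+)['"]\s*\)/g,            // CommonJS: require('pkg')
  /\bimport\s*\(\s*['"]([^'"]+)['"]\s*\)/g,             // dynamic import('pkg')
  /\bimport\s+(?:[^'";]*?\bfrom\s+)?['"]([^'"]+)['"]/g, // ESM: import x from 'pkg', import 'pkg'
];

// Reduce a module specifier to the npm package that provides it, or null for
// relative paths and `node:` built-ins. Built-ins written without the prefix
// (e.g. 'fs') are kept; they simply never match an audit entry.
function packageName(spec) {
  if (spec.startsWith('.') || spec.startsWith('/') || spec.startsWith('node:')) return null;
  const parts = spec.split('/');
  // '@scope/pkg/sub' -> '@scope/pkg', 'pkg/sub' -> 'pkg'
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Set of package names imported by any of the given source files.
function importedPackages(sources) {
  const found = new Set();
  for (const text of Object.values(sources)) {
    for (const re of SPECIFIER_PATTERNS) {
      for (const m of text.matchAll(re)) {
        const name = packageName(m[1]);
        if (name) found.add(name);
      }
    }
  }
  return found;
}

// Worklist: most severe first; within a severity, packages the app imports
// come before those it does not; then by name for a stable order.
function prioritize(audit, sources) {
  const imported = importedPackages(sources);
  const rank = (s) => (s in SEVERITY_RANK ? SEVERITY_RANK[s] : -1);
  return Object.values(audit.vulnerabilities)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      isDirect: Boolean(v.isDirect),           // listed in package.json
      importedInSource: imported.has(v.name),  // referenced by app code
      fixAvailable: Boolean(v.fixAvailable),
      range: v.range,
    }))
    .sort(
      (a, b) =>
        rank(b.severity) - rank(a.severity) ||
        Number(b.importedInSource) - Number(a.importedInSource) ||
        (a.name < b.name ? -1 : a.name > b.name ? 1 : 0),
    );
}

for (const v of prioritize(sampleAudit, sampleSources)) {
  console.log(`${v.severity.padEnd(8)} ${v.name.padEnd(16)} direct=${v.isDirect} imported=${v.importedInSource} fix=${v.fixAvailable}`);
}
```

With the constructed input the critical `example-parser` finding stays at the top even though nothing imports it (it is transitive, so it is reached through whichever dependency pulls it in), and the two High findings are ordered with the directly imported ones first. To run it against a real repository, replace `sampleAudit` with the parsed output of `npm audit --json` and `sampleSources` with the files read from `src/`; the regex-based import scan is deliberately simple and will miss imports built from non-literal strings.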