How to defend against Account Takeovers
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
The Challenge of Open-Source Security
Modern applications are built on a foundation of open-source and third-party libraries. While these dependencies accelerate development, they also introduce a significant security risk. A single vulnerability in a third-party package can compromise your entire application. This is known as a supply chain risk.
Effectively managing and remediating these vulnerabilities is a critical part of any DevSecOps practice. Here's a step-by-step guide to tackling the problem.
Step 1: Find Your Vulnerabilities with Software Composition Analysis (SCA)
You can't fix what you don't know you have. The first step is to get a complete inventory of all the third-party components in your application and identify which ones have known vulnerabilities.
- Use an SCA Tool: Software Composition Analysis (SCA) tools are designed for this purpose. They scan your project's manifest files (e.g.,
package.json,pom.xml,requirements.txt), generate a dependency graph, and cross-reference each component against a database of known vulnerabilities (like the National Vulnerability Database - NVD). - Popular SCA Tools:
- Open Source: OWASP Dependency-Check, Trivy.
- Commercial: Snyk, Mend (formerly WhiteSource), Veracode SCA, GitHub Advanced Security (Dependabot).
- Integrate into CI/CD: Run SCA scans automatically in your CI/CD pipeline on every build. This ensures you catch new vulnerabilities as soon as they are introduced. Configure the pipeline to fail if a new high-severity vulnerability is detected.
Step 2: Prioritize Vulnerabilities
Once your SCA tool generates a report, you might be faced with hundreds of vulnerabilities. Trying to fix them all at once is impractical. Prioritization is key.
- Severity Score (CVSS): The most common metric is the Common Vulnerability Scoring System (CVSS) score, which rates vulnerabilities on a scale of 0-10 (10 being most critical). Start with the "Critical" and "High" severity vulnerabilities.
- Exploitability: Is there known, public exploit code available for this vulnerability? A vulnerability with a readily available exploit is a much higher priority than a theoretical one. Many commercial SCA tools provide this "exploit maturity" data.
- Reachability: Is the vulnerable code actually reachable and executable in your application? If the vulnerable function in a library is never called by your code, the risk is lower. This is a more advanced analysis, but some modern SCA tools can help determine reachability.
- Business Impact: Consider the business context. A vulnerability in a non-critical internal admin tool is a lower priority than one in your public-facing payment processing service.
Step 3: Remediate the Vulnerability
Once you have a prioritized list, you can begin remediation. There are several ways to fix a vulnerable dependency.
1. The Easiest Fix: Update to a Patched Version
This is the most common and preferred method.
- Identify the Patched Version: Your SCA tool will typically tell you which version of the library contains the fix (e.g., "Upgrade
library-xfrom version1.2.3to1.2.4or higher"). - Update the Dependency: Update the version number in your manifest file (e.g.,
package.json) and run your package manager's update command (e.g.,npm install). - Test for Breaking Changes: After updating, run your application's full test suite (unit, integration, and end-to-end tests) to ensure the new version hasn't introduced any breaking changes or regressions. This is a critical step.
2. When You Can't Update: Patching
Sometimes, a direct update isn't possible. The patched version might introduce major breaking changes, or you might be stuck on an older version of a framework for other reasons.
- Apply a Patch: The library's maintainers may have provided a patch file that can be applied to the vulnerable version. Package managers like
npmhave tools (patch-package) that can help automate this. This is a temporary solution and should be used with caution.
3. When There's No Fix: Mitigate or Remove
In some cases, especially for newly discovered vulnerabilities, a patched version may not be available yet.
- Implement Mitigating Controls: Can you mitigate the risk in another way? For example, if the vulnerability is a Cross-Site Scripting (XSS) flaw, you might be able to mitigate it by adding stricter input validation and output encoding in your own code where you use the library.
- Remove the Dependency: Is the library still necessary? Sometimes, dependencies are added for a minor feature that is no longer used. If you can remove the dependency entirely, you eliminate the risk.
Step 4: Automate and Monitor
- Automated Pull Requests: Use tools like GitHub's Dependabot or Snyk to automatically create pull requests to update vulnerable dependencies as soon as a fix is available. This dramatically speeds up the remediation process.
- Continuous Monitoring: Security is a continuous process. Your SCA tool should be configured to monitor your deployed applications and alert you if a new vulnerability is discovered in a dependency that is already in production.
Related Articles
What is an Account Takeover?
An overview of Account Takeover Attacks
Anatomy of a Credential Stuffing Attack
A step-by-step breakdown of how credential stuffing attacks are carried out, from obtaining stolen credentials to bypassing defenses and taking over accounts.
What is Anycast DNS?
An introduction to Anycast DNS
What is an Apex Domain?
A quick description about what an Apex Domain is.
Best Practices for API Key Management and Rotation
Learn the essential best practices for managing and rotating API keys to enhance security, prevent unauthorized access, and minimize the impact of key compromise.