Nowadays, it is not enough if our servers and networks are sufficiently protected. A software used and the components used in it must also be regularly checked for vulnerabilities. We have seen countless examples in recent years when hackers took advantage of the vulnerability of a component - or rather the vulnerability of the update protocol - to lock systems and demand a ransom to unlock them. Such cases not only cause a loss of income, but also a serious loss of prestige and image, ruining what the given company has carefully built over the years. In order to avoid this, protection must be started already in the software development phase and then regularly checked in the maintenance phase. Our company's experts can help with this, assess the given vulnerabilities, and then make suggestions on how to handle certain cases.

PREVENTION DURING SOFTWARE DEVELOPMENT

Careful protection must be started during development. Fortunately, we have many tools and methods at our disposal. One such method, e.g. In the case of the Java programming language, we include a step in the translation process that regularly checks whether we are using a component that has been found to be vulnerable. Such devices, e.g. the Dependency Check made by OWASP and the other is the Snyk checking tool. Both tools check the project files, detect dependencies and then check the found common elements in the component vulnerability database.

The tools mentioned above have so-called extensions for many development environments - such as Eclipse or Jetbrains development tools.

In case we found a vulnerability, we need to consider how to handle it. In the best case, a new release of the given component has already been prepared and the situation can be remedied by changing a version. If this is not feasible, another method must be used - e.g. by restricting access to network ports within the network as well.

PREVENTION BEFORE INSTALLING THE SOFTWARE

If our developed application is independent and does not depend on any external service (e.g. database), then our task is simple, because we checked everything during the development. Otherwise, the dependent services should be checked for any known vulnerabilities. If so, then of course we have to deal with the situation.

PREVENTION FOR DOCKER CONTAINERS

Nowadays, with the spread of the use of docker containers, the software development, testing and installation itself has become more efficient and simpler. In that case, docker containers can be a source of many dangers if obtained from an untrusted source. In general, all software vendors (e.g. Oracle, Redhat, Apache, etc.) create and officially publish the docker image containing their applications. Of course, there are also releases that differ from the manufacturer's version, in which case we have to be very careful and check the dockerfile itself to see how it was implemented - avoiding hidden (Trojan) vulnerabilities.

We also need to check the generated docker image, because it is possible that the service we want to use (e.g. database server) is fine, but the operating system on which the given service runs may contain components that are vulnerable.

It is possible to check both the dockerfile and the finished docker image with the tools of OWASP and Snyk.

 

Even during the maintenance period, the vulnerability of the software in use and its components must be regularly checked. From a cost-effectiveness point of view, we tend to skip this step, as it is sufficient to operate the system and, if applicable, update the developed software. Unfortunately, this would be a big mistake, especially if the application also uses other services. Over time, the components of the operating system become obsolete, and it is not uncommon for some elements to reveal vulnerabilities. For this reason, if we do not update these docker images, but only maintain the state, we put the system at risk and can become an easy target for hacker attacks.

 

Our company's experts help in the development and release process to correctly design the use of detection tools, the management and prevention of discovered vulnerabilities, the automation of periodic checks during the maintenance period and the preparation and sending of reports and alerts.

 

If you are interested in our service, contact us on one of the communication channels.