Packages and Vulnerabilities

Packages are software modules that perform operations which, when compiled together, make up an application. Though applications are built for many purposes, most of them rely on familiar functionality, such as authentication or compression. As a result, it is common practice for developers to build applications by writing some of their own packages (first party code) and by incorporating existing packages (third party code) to handle these routine operations.

Benefits of Packages

These existing packages allow for faster application development and access to highly specialized operations that application developers rarely want to rewrite, but they come with risk. They are written and maintained by someone outside of your organization, or by a community of individuals (open source code), so it is impossible to know whether the packages were developed with security in mind. Since many of these third party packages are available for free, attackers have access to them as well and can discover mechanisms to exploit their vulnerabilities. While leveraging third party packages helps organizations go to market faster, it also introduces application-layer attack vectors.

Risks of Packages

Many organizations do not enforce which third party packages their development teams leverage, so they do not have visibility into which third party packages are deployed in their applications. In addition, even if an organization were able to catalog these packages, comparing them against the list of known vulnerabilities in the National Vulnerability Database (NVD) would involve hours of manual labor.

tCell by Rapid7, in partnership with Snyk, provides a means for detecting third party packages which contain known vulnerabilities.

What makes tCell's Packages and Vulnerabilities feature different?

Because tCell agents run inside applications, our agents have access to the application’s information, including what third party and open source packages the application leverages. During startup time, the tCell agent sends package information to the tCell cloud. The tCell cloud then communicates with a threat database, populated in partnership with Snyk, to match the packages reported in the application with any known vulnerabilities in the database. This allows tCell to provide a comprehensive view of an application’s package-level risk without manual review. Customers can then configure tCell to send alerts when new packages and vulnerable packages are detected.

Unlike other tools that conduct third party package analysis during build time, our Packages and Vulnerabilities feature inspects applications at runtime. As a result, you have the assurance that any packages reported are being loaded by the application, leading to more accurate analysis. Our Packages and Vulnerabilities feature provides visibility into:

  • Third party packages in your application
  • Versions for each third party package
  • Newer versions available for your third party packages
  • Common known vulnerabilities and exposures (CVEs) that exist in your third party packages
  • Any applications which are using different versions of the same package

How does Packages and Vulnerabilities work?

tCell gets an application’s package information from the application and sends it to the tCell Cloud, which is part of the Rapid7 Insight Platform. Our cloud service sources a variety of threat data from many places, including Snyk, which we surface in tCell’s Packages and Vulnerabilities dashboard.
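As an added illustration (not tCell's or Snyk's code), the matching step described above modelled in Python: an inventory of the distributions installed in the running interpreter is compared against a constructed advisory feed expressed as version ranges, and a package whose version cannot be determined is reported as unknown rather than matched. Package names and advisory ids are placeholders.

```python
from importlib import metadata

# Constructed sample advisory feed (placeholder ids, not real advisories).
# Each entry: affected package, first vulnerable version, first fixed version.
SAMPLE_FEED = [
    {"id": "ADVISORY-PLACEHOLDER-1", "name": "examplelib",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "high"},
    {"id": "ADVISORY-PLACEHOLDER-2", "name": "examplelib",
     "introduced": "0.0.0", "fixed": "1.2.0", "severity": "medium"},
    {"id": "ADVISORY-PLACEHOLDER-3", "name": "otherlib",
     "introduced": "2.0.0", "fixed": None, "severity": "critical"},  # no fix yet
]


def parse_version(text):
    """'1.4.2' -> (1, 4, 2). Trailing tags ('1.4rc1') are ignored and short
    versions are zero-padded so '1.0' and '1.0.0' compare equal."""
    parts = []
    for piece in text.split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        parts.append(int(num) if num else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def runtime_inventory():
    """Versions of the distributions installed in the running interpreter,
    i.e. what this process can actually load (a stand-in for the package
    report an in-process agent would send at startup)."""
    return {d.metadata["Name"].lower(): d.version for d in metadata.distributions()}


def match_vulnerabilities(inventory, feed=SAMPLE_FEED):
    """Return (findings, unknown). A package whose version could not be
    determined is listed separately instead of guessed at, mirroring the
    'Unknown' status in the Version(s) Found column."""
    findings, unknown = [], []
    for name, version in inventory.items():
        if version in (None, "unknown"):
            unknown.append(name)
            continue
        v = parse_version(version)
        for adv in feed:
            if adv["name"] != name.lower():
                continue
            if v < parse_version(adv["introduced"]):
                continue  # older than the vulnerable range
            if adv["fixed"] is not None and v >= parse_version(adv["fixed"]):
                continue  # already carries the fix
            findings.append((name, version, adv["id"], adv["severity"], adv["fixed"]))
    return findings, unknown
```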

Before you begin

This feature is not applicable to WSAs. We currently support Java, Python, Ruby, and Node.js, as long as you are using our Application Server Agent (ASA) instrumentation.

Get Started

  1. Log into tCell.

  2. Choose the application whose packages you want to learn more about.

  3. Click Packages and Vulns from the left-hand navigation menu.

  4. On the next page, you’ll see a list of packages that are running in your environment, as well as some high-level details, such as the dates and times a package was first and last active, the latest version, the versions found, and any vulnerabilities through the Snyk integration.

    **Unknown** status in the Version(s) Found column

    If you see an Unknown status in the Version(s) Found column, it is likely because the package has been modified or is private. tCell can only look up the version for publicly available packages.

  5. Click on the blue dot (arrow) at the far right to see more detailed information and vulnerability cards.

How do I assess data?

If a package has a vulnerability, you’ll find more information about it in the detailed view. The card will tell you the vulnerability type, publish date, CVE ID, severity, a brief description, and a list of the other places or applications where you can be impacted by the same vulnerability. Use the Agents dashboard to see other places affected by a specific vulnerability.

You can compare the packages that are running in your production environment and the latest versions, so you can determine if you want to upgrade. Click the URL link to see even more vulnerability details, such as CVSS Score, attack types, affected environments, and remediation steps, if available.

Every time tCell finds a vulnerability, it will automatically post an alert in the Newsfeed on the home page. If you do not want to be notified for that package vulnerability, click Ignore.

How do I set up alerts?

You can set up alerts to notify you when new package vulnerabilities are discovered.

  1. In the tCell console, choose the application you want to set up an alert for.
  2. Click Settings in the left hand navigation menu.
  3. Click Alerts.
  4. In the Alerts section, click + Add to add an alert.
  5. In the dropdown, select New package vulnerability detected.
  6. Check the appropriate boxes for your preferred alert mechanism.
  7. Click Save.

Snyk Integration

Our partnership with Snyk allows us to gain visibility into risk without the need for manual review by leveraging their comprehensive Vulnerability Database. If you are a Snyk customer, you can leverage their Open Source Security Management to accelerate remediation of third party risk throughout your development process: their CI/CD pipeline integrations can automatically patch your application by updating a package to the most recent, less-vulnerable version. To learn more, visit the Snyk website.

Snyk feeds are updated daily

tCell pulls vulnerability information from Snyk daily.