Web Security basics: Third-Party assets and Application Security



Every engineer makes security mistakes, including security engineers. That is not a problem, as long as we learn and adapt.

Engineers in big tech companies make mistakes too: Microsoft, Google, IBM, … Assuming that their security is “better” without verifying it is a very common mistake.
I have worked for a big tech company, and so have lots of people. Of course, we always did our best, but it was never perfect and there has always been a deadline…

Reproducible builds

Use a lockfile. Maybe you once wondered why npm and other NodeJS package managers write a lockfile:

(base) [email protected]:~/Source/somecode$ head package-lock.json 
{
  "name": "verynicelib",
  "version": "0.1.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "@babel/code-frame": {
      "version": "7.5.5",

With this, you control the exact versions of the many, many dependencies that you are sourcing in. Expecting the bleeding-edge versions of many libraries to build together isn’t sane. Relying on them to be bug-free is crazy. Ship with pinned versions. Everyone does.

Look out for LTS branches

Contrary to popular belief you do not need to have the latest versions.

Ember has an LTS branch that receives security fixes. Unless you need the latest features, this is the way to go.

CDN Assets

Keep in mind that you should only trust one CDN at a time. In HTML the script tag has so-called subresource integrity attributes. Let’s say I want to use… jQuery.

<script
  src="https://code.jquery.com/jquery-3.4.1.min.js"
  integrity="sha256-CSXorXvZcTkaix6Yvo6HppcZGetbYMGWSFlBw8HfCJo="
  crossorigin="anonymous"></script>

The integrity and crossorigin attributes are used for Subresource Integrity (SRI) checking. This allows browsers to ensure that resources hosted on third-party servers have not been tampered with: the browser hashes the fetched file and refuses to execute it if the hash does not match the integrity value. Use of SRI is recommended as a best practice whenever libraries are loaded from a third-party source. Read more at srihash.org.

  • crossorigin attribute: the file is requested in CORS mode without credentials (no cookies or HTTP auth are sent to the CDN), which is also what allows the browser to perform the integrity check on a cross-origin response
  • integrity attribute: adds a hash that fences the application against silent updates of the hosted file

This way it does not matter whether you use the version “proudly provided” by ThisCDN or ThatCDN, where, by accident or by intention, modified derivatives may be hosted: anything that does not match the hash is rejected.

Of course, not every third-party provider publishes integrity hashes. Marketing widgets etc. usually don’t consider security. In such cases you can generate the SHA256 hash yourself. Or, even better… just host a copy of the file on your own and pin that.
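As an added example (not part of the original post), a small POSIX shell script that computes the integrity value the same way srihash.org does, checks a local copy of a library against a known value, and prints the matching script tag. It assumes only openssl; the file names and URL are placeholders.

```shell
#!/bin/sh
# sri_hash FILE [ALGO]: print "ALGO-<base64 digest>" for FILE.
# ALGO defaults to sha256 to match the post; sha384 and sha512 are also valid for SRI.
sri_hash() {
  file="$1"; algo="${2:-sha256}"
  digest=$(openssl dgst -"$algo" -binary "$file" | openssl base64 -A)
  printf '%s-%s\n' "$algo" "$digest"
}

# sri_verify FILE EXPECTED: succeed only if FILE still matches EXPECTED.
# This is the same comparison the browser makes before executing the script.
sri_verify() {
  expected="$2"
  algo="${expected%%-*}"          # "sha256-..." -> "sha256"
  actual=$(sri_hash "$1" "$algo")
  [ "$actual" = "$expected" ]
}

# sri_script_tag URL INTEGRITY: print the tag to paste into the page.
sri_script_tag() {
  printf '<script src="%s" integrity="%s" crossorigin="anonymous"></script>\n' "$1" "$2"
}

# Stand-alone use: sh sri.sh vendor/jquery-3.4.1.min.js [URL]
if [ $# -gt 0 ]; then
  h=$(sri_hash "$1")
  sri_script_tag "${2:-/assets/$(basename "$1")}" "$h"
  sri_verify "$1" "$h" && echo "local copy verified OK"
fi
```

Re-running `sri_verify` against the value you recorded when vendoring a library tells you whether the hosted copy has changed since; a mismatch is exactly what the browser would reject.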