Vulnerabilities are a fact of developer life. There really is no way to avoid them, but that doesn’t mean you can ignore them. Somewhere in the back of your mind, you know that when you import a package, you’re invariably importing its vulnerabilities — and its dependencies’ vulnerabilities, as well.
Traditionally, non-critical vulnerabilities in the development environment have rarely been concerning. But with an increasing rate of cyberattacks on development and test environments, organizations are beginning to take the security of their non-production environments as seriously as their production environments.
More and more developers are turning to Python to help them solve a broadening range of use cases, and finding more and more bugs and vulnerabilities in the process. Simply put, with increased use, more issues come to light. Although many Python packages and tools are well-coded and well-maintained, and exhibit few or no issues, others are not so robust.
For example, SafetyDB cites the following known vulnerability counts:
- Django (web framework): 119
- Pillow (image processing library): 46
- Plone (content management system): 38
- TensorFlow and TensorFlow-directml (ML and deep learning framework): 301
- Tutor (learning platform): 21
- OpenSSL (SSL encryption library): 7 vulnerabilities discovered this year alone
While these vulnerabilities are often just the result of bugs and poor coding practices, given the rise in Python supply chain attacks, some may also be from malicious actors inserting compromised code.
As a Python developer, you can’t always avoid using some packages — even when you know they’re vulnerable. For example, perhaps you want to train a deep learning model for a classification task. Without TensorFlow, you must create your algorithm from scratch, wasting time better spent improving your model.
Given the mounting threat from these vulnerabilities, developers should take steps to make projects less susceptible, including:
- Using the latest package version
- Assessing known vulnerabilities’ severity, and understanding how they affect your product
- Employing package management tools to quickly resolve vulnerabilities
Let’s break down these best practices to explore how you can work more securely without derailing your sprint deliverables.
Starting Secure
It’s best practice to start with a secure environment. It’s not always possible, but starting with the latest stable version of Python and required packages is the first step.
If the latest Python version is a minor release, it should be fine to use. Major releases are a different story, as there’s a higher chance of severe bugs and vulnerabilities will be unknown.
Some organizations prefer to wait before adopting the most recent version, so check that it’s acceptable for you to use updates immediately. Plus, be aware of the tradeoffs: gaining potentially improved security and features from the new version means giving up the relative certainty that comes with the old version.
When it comes to packages, the best practice is to use signed components from legitimate sources. Installing components directly from public repositories can be risky since they are prebuilt but unsigned, so they may contain compromised code. In any case, always ensure you download external code from secure links.
It’s also safer to choose frequently-updated packages that offer quick bug fixes, if possible, as it’s less likely your project will be exposed to a vulnerability for long. Of course, that also means implementing best practices for how often you upgrade packages. Consider establishing a policy around how long you’re willing to wait for a new version versus patching.
Speaking of patching, consider deploying a virtual patch if you need to use an older version with an unpatched vulnerability. Then, as your development progresses, make sure you remove packages and files that you don’t use.
Assessing the Severity of Known Vulnerabilities
The Common Vulnerability Scoring System (CVSS) scores vulnerabilities as one of:
- Low (score = 0.1-3.9)
- Medium (score = 4.0-6.9)
- High (score = 7.0-8.9)
- Critical (score = 9.0-10)
But vulnerabilities with the same score don’t always pose the same threat. Some vulnerabilities result from code errors affecting the runtime, while others, like hidden backdoors, can compromise your project’s integrity. You should understand which type of vulnerability you’re facing.
To figure out how and just how badly the vulnerabilities affect your project, you’ll need to investigate each vulnerability individually instead of making a judgment call based on the number of Common Vulnerabilities and Exposures (CVE) alone. Heavily-used packages like Django and TensorFlow tend to have a high vulnerability count because they’re employed in numerous use cases by many users who notice and report problems quickly. The takeaway is that switching in less-popular packages because they have a lower CVE count won’t necessarily make your product less vulnerable.
Once you know the vulnerabilities affecting your packages and have determined if they affect your product, you’ll need to determine how best to deal with them. Your organization likely already has a policy on remediating vulnerabilities, typically according to CVSS severity level and product risk. If you find that a package is unacceptably risky, you may need to look for alternatives.
But even if you can’t picture how known vulnerabilities may affect your use case, you should still proceed with caution.
Using Tools to Manage Your Vulnerabilities
When it comes to vulnerabilities, organizations can choose from dozens of third-party tools to stay abreast of emerging threats. These tools provide timely warnings and even suggest secure upgrade options. Typically, they offer the ability to:
- Stay informed about reported vulnerabilities on platforms like CVE Details and the National Vulnerability Database (NVD).
- Understand the threat of your Python dependencies. You must keep a consistently up-to-date inventory of every package and tool that you use, as well as their dependencies. This information should include both your client and server-side components and transitive dependencies.
- Understand if patches or upgrade versions exist to resolve the threat
However, none of these tools provide the ability to remediate the vulnerability then rebuild, test, and redeploy your environment. These are all necessary steps, but they’re time and resource-intensive, which is why most organizations only address critical vulnerabilities, and even then only in production environments.
ActiveState offers a cloud-based all-in-one package management solution to help you gain overarching visibility into your project’s vulnerabilities while innovatively managing your Python project’s packages and dependencies.
The ActiveState Platform automatically builds Python runtime environments from source code, including linked C and Fortran libraries, thereby providing enhanced security over installing prebuilt packages. Then, it checks all your dependencies (including transitive and shared dependencies) for vulnerabilities.
If the ActiveState Platform finds vulnerabilities, it flags them within the product and notifies you out-of-band by email. More importantly, it helps you efficiently remediate vulnerabilities and automatically rebuild a secure version of your environment in minutes. You can then update each affected environment across dev, test, and your CI/CD pipeline using a single command.
Conclusions – Automate Vulnerability Remediation
As more and more malicious actors target non-production environments, developers must learn to keep all their development environments secure. But without automating vulnerability remediation, the productivity costs will be just too high.
Luckily, you can employ some quick and easy solutions to keep your projects secure:
- Work with the latest Python and package version
- Understand the vulnerabilities present and how they affect your project
- Use package management tools like the ActiveState Platform to automatically remediate, rebuild, and redeploy secure runtimes to your dev, test, and CI/CD environments
You don’t have to manage vulnerabilities and exposures alone. Learn more about ActiveState’s innovative package management solution and sign up to try it out yourself for free.
If you’re interested in developing expert technical content that performs, let’s have a conversation today.
