Silverstripe CMS supports developers in secure coding practices and website owners in running secure websites and applications. A big part of this is rigour around security releases of our supported modules and communicating the impact of any vulnerabilities found there (see last year’s blog post: A better security classification for supported modules). But any website built on our CMS will also pull in community modules, other dependencies not managed by us, and dependencies which aren’t even in the PHP ecosystem. These are not covered by our releases or announcements, so what are your options to keep your sites secure across all of this?
Silverstripe CMS Maintenance Module
https://github.com/bringyourownideas/silverstripe-maintenance
The bringyourownideas/silverstripe-maintenance module periodically checks the PHP packages installed on your website (including Silverstripe CMS modules) against known security vulnerabilities. It relies on the FriendsOfPHP security advisories database, to which our supported modules publish their vulnerabilities.
- Pro: Visible to non-technical users in the CMS user interface.
- Con: Limited to PHP dependencies (excl. NPM/JS)
- Con: No notification abilities; requires manual checks in the CMS
GitHub Dependabot
https://github.com/security
GitHub auto-discovers dependencies for various languages in repositories hosted there, incl. Packagist/PHP and NPM/JS. You can opt-in to receive notifications about known vulnerabilities (docs).
- Pro: Can auto-create pull requests for many checks
- Pro: Provides notifications (via web or email)
- Pro: Imports multiple vulnerability sources, incl. FriendsOfPHP and NVD/CVE
- Con: Does not provide full coverage of the FriendsOfPHP security issues database: only a fraction of our vulnerabilities are exposed there. We’re working with GitHub to increase this, but given it’s a free service they are not committing to timeframes.
- Con: Only works with GitHub repositories
Symfony Security Monitoring Service
https://security.symfony.com
The Symfony open source project operates a vulnerability monitoring service where you upload a composer.lock file, and it’ll send you email notifications about new vulnerabilities for the next three years. They take a small fee for this service, but we think it’s a great way to stay secure and support a great project. Silverstripe CMS also relies heavily on the great modules produced by Symfony.
- Pro: Very convenient email updates
- Pro: Provides full coverage of Silverstripe vulnerabilities (through FriendsOfPHP database)
- Pro: Supports open source development!
- Con: Limited to PHP dependencies (excl. NPM/JS)
SensioLabs Security Checker CLI
https://github.com/sensiolabs/security-checker
A CLI tool that uses the same vulnerability database (FriendsOfPHP).
- Pro: Flexible workflow, can integrate into any CI process (including a convenient GitHub Action)
- Pro: Provides full coverage of Silverstripe vulnerabilities (through FriendsOfPHP database)
- Con: Limited to PHP dependencies (excl. NPM/JS)
- Con: Needs setting up to run periodically; it’s not enough to run this only on CI builds triggered by new code changes, because new advisories appear without any change to your code
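The maintenance module, the security-checker CLI and the Symfony monitoring service all do the same thing underneath: take the exact versions pinned in composer.lock and compare them against the version ranges in the FriendsOfPHP advisory entries. The script below is an added example of that core check, written for this post; it is not code from Silverstripe, from any of the tools listed here, or from the FriendsOfPHP project. The composer.lock excerpt and the three advisories are constructed sample data (placeholder `acme/*` packages, no real vulnerabilities), shaped like the real files: a lock file is JSON with `packages` and `packages-dev` arrays, and an advisory carries a `composer://vendor/name` reference plus per-branch `versions` constraints that are ANDed together. Constraint handling is deliberately simplified to plain comparison operators; real composer ranges (`^`, `~`, `||`, stability flags) need Composer’s own parser.

```python
"""Check a composer.lock against FriendsOfPHP-style security advisories.

Added example, not code from the Silverstripe project or the tools discussed.
All sample data below is constructed for illustration.
"""
import json
import re
from dataclasses import dataclass

# Constructed composer.lock excerpt: only the fields the check needs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/widgets", "version": "v2.3.1"},
        {"name": "acme/auth", "version": "1.9.0"},
        {"name": "acme/logger", "version": "3.0.0"},
    ],
    "packages-dev": [
        {"name": "acme/testing", "version": "0.4.2"},
    ],
})

# Constructed advisories in the shape of FriendsOfPHP security-advisories
# YAML entries, already parsed into dicts so no YAML library is needed.
# Within one branch the 'versions' constraints must all hold (AND).
SAMPLE_ADVISORIES = [
    {
        "title": "Constructed example: widget output is not escaped",
        "reference": "composer://acme/widgets",
        "branches": {
            "2.x": {"versions": [">=2.0.0", "<2.3.2"]},
            "1.x": {"versions": [">=1.0.0", "<1.8.4"]},
        },
    },
    {
        "title": "Constructed example: session fixation in login flow",
        "reference": "composer://acme/auth",
        "branches": {"1.x": {"versions": [">=1.0.0", "<1.9.0"]}},
    },
    {
        "title": "Constructed example: dev tool writes world-readable temp files",
        "reference": "composer://acme/testing",
        "branches": {"0.x": {"versions": ["<0.5.0"]}},
    },
]

# One comparison constraint: optional operator, optional leading 'v', digits.
_CONSTRAINT = re.compile(r"^(>=|<=|!=|==|>|<|=)?\s*v?(\d+(?:\.\d+)*)$")

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "!=": lambda a, b: a != b,
    "==": lambda a, b: a == b,
    "=": lambda a, b: a == b,
    None: lambda a, b: a == b,
}


def normalize(version: str) -> tuple:
    """Turn 'v2.3.1', '1.9' or '3.0.0.0' into a comparable 4-int tuple,
    mirroring Composer's padding to four components. Stability suffixes
    such as '-beta1' are dropped here; a production checker must honour them."""
    core = re.split(r"[-+@]", version.lstrip("vV"), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def satisfies(version: str, constraint: str) -> bool:
    """True if `version` matches a single comparison constraint like '<2.3.2'."""
    m = _CONSTRAINT.match(constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op, bound = m.groups()
    return _OPS[op](normalize(version), normalize(bound))


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    branch: str
    title: str


def installed_packages(lock_json: str, include_dev: bool = True) -> dict:
    """Map package name -> pinned version from composer.lock contents."""
    lock = json.loads(lock_json)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    return {p["name"]: p["version"] for s in sections for p in lock.get(s, [])}


def check_lock(lock_json: str, advisories: list, include_dev: bool = True) -> list:
    """Return one Finding per (package, advisory branch) whose range contains
    the installed version. 'dev-*' versions are skipped: they have no number
    to compare, so they need a separate, commit-based check."""
    installed = installed_packages(lock_json, include_dev)
    findings = []
    for adv in advisories:
        name = adv["reference"].split("composer://", 1)[-1]
        version = installed.get(name)
        if version is None or version.startswith("dev-"):
            continue
        for branch, spec in adv["branches"].items():
            if all(satisfies(version, c) for c in spec["versions"]):
                findings.append(Finding(name, version, branch, adv["title"]))
    return findings


if __name__ == "__main__":
    for f in check_lock(SAMPLE_LOCK, SAMPLE_ADVISORIES):
        print(f"{f.package} {f.installed} is affected ({f.branch}): {f.title}")
```

Two details worth noticing in the sample run: `acme/auth` at 1.9.0 is not reported because the advisory’s upper bound `<1.9.0` is exclusive, which is exactly how a fixed release drops out of the affected range, and `acme/testing` is only reported when dev packages are included, which is the choice you make when deciding whether a CI-only dependency counts as production risk. Whatever tool you end up using, the advisory side of the comparison changes without any commit to your repository, so the check has to run on a schedule (a cron trigger in CI, for example) against a freshly updated copy of the advisory database, not just on pushes.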
Snyk Intel Vulnerability Database
https://snyk.io/product/vulnerability-database/
Snyk is a security-focused service aiming to empower developers with trusted data and insights about open source code. They pride themselves on fast detection of newly disclosed vulnerabilities across the various databases and claim to have the best coverage across them. Searching for “silverstripe”, Snyk appears to cover the vulnerabilities we disclose through the FriendsOfPHP database.
- Pro: Free for 200 checks per month on private repositories
- Pro: More comprehensive security offering and service levels
- Pro: Better reporting across projects (all other tools here rely on per-project views)
- Con: Relies on a correct import process from the FriendsOfPHP and CVE databases (same as GitHub Dependabot)
- Con: Expensive beyond the free checks. It’s hard to compete with “free”, of course. We believe Snyk is providing a valuable service that is worth paying for.
In conclusion, there are a lot of tools to help your website stay secure, and they are vastly cheaper and more accessible than even a few years ago. Some of them are just a click away on tools you already use. It comes down to choosing to pay attention and creating processes within your team.
Here’s a handy overview of the different options: