Security tools inspired by recent case where a package maintainer went rogue

JavaScript developers will be better equipped to prevent malicious packages from slipping into their applications thanks to a trio of tools released by JFrog, the software company claims.

The tools – npm-secure-install, package-checker, and npm_issues_statistic – are designed to address some of the thorniest security problems of using open-source software packages.

Among other things, they validate whether package versions can be trusted, secure installations, and monitor applications for potentially troublesome components.

Security trade-offs

Providing millions of open source JavaScript packages, NPM and has become a cornerstone of JavaScript application development.

However, the convenience of using open source packages comes with some security trade-offs. Recent security incidents involving vulnerabilities in open source software have raised concerns about who should take responsibility for controlling and securing the code of these packages and how.

The development of the new JFrog NPM security tools was prompted by a recent incident in which a developer intentionally made changes to two NPM packages and rendered them useless, which disrupted the applications that depended on them.


RELATED Open Source Security Foundation launches initiative to stem tide of software supply chain attacks


“This incident simply drew attention to the larger discussion taking place in the industry around software supply chain security in the modern software development world,” Ilya Khivrich, senior director of advanced technologies at JFrog Security Research, told The Daily Swig.

Developers often blindly trust NPM packages, while in many cases development tools pull code from them and integrate it into applications without the developer being aware. Those applications will thus inherit any vulnerabilities the packages contain.

Package-json.lock, a specification file that forces JavaScript applications to use a specific version of an NPM dependency, is highly recommended both for stability and security purposes. However, under certain circumstances this functionality can be circumvented and cause applications to run a malicious version of the package.

Jfrog-npm-tools

JFrog’s new suite of security tools is meant to secure the supply chain in regards to NPM dependencies. Package-checker verifies whether a specific version of an NPM package can be trusted. It looks for signs of packages used in supply-chain attacks and can identify potential risks with newly released versions.

Npm-secure-install, meanwhile, is a package installer that enforces secure practices, such as preventing global installation of packages unless they contain npm-shrinkwrap.json, a specification that ensures everyone gets the same version of all dependencies.


Read more of the latest DevSecOps news


And npm_issues_statistics monitors applications for problematic packages before they are reported to have breaking changes in updated versions.

“Of the three tools, two can be used directly in the development lifecycle,” Khivrich said. “Npm-secure-install may be directly used by the developers as a drop-in replacement for npm-install, and package_checker may be used either manually or automatically when the developer decides to bump the used dependency version.”

Npm_issues_statistics can be used when upgrading the dependencies as well, “but in this case only manually and not as a part of an automated process,” Khivrich added.

JFrog is considering integrating these and similar capabilities into its CLI tool to ensure the secure management of NPM repositories.

“Whether or not the tools will be maintained as a part of the JFrog CLI or in standalone form, we plan to improve the tools further and expand the set of intuitive shortcuts that facilitate problem-solving and probability judgments,” Khivrich said.


YOU MIGHT ALSO LIKE SnapFuzz: New fuzzing tool speeds up testing of network applications