How to address security in white label software
-
I just started working with a business that made a web application that has a Node.js/Express.js backend API and a React front end. The business wants to sell its software as a white label solution to some enterprise-sized businesses. My manager says that the customers will be expecting a detailed report to convince them that our solution is "secure". I need to determine steps to producing such a security report. My first thoughts are to follow these steps:

1. Run the npm audit command on our backend and front end projects to identify all known vulnerabilities, and then fix them according to recommended approaches I read about on the internet. This step has been done. The npm audit command shows no vulnerabilities or issues of any kind.
2. We upload our code as Docker images to dockerhub.com. Docker Hub shows a list of vulnerabilities for us to address. I am currently in this step, and I have some issues which I will elaborate further down in this post.
3. Hire a 3rd-party cyber security firm to test our solution. This firm will give us a report of issues to address.

That's my overall plan. However, I am currently stuck on step 2. Docker Hub is showing me MANY Critical and High priority vulnerabilities such as the following:

CVE-2021-44906 - An Uncontrolled Resource Consumption flaw was found in minimist. https://access.redhat.com/security/cve/cve-2021-44906
CVE-2022-37434 - zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. https://nvd.nist.gov/vuln/detail/CVE-2022-37434
...etc...

According to Docker Hub, there are about 100 of these types of vulnerabilities, where maybe 10% are critical, 15% are high, and the rest are medium or low. These issues look very difficult to address, because they are used by modules of modules that I don't directly access in my own software. Trying to replace these modules of modules basically means a complete rewrite of our software to not depend on ANY open source solutions at all! And I'm sure if I were to scan packages with another type of scanner, different sets of vulnerabilities would be exposed. And I haven't even gotten to step 3 yet.

So this got me wondering... how do other organizations selling white labelled solutions go about disclosing vulnerabilities to their end clients, and how do they protect themselves? I started thinking that maybe I don't have to deal with every single security vulnerability that exists. Instead, I should only address security issues that I am confi
-
(Duplicate post). If you're getting a "third party" to "certify" your software, you should be consulting with them, not the public.
"Before entering on an understanding, I have meditated for a long time, and have foreseen what might happen. It is not genius which reveals to me suddenly, secretly, what I have to say or to do in a circumstance unexpected by other people; it is reflection, it is meditation." - Napoleon I
-
mozilly wrote:
My first thoughts are to follow these steps:
That is not how you go about it. That is like attempting to write code when you do not even know what the requirements are.
mozilly wrote:
My manager says that the customers
Any larger company will expect this. Mid-size are also likely. Depending on the business domain every customer might require it.
mozilly wrote:
what steps should a team take to address security concerns
Obviously application security is a part of it. But also company security. Large companies will require 3rd-party security audits. Smaller ones might also.

Steps:
1 - Investigate various parts of security needed.
2 - Software security.
3 - Employee training.
4 - Employee access. And specifically how access is turned off when an employee exits the company, and who has access to what.
5 - Reviewing code for security vulnerabilities - specifically. Tools and manual.
6 - 3rd-party audits.
7 - A DOCUMENTED Security Plan for the company. That includes all of the above.
8 - DOCUMENT all of the steps taken (which would be in the Security Plan). You will need to track where those documents live.
9 - The Security Plan must include how to DOCUMENT exceptions to the plan and solutions to problems discovered.
10 - One or more people assigned to the role of ensuring that the Security Plan is followed.

3rd-party audits will likely look at all of the above. People tend to skip 9 because they think/claim that those will not occur. Then when they do, they don't have any way to deal with it and thus end up ignoring the issue.
-
Updated software across all operating systems is the only way to ensure your white label product is secure on every level. At BaseKit, we protect underlying operating systems using automated tools to monitor for vulnerabilities in software libraries.