Code Security Testing

Dependency vulnerabilities

All our repos depend on other libraries, both front-end and back-end. Vulnerabilities in those libraries can make the applications we build vulnerable too.

To identify these risks, we give GitHub's Dependabot access to all our repos so it can scan for known vulnerable versions of libraries.

These are flagged in a weekly email and in the repo:

[Image: Dependabot alert in a GitHub repo]

These alerts might not be visible to all users, depending on their permissions, so we may need to adjust visibility as we go.

Responding to security vulnerabilities

Most identified vulnerabilities can be patched without any breaking changes to the application. These patches should always be applied as the first commit of any sprint.

When a patch would cause a breaking change, it should be flagged to the Product Owner for discussion with the client. The severity of the vulnerability, and the realistic opportunity for someone to exploit it given how we use the dependency, will need to be assessed.

Manual assessment

Some third-party libraries are added to projects without using a package manager. Dependabot will not pick these up, so it is necessary to manually verify that the versions in use have no known vulnerabilities.
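As an added example to support that manual check (not part of this guidance or of Dependabot), the script below walks a repo and lists the name and version of each script or stylesheet that was copied in rather than declared in a manifest, so the list can be compared against an advisory database. The banner and filename conventions it relies on, and the directories it skips, are assumptions about common practice.

```python
"""Inventory libraries copied into a repo without a package manager.

Added example, not project code. Dependabot only sees dependencies declared
in a manifest (package.json, requirements.txt, ...), so a hand-copied
jquery.min.js is invisible to it. For each script or stylesheet this recovers
the library name and version from the filename or the version banner that
minified builds usually carry. Files with no recognisable version are
reported as UNKNOWN rather than silently skipped, so they still get triaged.
"""
import os
import re
from typing import List, Optional, Tuple

# Assumed banner conventions: "jQuery v3.5.1", "Bootstrap v4.6.0", "@version 1.13.2".
BANNER_RE = re.compile(r"(?:\bv|\bversion\s*[:=]?\s*)(\d+\.\d+(?:\.\d+)?)", re.I)
EXT_RE = re.compile(r"(\.min)?\.(js|css)$", re.I)
# Directories a package manager owns; Dependabot already covers those.
SKIP_DIRS = {".git", "node_modules", "bower_components"}


def banner_version(header: str) -> Optional[str]:
    """Version from the leading comment of a library file, or None."""
    m = BANNER_RE.search(header)
    return m.group(1) if m else None


def filename_version(filename: str) -> Optional[str]:
    """jquery-3.5.1.min.js -> '3.5.1'; bootstrap.bundle.min.css -> None."""
    m = re.search(r"[-_.]v?(\d+\.\d+(?:\.\d+)?)(?=[-_.]|$)", EXT_RE.sub("", filename))
    return m.group(1) if m else None


def library_name(filename: str) -> str:
    """jquery-3.5.1.min.js -> 'jquery' (extension and version suffix stripped)."""
    return re.sub(r"[-_.]v?\d+(\.\d+)*$", "", EXT_RE.sub("", filename)).lower()


def describe(path: str, header: str) -> Tuple[str, str, str]:
    """(path, library, version): banner first, then filename, else UNKNOWN."""
    name = os.path.basename(path)
    version = banner_version(header) or filename_version(name) or "UNKNOWN"
    return (path, library_name(name), version)


def inventory(root: str, exts=(".js", ".css")) -> List[Tuple[str, str, str]]:
    """Walk root, skipping package-managed directories, and describe each asset."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in sorted(filenames):
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    header = fh.read(2048)  # banners sit in the first comment
                found.append(describe(path, header))
    return found


if __name__ == "__main__":
    import sys
    for path, lib, ver in inventory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{lib:<24}{ver:<12}{path}")
```

First-party assets will appear in the output as well, usually as UNKNOWN; the point is a complete list to triage, not an automatic verdict.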