Proactively fixing vulnerabilities to maintain Java security and project hygiene with Snyk

As a developer, I spend a lot of time in my GitHub account. I write apps, little utilities, and proof of concepts for when I am learning something new. I like to think that, because I spend a lot of time on GitHub, the overall health of my account is pretty high. I pay attention to important things like having Yubikey based 2FA enabled on my account, making sure I don’t commit secrets or sensitive files, and regularly reviewing my account for GitHub security best practices for open source projects.

Checkpoint! Did you enable two-factor authentication in your source code repository? Another way you can level up as a security champion is by following secure code reviews.

However, just like the health and hygiene of any system, it is not only based on the things we actively do, but also things that might not be as apparent to us. This is particularly important for those repositories we are no longer working on. Even though that code stays static and might not be our primary focus, the world around us continues to move forwards and people we have never met will find those repositories and potentially use our code to learn from or as the basis for code they are writing today.

It is because of this that, we as developers, have a responsibility to make sure the code we write is the best it can be, not just at the time we wrote it but for the duration that code is available in our repositories.

Like I said above, the world moves on around our code. New versions of the dependencies we use are released and security issues are found in older versions of the frameworks and libraries we depend on. While always moving to the latest versions can have its own set of issues, we need to find a way to make these changes visible to us on an ongoing basis so we can give our repositories the love they need to stay up to date and secure.

Tip: If you’re a fan of GitHub Actions and built-in security for your repository’s code changes you might want to take a read on GitHub Security Code Scanning.

Vulnerability management is a world of its own with processes, standards, and tools that help create a better security posture for organizations. If you’re interested in further details on how to achieve that for legacy Java projects you maintain, as well as for streamlining a good security outlook we recommend reading up on vulnerability remediation process.

Finding and fixing vulnerabilities in legacy Java projects

This is where Snyk comes in. Snyk makes the otherwise invisible, both visible and actionable.  Allowing Snyk to monitor your repositories (whether that be in GitHub, GitLab, Bitbucket, or Azure) gives you the information you need to take action and keep your code secure. It does this in a number of ways:

• Reporting on vulnerabilities found in the frameworks and libraries we depend on

• Notifying us of new versions in the dependencies we use

Connecting Snyk to your account can be an eye-opening experience. I started out with the free Snyk plan and let it run over a few of my repositories. I was immediately presented with a number of High and Medium severity issues with some of my older Spring Boot apps. The sole reason for these issues was the apps being built with an older release of Spring Boot and I hadn’t had a reason to update them.

Thankfully, the fix was to simply update the version of Sprint Boot I was using, retest the application and push the change.

Obviously, it would be great if we could simply keep the dependencies in our applications up to date as a matter of course. This is where Snyk helps with our second point up above. Snyk not only informs us about when a new dependency version has been found, but it can also create a pull request on our repositories ready for us to review and test:

We can only improve the health and security of our GitHub accounts when we have visibility of all the factors that impact that health and hygiene. When the invisible becomes visible we can take corrective action and then maintain that action over the lifetime of our code. Snyk supports this by integrating with the tools we use on a daily basis and giving us the knowledge we need to decide what action to take. All while automating the parts that can be automated.

More Java security resources

I hope you found this post helpful for keeping your old projects maintained and secure. If you’re a Java developer and wish to level up your security game, here are a few resources you’ll find useful:

1. Java Security Explained

2. 10 best practices to build a Java container with Docker

3. Brian Vermeer and Jim Manico from OWASP have authored this great €‹ €‹10 Java security best practices

4. And finally, are you practicing secure deserialization coding practices? If you’re not sure, we recommend you browse through Vermeer’s Serialization and deserialization in Java: explaining the Java deserialize vulnerability.