Unit 1
Collaborative discussion post
Open source tools are available to create UML diagrams, some are listed below. This list is not exhaustive. The benefit of using such tools is that they ensure that the recognised UML components are used to represent the parts of the model correctly.
Choose an open-source UML tool from the list above. Select one of the coding weaknesses which have been identified by OWASP and create a flowchart of the steps which may have led to the weakness occurring. Which UML models might you use to present the design of your proposed software, and why are they the most appropriate choice(s)?
Open Web Application Security Project (OWASP) in its latest revision lists the ten most critical security risks that might affect software systems (OWASP Top 10 team, 2021b). From all of them, I’d like to take a closer look at A06: Vulnerable and Outdated Components.
A06 doesn’t focus on a software product’s functionality itself, but rather on the practice of using external libraries during development. These dependencies can introduce new attack vectors and compromise the integrity of the final product (OWASP Top 10 team, 2021a). Unlike most other risks, A06 affects not only end users and system operators, but also developers. If a dependency contains vulnerable or malicious code, it could be executed on development machines.
There are different ways in which vulnerabilities described in A06 can occur. One of them is accidental like the Heartbleed bug in the cryptographic library OpenSSL. Introduced unintentionally by a contributor to the library and missed during code review, this flaw exposed a vast number of servers worldwide and led to significant costs to patch the issue (Durumeric et al., 2014; Hern, 2014).
Another scenario is a deliberate attack. For example, attackers have exploited the npm package manager by publishing typo-squatted packages. Developers who mistyped a command in the terminal would unknowingly install and run malicious code (Phylum Research, 2024). Malicious actors can also introduce backdoors into existing libraries, which then get installed during routine updates.
A good example for that is the XZ Utils backdoor incident. Over the course of a few years, a malicious actor known as “Jia Tan” gradually gained trust of the project maintainer Lasse Colin. Eventually, “Jia Tan” was granted permissions to edit the source code and release new versions of XZ Utils, thus allowing them to insert a backdoor to the library. This version was published, downloaded, and later included in some Linux distributions. Once installed, the modified version of the library allowed the perpetrators to run arbitrary code on affected machines (Lins et al., 2024). The following flowchart visualizes how the vulnerable package affects the software system.
Figure 1. Attack by means of a compromised library
A sequence diagram can help better illustrate how attacks similar to XZ Utils backdoor affect software solutions. It shows the interactions — or lack thereof — between developers, maintainers, attackers, and compromised components, highlighting how an impacted library can introduce an threat into otherwise secure piece of software with little to no developer involvement.
Figure 2. Events and actions that lead to compromising a software solution
OWASP suggests several strategies to mitigate A06 risks: regularly reviewing the dependencies and removing them once they are no longer necessary, staying up to date on the known vulnerabilities, and only using components from trusted sources (OWASP Top 10 team, 2021a). Many developer tools support dependency management and notify the developers once the packages get old or vulnerabilities are discovered (JetBrains, 2024; GitHub, no date). Other common practices include locking dependencies’ versions, verifying packages’ integrity by with checksums, and implementing proxy repositories (Palo Alto Networks, no date).
When working on a software solution, several UML models can aid in mitigating A06 risks. A component diagram can illustrate what external dependencies the modules of the solution require, thus allowing to understand the need for including each of them in the project. From the operational side of software development, if an organization has a policy and a process for evaluating new dependencies and their versions, an activity or a sequence diagram can document that workflow.
References
Durumeric, Z. et al. (2014) ‘The Matter of Heartbleed’, in Proceedings of the 2014 Conference on Internet Measurement Conference. IMC ’14: Internet Measurement Conference, Vancouver BC Canada: ACM, pp. 475–488. Available at: https://doi.org/10.1145/2663716.2663755.
GitHub (no date) About Dependabot alerts, GitHub Docs. Available at: https://docs-internal.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts (Accessed: 12 May 2025).
Hern, A. (2014) ‘Heartbleed: developer who introduced the error regrets “oversight”’, The Guardian, 11 April. Available at: https://www.theguardian.com/technology/2014/apr/11/heartbleed-developer-error-regrets-oversight (Accessed: 12 May 2025).
JetBrains (2024) Find vulnerable and malicious dependencies | IntelliJ IDEA Documentation, IntelliJ IDEA Help. Available at: https://www.jetbrains.com/help/idea/package-analysis.html (Accessed: 12 May 2025).
Lins, M. et al. (2024) ‘On the critical path to implant backdoors and the effectiveness of potential mitigation techniques: Early learnings from XZ’. arXiv. Available at: https://doi.org/10.48550/arXiv.2404.08987.
OWASP Top 10 team (2021a) A06 Vulnerable and Outdated Components - OWASP Top 10:2021. Available at: https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/ (Accessed: 11 May 2025).
OWASP Top 10 team (2021b) OWASP Top 10:2021. Available at: https://owasp.org/Top10/ (Accessed: 11 May 2025).
Palo Alto Networks (no date) What Is Dependency Chain Abuse?, Palo Alto Networks. Available at: https://www.paloaltonetworks.com/cyberpedia/dependency-chain-abuse-cicd-sec3 (Accessed: 12 May 2025).
Phylum Research (2024) Typosquat Campaign Targeting npm Developers, Phylum Research | Software Supply Chain Security. Available at: https://blog.phylum.io/supply-chain-security-typosquat-campaign-targeting-puppeteer-users/ (Accessed: 12 May 2025).