Our customer will use the Node.js/JavaScript SDK to integrate their CRM with Genesys Cloud (from the client side/browser), to receive conversation events (via the Notification API websocket) – for implementing use cases like keeping the CRM screen in sync with the profile of the customer connected to the agent in Genesys Cloud. Our customer is interested in understanding our process for managing security and dependency vulnerabilities within the Node.js/JavaScript SDK. Specifically, they want to know how we identify, assess, and mitigate risks associated with security vulnerabilities or deprecations in our direct and transitive dependencies, i.e. if our Platform API Client SDK for Node.js is using a package or library which is deprecated or for which some vulnerability is detected, what are our practices for identifying & updating the SDK and its dependencies to maintain compatibility and address security concerns.
Hi Fais,
Our SDKs are scanned internally with vulnerability scanning software to identify vulnerabilities. When these vulnerabilities are identified we mitigate them. Sometimes, a vulnerability is not identified (e.g., we use different scanning methods than the customer does) and a customer's system identifies the issue. The customer can then raise a support ticket and we will determine if the vulnerability applies to us.
A couple of things to note:
- Our SDKs are open source, so if you feel there is a dependency that triggers a security check and we disagree, you are welcome to fork our SDKs and apply the fix.
- Our SDKs are pretty lightweight wrappers around the API calls. There is very little business logic in them, and if there is a situation where you feel the SDKs have an issue that is out of line with your needs, you can still directly call our REST APIs.
I hope that provides some clarification.
Thanks,
John Carnell
Director, Developer Engagement
Which type of vulnerability scanning is performed on the SDKs: Static application security testing (SAST) or Dynamic application security testing (DAST)?
Thanks @John_Carnell for your prompt response - I have shared this with the customer - and will update in case I have additional queries.
I have one follow-up question - do we know which Node.js packages we bundle in the minified JS https://sdk-cdn.mypurecloud.com/javascript/latest/purecloud-platform-client-v2.min.js
- The ones we externalize can be found from platform-client-sdk-javascript/build/rollup-cjs-for-browserify.config.js at master · MyPureCloud/platform-client-sdk-javascript · GitHub
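One way to answer the "what ends up inside the minified file" question for any build is to walk the lockfile from the root package and partition the reachable runtime dependencies by the bundler's `external` list. The script below is an added example, not code from the SDK project; the lockfile contents, package names and the externals list are all constructed stand-ins.

```javascript
// Added example (not Genesys SDK code): given a constructed package-lock.json (lockfile v2/v3
// "packages" map) and the modules a rollup build marks as external, report which direct and
// transitive runtime dependencies would be inlined into a browser bundle, which stay external,
// and which carry a deprecation notice. All names and versions below are constructed.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "sdk-core": "^1.0.0", "ws-shim": "^2.0.0" } },
    "node_modules/sdk-core": { version: "1.0.0", dependencies: { "tiny-util": "^0.1.0", "legacy-lib": "^3.1.0" } },
    "node_modules/ws-shim": { version: "2.0.0", dependencies: { "tiny-util": "^0.1.0" } },
    "node_modules/tiny-util": { version: "0.1.0" },
    "node_modules/legacy-lib": { version: "3.1.0", deprecated: "no longer maintained" },
    "node_modules/dev-only-tool": { version: "9.9.9", dev: true },
  },
};
// Constructed stand-in for the `external` array a rollup config would declare.
const SAMPLE_EXTERNALS = ["ws-shim"];

// Depth-first walk from the root package's runtime dependencies. An external module is recorded
// but not descended into, because the bundler emits a require() for it instead of inlining its
// code or its own dependencies. Nested node_modules paths are not modelled in this sample lock.
function collectRuntimeDeps(lock, externals) {
  const pkgs = lock.packages;
  const seen = new Map();
  const stack = Object.keys(pkgs[""].dependencies || {});
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    const entry = pkgs[`node_modules/${name}`];
    if (!entry || entry.dev) continue; // dev guard: devDependencies are never bundled
    const isExternal = externals.includes(name);
    seen.set(name, { version: entry.version, deprecated: entry.deprecated || null, isExternal });
    if (!isExternal) stack.push(...Object.keys(entry.dependencies || {}));
  }
  return seen;
}

// Partition the reachable set into bundled vs external and surface deprecation notices,
// returning sorted "name@version" lists so the result is stable for review or CI checks.
function classifyBundle(lock, externals) {
  const result = { bundled: [], external: [], deprecated: [] };
  for (const [name, info] of collectRuntimeDeps(lock, externals)) {
    const id = `${name}@${info.version}`;
    (info.isExternal ? result.external : result.bundled).push(id);
    if (info.deprecated) result.deprecated.push(`${id}: ${info.deprecated}`);
  }
  for (const key of Object.keys(result)) result[key].sort();
  return result;
}
```

Run against a real package-lock.json and the project's actual `external` array, the `bundled` list is the set a vulnerability scan of the minified artifact has to cover, while `deprecated` entries are the ones worth raising in a support ticket.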