
Daniel Ovaska
Jun 27, 2024

Keeping the website secure by updating external packages

Did you see the latest release note from Optimizely asking you to update this package because of a critical security vulnerability?

https://world.optimizely.com/documentation/Release-Notes/ReleaseNote/?releaseNoteId=CMS-33553

No? 

Vulnerable and outdated third-party components, such as NuGet packages or npm modules, are one of the OWASP Top 10 risks for web applications (A06:2021, "Vulnerable and Outdated Components").

What makes this even more serious is that attackers can scan a website for known vulnerable component versions with off-the-shelf tooling, and a public advisory usually comes with a public exploit, so these vulnerabilities are routinely used to compromise websites.

Fortunately the tools to keep a website up to date already exist; what is usually lacking is the process, and that process must be agreed upon with stakeholders so that time is budgeted for it. Stakeholders and product owners are typically focused on new features, and it is easy to fall behind on non-functional requirements like performance and security if they are not part of the development process. One way is to allocate a fixed share, say 25% of development time, to these areas and let the development team and tech lead suggest the best bang for the buck within it.

For an ordinary Optimizely website I recommend the following structured approach to securing third-party packages, integrated into your development process:

  1. Update all Optimizely packages to the latest minor version at least every 6 months.
  2. Use the Visual Studio 2022 NuGet package manager (or `dotnet list package --vulnerable` from the command line) to locate any other vulnerable .NET packages.
    The package manager has a checkbox that filters the list to vulnerable packages only.
  3. Use `npm audit` to get a list of vulnerable frontend packages.
  4. Update at least every package with a finding of moderate or higher severity.

For more security-sensitive websites I recommend the more ambitious process:

  1. Update all Optimizely packages to the latest minor version at the start of every sprint, or every month.
  2. Use the Visual Studio 2022 NuGet package manager (or `dotnet list package --vulnerable` from the command line) to locate any other vulnerable .NET packages.
    The package manager has a checkbox that filters the list to vulnerable packages only.
  3. Use `npm audit` to get a list of vulnerable frontend packages.
  4. Update all vulnerable packages, regardless of severity.
  5. Use GitHub Advanced Security for Azure DevOps or a similar code scanner in the build pipeline.
    Set it up as a separate pipeline and run it manually before every deploy.
    For really large solutions it may require build agents with more than the normal amount of disk space, I've noticed.
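Steps 2 to 4 of both lists are easy to automate as a gate in the build pipeline, so that a finding at or above the agreed severity fails the build instead of waiting for someone to open Visual Studio. The script below is an added example written for this article; it is not Optimizely's code or part of either tool. It parses the JSON that `dotnet list package --vulnerable --include-transitive --format json` (.NET 8 SDK and later) and `npm audit --json` (npm 7 and later) print, merges the findings onto one severity scale and exits non-zero when anything meets the threshold. The two sample reports embedded in it are constructed in the shape of those tools' output with made-up package names and advisory URLs, so it can be exercised offline; the field names are the ones I have seen in those reports and are an assumption for any other tool version.

```python
"""Dependency gate: fail the build when NuGet or npm packages carry vulnerabilities
at or above a threshold. Example code for this article, not part of any product."""
import json
import subprocess
import sys
from dataclasses import dataclass

# Severity scale shared by NuGet advisories and npm audit (npm additionally reports "info").
SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    ecosystem: str  # "nuget" or "npm"
    package: str
    version: str    # resolved version (NuGet) or vulnerable range (npm)
    severity: str   # lower-case: info / low / moderate / high / critical
    advisory: str   # advisory URL when the tool provides one, else ""
    direct: bool    # True when the project references the package itself


def parse_dotnet_vulnerable(report: dict) -> list[Finding]:
    """Parse `dotnet list package --vulnerable --include-transitive --format json`.
    Field names assumed to match the .NET 8 SDK JSON report (see SAMPLE_DOTNET)."""
    findings = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for key, direct in (("topLevelPackages", True), ("transitivePackages", False)):
                for pkg in fw.get(key, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        findings.append(Finding("nuget", pkg["id"], pkg.get("resolvedVersion", ""),
                                                vuln["severity"].lower(), vuln.get("advisoryurl", ""), direct))
    return findings


def parse_npm_audit(report: dict) -> list[Finding]:
    """Parse `npm audit --json` (auditReportVersion 2). Field names assumed per npm 7+."""
    findings = []
    for name, entry in report.get("vulnerabilities", {}).items():
        # "via" mixes advisory objects with bare package names for findings inherited from a dependency.
        urls = [v["url"] for v in entry.get("via", []) if isinstance(v, dict) and v.get("url")]
        findings.append(Finding("npm", name, entry.get("range", ""), entry["severity"].lower(),
                                urls[0] if urls else "", bool(entry.get("isDirect", False))))
    return findings


def findings_at_or_above(findings, threshold: str) -> list[Finding]:
    """Keep findings with severity >= threshold, most severe first. An unknown severity string
    is ranked as critical so a new label in a future tool version cannot slip past the gate."""
    floor = SEVERITY_RANK[threshold.lower()]
    return sorted((f for f in findings if SEVERITY_RANK.get(f.severity, 4) >= floor),
                  key=lambda f: (-SEVERITY_RANK.get(f.severity, 4), f.ecosystem, f.package))


def run_json(cmd: list[str]) -> dict:
    """Run a tool that prints JSON on stdout. `npm audit` exits non-zero whenever it finds
    something, so the exit code is ignored here and only the report is used."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return json.loads(proc.stdout or "{}")


def main(argv: list[str]) -> int:
    threshold = argv[1] if len(argv) > 1 else "moderate"
    findings = parse_dotnet_vulnerable(run_json(
        ["dotnet", "list", "package", "--vulnerable", "--include-transitive", "--format", "json"]))
    findings += parse_npm_audit(run_json(["npm", "audit", "--json"]))
    blocking = findings_at_or_above(findings, threshold)
    for f in blocking:
        kind = "direct" if f.direct else "transitive"
        print(f"{f.severity.upper():8} {f.ecosystem}:{f.package} {f.version} ({kind}) {f.advisory}")
    print(f"{len(blocking)} finding(s) at or above '{threshold}'")
    return 1 if blocking else 0


# Constructed sample reports (made-up packages and advisory URLs) in the shape of the tools' output.
SAMPLE_DOTNET = {"version": 1, "projects": [{"path": "Site.csproj", "frameworks": [{
    "framework": "net8.0",
    "topLevelPackages": [{"id": "Example.Direct", "requestedVersion": "1.0.0", "resolvedVersion": "1.0.0",
        "vulnerabilities": [{"severity": "High", "advisoryurl": "https://example.invalid/advisories/1"}]}],
    "transitivePackages": [{"id": "Example.Transitive", "resolvedVersion": "2.3.4",
        "vulnerabilities": [{"severity": "Low", "advisoryurl": "https://example.invalid/advisories/2"}]}]}]}]}
SAMPLE_NPM = {"auditReportVersion": 2, "vulnerabilities": {
    "example-lib": {"name": "example-lib", "severity": "critical", "isDirect": True, "range": "<2.0.0",
        "via": [{"title": "Prototype pollution", "url": "https://example.invalid/advisories/3",
                 "severity": "critical"}], "fixAvailable": True},
    "example-parent": {"name": "example-parent", "severity": "moderate", "isDirect": False, "range": "*",
        "via": ["example-lib"], "fixAvailable": True}}}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the repository root after `dotnet restore` and `npm install` have produced a resolved dependency graph; the first argument is the threshold, so the ordinary process above is `python dependency_gate.py moderate` and the ambitious one is `python dependency_gate.py low`. It deliberately reports transitive NuGet packages too: a vulnerable transitive dependency is fixed by adding a direct reference to a patched version, and it is exactly the kind of finding the Visual Studio checkbox makes easy to miss if "include transitive" is not ticked.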

For more security-related tips for Optimizely, see my security checklist.

Happy coding and stay safe!
