The open source vulnerability scanner
Expectations
• History of Dependency Check
• Importance of Dependency Check
• Why to care about the dependencies we use in our daily coding
• To understand what Dependency Check is by
• Supported languages/tech
• Relation to the OWASP Top 10
• Reviewing how it works
• Vulnerability data source
• Library identification and issues
• Evidence-based identification, issues and remediation
• Using Dependency Check
• Components of Dependency Check
• Use cases of Dependency Check
• Enterprise deployments
• How to read the reports
• Demo
History of Dependency Check
• Dependency-Check is developed by a team of volunteers. The primary contributors to date have been:
  • Jeremy Long
  • Steve Springett
  • Will Stranathan
Relation to the OWASP Top 10
• Most critical web application risks
• A9 – Using Components with Known Vulnerabilities
  • Prevalence: Widespread
  • Detectability: Difficult
• Difficult for 3 reasons
  • Awareness
  • Visibility
  • Lack of tooling in 2012/2013
Importance of Dependency Check
• CVE-2018-2815 – Java SE denial of service via serialization
• CVE-2016-5000 – Apache POI information disclosure via External Entity Expansion (XXE)
• CVE-2016-4216 – Adobe XMP Toolkit for Java information disclosure via External Entity Expansion (XXE)
• CVE-2016-3081 – Remote code execution in Apache Struts when dynamic method invocation is enabled
• CVE-2015-8103 – Remote code execution in Jenkins remoting (unsafe Java deserialization), related to Apache commons-collections
• 95% of applications include open source
• 67% of applications contained open source vulnerabilities
• Average age of an open source vulnerability at the time it was identified: 1,894 days (over five years)
Patching Programs
• Generally do not cover application dependencies
• Lack of awareness of third-party or FOSS application dependencies
• Patching teams cannot push patches: the fix ships inside the application build, not as an OS package
• Patching application dependencies requires
  • Possible code changes
  • Full regression testing
Supported Languages/tech
• Fully supported: Java & .NET
• Experimental analyzers (off by default; enable them with --enableExperimental and expect more false positives and negatives than with the Java/.NET analyzers):
  • CocoaPods
  • Swift Package Manager
  • Python
  • PHP (composer)
  • Node.js
  • Ruby
Components of Dependency Check
How it works
• National Vulnerability Database (NVD)
  • https://nvd.nist.gov
  • Contains a listing of Common Vulnerabilities and Exposures (CVE)
  • Each CVE entry contains
    • A description of the vulnerability or exposure
    • A Common Vulnerability Scoring System (CVSS) score
    • A list of the affected platforms identified by their Common Platform Enumeration (CPE)
Vulnerability Data Source
Steps to run (command line)
• Download the CLI zip from the project site and extract it.
• Go to the bin directory; it contains dependency-check.bat (Windows) and dependency-check.sh (Linux/macOS).
• The first run downloads the NVD data into the local data directory, so it is slow and needs outbound access; later runs only fetch updates.
• Execute the command:
dependency-check.bat --format <HTML, XML, CSV, JSON or ALL> --out "<directory for the report>" --scan "<location of jar/dependent files>" --project "<project name shown in the report>"
e.g.
dependency-check.bat --format HTML --out "C:\Users\Administrator\Desktop\Security Testing" --scan "C:\Users\Administrator\Desktop\Security Testing\*.*" --project SecurityScannerToolCommand
• Useful extras: --suppression <file> applies a suppression file, --failOnCVSS <score> returns a non-zero exit code when any finding reaches that score (for CI gating), and --enableExperimental turns on the experimental analyzers.
How to read the reports
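Once a scan has run, the JSON report (--format JSON) is the form a pipeline can act on. What follows is an added example written for this page, not part of dependency-check itself: it flattens such a report into one row per dependency and CVE, fails when any score reaches a threshold (the same decision the CLI's --failOnCVSS makes), and copes with older NVD entries that carry only a CVSS v2 score. The embedded report is constructed in the shape of the tool's JSON output; the CVE names are the ones listed earlier on this page, but the scores, jar names and package URLs are illustrative values, not data taken from the NVD.

```python
"""Triage an OWASP dependency-check JSON report and gate a CI build on it.

Added example for this page, not part of dependency-check.  SAMPLE_REPORT is
constructed to follow the layout of the tool's JSON output: a "dependencies"
list whose entries carry "fileName", "packages", "vulnerabilityIds" (matched
CPEs) and "vulnerabilities" with optional "cvssv2"/"cvssv3" blocks.
"""
import json
import sys

SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "projectInfo": {"name": "SecurityScannerToolCommand"},
    "dependencies": [
        {   # matched via CPE, both CVSS versions present (scores illustrative)
            "fileName": "struts2-core-2.3.20.jar",
            "packages": [{"id": "pkg:maven/org.apache.struts/struts2-core@2.3.20"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:apache:struts:2.3.20:*:*:*:*:*:*:*"}],
            "vulnerabilities": [
                {"name": "CVE-2016-3081", "source": "NVD", "severity": "HIGH",
                 "cvssv2": {"score": 9.3}, "cvssv3": {"baseScore": 8.1}},
            ],
        },
        {   # finding below the default threshold
            "fileName": "poi-3.13.jar",
            "packages": [{"id": "pkg:maven/org.apache.poi/poi@3.13"}],
            "vulnerabilityIds": [{"id": "cpe:2.3:a:apache:poi:3.13:*:*:*:*:*:*:*"}],
            "vulnerabilities": [
                {"name": "CVE-2016-5000", "source": "NVD", "severity": "MEDIUM",
                 "cvssv2": {"score": 5.0}, "cvssv3": {"baseScore": 5.5}},
            ],
        },
        {   # older NVD entry: CVSS v2 only, no cvssv3 block and no CPE list
            "fileName": "remoting-2.53.jar",
            "packages": [{"id": "pkg:maven/org.jenkins-ci.main/remoting@2.53"}],
            "vulnerabilities": [
                {"name": "CVE-2015-8103", "source": "NVD", "severity": "HIGH",
                 "cvssv2": {"score": 7.5}},
            ],
        },
        {   # clean dependency: the key is present but empty
            "fileName": "commons-lang3-3.4.jar",
            "packages": [{"id": "pkg:maven/org.apache.commons/commons-lang3@3.4"}],
            "vulnerabilities": [],
        },
    ],
})


def score_of(vuln):
    """Highest CVSS score available for a finding.  NVD entries published
    before CVSS v3 carry only a cvssv2 block, so both blocks are optional."""
    scores = []
    v3 = vuln.get("cvssv3") or {}
    v2 = vuln.get("cvssv2") or {}
    if v3.get("baseScore") is not None:
        scores.append(float(v3["baseScore"]))
    if v2.get("score") is not None:
        scores.append(float(v2["score"]))
    return max(scores) if scores else None


def triage(report_json, fail_on_cvss=7.0):
    """Flatten the report into one row per (dependency, CVE).  Returns
    (rows, failing); 'failing' holds the rows at or above the threshold."""
    report = json.loads(report_json)
    rows, failing = [], []
    for dep in report.get("dependencies", []):
        packages = [p["id"] for p in dep.get("packages", [])]
        cpes = [c["id"] for c in dep.get("vulnerabilityIds", [])]
        for vuln in dep.get("vulnerabilities", []):
            row = {
                "file": dep["fileName"],
                "package": packages[0] if packages else None,
                "cpe": cpes[0] if cpes else None,
                "cve": vuln["name"],
                "severity": vuln.get("severity"),
                "score": score_of(vuln),
            }
            rows.append(row)
            if row["score"] is not None and row["score"] >= fail_on_cvss:
                failing.append(row)
    return rows, failing


def exit_code(failing):
    """Non-zero when anything crossed the threshold, so CI stops the build."""
    return 1 if failing else 0


def main(argv):
    # usage: python gate.py [dependency-check-report.json] [threshold]
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    threshold = float(argv[2]) if len(argv) > 2 else 7.0
    rows, failing = triage(text, threshold)
    for r in rows:
        flag = "FAIL" if r in failing else "    "
        score = r["score"] if r["score"] is not None else "n/a"
        print(f"{flag} {score:>4}  {r['cve']:<15} {r['file']}  ({r['package']})")
    print(f"{len(rows)} findings, {len(failing)} at or above CVSS {threshold}")
    return exit_code(failing)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to process the embedded sample, or pass the path of a real report produced with --format JSON and an optional threshold; the process exit code is what a CI job should key on. Taking the higher of the v2 and v3 scores is a deliberate choice so that a finding never slips under the threshold just because one of the two scores is missing.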
Evidence-based identification, issues and remediation
• Identification:
  • Evidence is extracted from dependencies
    • File name, manifest, POM, package names, etc.
  • Evidence is grouped into Vendor, Product and Version collections, each item carrying a confidence level
  • A local copy of the NVD CVE data is maintained
  • A Lucene index of the CPE information is created
  • The evidence collected is used to search the index and identify the library by CPE; the CVEs attached to that CPE become the findings
• Issues:
  • False positives
    • Evidence extracted may cause incorrect identification (a generic term such as "security" in a group ID can match an unrelated product's CPE)
  • False negatives
    • If key elements are not included in the dependency (e.g. a jar or dll with no manifest or POM metadata) the library will not be identified and may result in unreported risk
    • A library that is identified correctly but whose CVE carries no CPE configuration in the NVD is missed as well
Library Identification and issues
• Identification:
  • Reporting on known/published vulnerabilities requires the correct identification of the libraries used
• Issues:
  • Development & Security use different identifiers
    • Development (GAV coordinates):
      • org.springframework:spring-core:3.2.0.RELEASE
    • Security uses Common Platform Enumeration (CPE), and the same product appears under several vendor names as the NVD's naming changed over time:
      • cpe:/a:springsource:spring_framework:3.2.0
      • cpe:/a:pivotal:spring_framework:3.2.0
      • cpe:/a:pivotal_software:spring_framework:3.2.0
  • No publicly available database exists to map between the two, which is why dependency-check falls back to evidence-based matching
Dealing with False Positives
• Invalid dependency identification can be resolved using a suppression file, passed to the scan with --suppression <file>.
• The file is an XML document with a <suppressions> root; each <suppress> names the dependency (here by a GAV regex) and the CPEs to drop for it. A partial CPE such as cpe:/a:mod_security:mod_security suppresses every version of that product.
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
    This suppresses false positives identified on spring security.
    ]]></notes>
    <gav regex="true">org.springframework.security:spring.*</gav>
    <cpe>cpe:/a:mod_security:mod_security</cpe>
    <cpe>cpe:/a:springsource:spring_framework</cpe>
    <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
  </suppress>
</suppressions>
• Keep the gav pattern as narrow as possible and record the reason in notes: suppressing a CPE hides all of its CVEs for the matched dependencies, so an over-broad rule turns a false positive into a false negative.
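To make the identification and suppression mechanics concrete, here is an added example (written for this page, not dependency-check's own code) that models the evidence search in a few lines of Python: vendor and product evidence is tokenised, ranked against a small hand-made stand-in for the CPE index, and the suppression rule shown above is then applied. The evidence values, the CPE index entries and the XML (wrapped in the <suppressions> root a real file needs, with the project's published 1.3 schema as namespace) are constructed inputs; the scoring is a simplification of the tool's Lucene search, chosen to show how a generic term like "security" pulls in mod_security as a false positive and how the gav-scoped rule removes it without touching other dependencies.

```python
"""Model of dependency-check's evidence-based CPE identification plus
suppression-file handling.  Added example, not the project's code; the
scoring is a deliberate simplification of its Lucene search."""
import re
import xml.etree.ElementTree as ET

# --- constructed inputs -------------------------------------------------------

# Evidence a scan would pull out of spring-security-core-3.2.0.RELEASE.jar,
# already grouped the way dependency-check groups it.
EVIDENCE = {
    "gav": "org.springframework.security:spring-security-core:3.2.0.RELEASE",
    "vendor": ["org.springframework.security", "SpringSource"],  # pom groupId, manifest vendor
    "product": ["spring-security-core"],                         # pom artifactId / manifest title
    "version": ["3.2.0.RELEASE"],
}

# Stand-in for the Lucene index built from NVD CPE data: (vendor, product) pairs.
CPE_INDEX = [
    ("springsource", "spring_security"),
    ("springsource", "spring_framework"),
    ("vmware", "springsource_spring_framework"),
    ("pivotal_software", "spring_framework"),
    ("mod_security", "mod_security"),
    ("apache", "struts"),
]

# The slide's rule inside the <suppressions> root a real file needs.
SUPPRESSIONS_XML = """<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[ This suppresses false positives identified on spring security. ]]></notes>
    <gav regex="true">org.springframework.security:spring.*</gav>
    <cpe>cpe:/a:mod_security:mod_security</cpe>
    <cpe>cpe:/a:springsource:spring_framework</cpe>
    <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
  </suppress>
</suppressions>"""
NS = {"s": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# --- identification -----------------------------------------------------------

def tokens(value):
    """Lower-case alphanumeric terms, roughly what a text index sees."""
    return {t for t in re.split(r"[^a-z0-9]+", value.lower()) if t}


def identify(evidence, cpe_index):
    """Rank CPE vendor:product pairs by the share of their terms found in the
    vendor and product evidence.  A pair needs at least one hit in each field,
    which is enough for a generic term such as 'security' to cause a false positive."""
    vendor_terms = set().union(*(tokens(v) for v in evidence["vendor"]))
    product_terms = set().union(*(tokens(p) for p in evidence["product"]))
    hits = []
    for vendor, product in cpe_index:
        v_terms, p_terms = tokens(vendor), tokens(product)
        v_hit, p_hit = len(v_terms & vendor_terms), len(p_terms & product_terms)
        if v_hit and p_hit:
            score = round((v_hit + p_hit) / (len(v_terms) + len(p_terms)), 2)
            hits.append((score, f"cpe:/a:{vendor}:{product}"))
    return sorted(hits, reverse=True)

# --- suppression --------------------------------------------------------------

def load_suppressions(xml_text):
    """Return [(gav_matcher, [cpe prefixes])] for every <suppress> keyed on <gav>."""
    rules = []
    for sup in ET.fromstring(xml_text).findall("s:suppress", NS):
        gav = sup.find("s:gav", NS)
        if gav is None:          # rules keyed on sha1/filePath/cve are not modelled here
            continue
        pattern = gav.text.strip()
        if gav.get("regex") == "true":
            matcher = re.compile(pattern).fullmatch
        else:
            matcher = lambda value, exact=pattern: value == exact
        cpes = [c.text.strip() for c in sup.findall("s:cpe", NS)]
        rules.append((matcher, cpes))
    return rules


def apply_suppressions(gav, hits, rules):
    """Drop a CPE when a rule's gav matches this dependency and one of its <cpe>
    values is a prefix of the CPE (a partial CPE suppresses every version)."""
    return [(score, cpe) for score, cpe in hits
            if not any(matcher(gav) and any(cpe.startswith(p) for p in prefixes)
                       for matcher, prefixes in rules)]


def scan(evidence=EVIDENCE, cpe_index=CPE_INDEX, suppressions=SUPPRESSIONS_XML):
    """Identify, then suppress; returns (raw hits, hits left after suppression)."""
    raw = identify(evidence, cpe_index)
    return raw, apply_suppressions(evidence["gav"], raw, load_suppressions(suppressions))


if __name__ == "__main__":
    raw, kept = scan()
    print("identified       :", [c for _, c in raw])
    print("after suppression:", [c for _, c in kept])
```

Running it lists three candidate CPEs for the Spring Security jar (spring_security, spring_framework and the spurious mod_security hit) and only spring_security after the rule is applied; the same mod_security hit on a dependency whose GAV does not match the rule is left alone, which is the point of scoping suppressions by gav rather than suppressing a CPE globally.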
Enterprise Deployments
• Use a centralized database to maintain the local copy of the NVD (dependency-check ships with an embedded H2 database but can be pointed at a shared RDBMS through its connection-string settings)
  • A single instance of dependency-check is used to update the data (--updateonly)
  • Scanning instances do not need to update (--noupdate)
• Use an internal Nexus instead of Maven Central for artifact look-ups, so scanners need no Internet access
• Run dependency-check within the CI pipeline and fail the build on a CVSS threshold
• Continuous monitoring/reporting using the OWASP dependency-check sonar plugin, OWASP dependency-track, or ThreadFix
Use Cases for dependency-check
• Prove the existence of the problem
• Baseline test when conducting POCs with commercial solutions
• OWASP dependency-check is used as the primary tool to identify known vulnerable components
DEMO
Questions?
OWASP dependency-check
Appendix
Getting Involved
• Involvement in the development and promotion of dependency-check is actively encouraged! You do not have to be a security expert in order to contribute. How you can help:
  • Use the tool
  • Provide feedback via the mailing list or by creating GitHub issues (both bugs and feature requests are encouraged)
  • The project source code is hosted on GitHub; if you are so inclined, fork it and submit pull requests!
References
• OWASP Dependency Check project page: https://www.owasp.org/index.php/OWASP_Dependency_Check
• Checking vulnerabilities in 3rd-party dependencies using the OWASP Dependency-Check plugin in Jenkins: https://medium.com/@PrakhashS/checking-vulnerabilities-in-3rd-party-dependencies-using-owasp-dependency-check-plugin-in-jenkins-bedfe8de6ba8
• Jenkins OWASP Dependency-Check Plugin: https://wiki.jenkins.io/display/JENKINS/OWASP+Dependency-Check+Plugin
• OWASP dependency-check: http://jeremylong.github.io/DependencyCheck/
• OWASP dependency-track: https://github.com/stevespringett/dependency-track
• OWASP dependency-check-sonar-plugin: https://github.com/stevespringett/dependency-check-sonar-plugin

 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 

OWASP - Dependency Check

  • 1. The open source vulnerability scanner
  • 2. Expectations.
    - History of Dependency Check
    - Importance of Dependency Check
    - Why to care about the dependencies we use in our daily coding
    - To understand what Dependency Checker is by:
    - Supported languages/tech
    - Relation to OWASP Top 10
    - Reviewing how it works
    - Vulnerability data source
    - Library identification and issues
    - Evidence-based identification, issues and remediation
    - Using Dependency Check
    - Components of Dependency Check
    - Use cases of Dependency Check
    - Enterprise deployments
    - How to read the reports
    - Demo
  • 3. History of Dependency Check
    - Dependency-Check is developed by a team of volunteers. The primary contributors to date have been:
      - Jeremy Long
      - Steve Springett
      - Will Stranathan
  • 4. Relation to OWASP Top 10.
    - Most critical web application risks
    - A9 – Using components with known vulnerabilities
      - Prevalence: Widespread
      - Detectability: Difficult
    - Difficult for 3 reasons:
      - Awareness
      - Visibility
      - Lack of tooling in 2012/2013
  • 5. Importance of Dependency Check
    - CVE-2018-2815 – Java SE DoS via serialization
    - CVE-2016-5000 – Apache POI information disclosure via External Entity Expansion (XXE)
    - CVE-2016-4216 – Adobe XMP Toolkit for Java information disclosure via External Entity Expansion (XXE)
    - CVE-2016-3081 – Remote code execution vulnerability in Apache Struts when dynamic method invocation is enabled
    - CVE-2015-8103 – Remote code execution vulnerability in Jenkins remoting; related to Apache commons-collections
    - 95% of applications include open source
    - 67% of applications contained open source vulnerabilities
    - Average age of open source vulnerability identified: 1,894 days
  • 6. Patching Programs
    - Generally do not cover application dependencies
    - Lack of awareness of 3rd party or FOSS application dependencies
    - Patching teams cannot push patches
    - Patching application dependencies requires:
      - Possible code changes
      - Full regression testing
  • 7. Supported Languages/tech.
    - Fully supported: Java & .NET
    - Experimental analyzers:
      - CocoaPods
      - Swift Package Manager
      - Python
      - PHP (composer)
      - Node.js
      - Ruby
  • 9. How it works. Vulnerability Data Source.
    - National Vulnerability Database (NVD)
      - https://nvd.nist.gov
    - Contains a listing of Common Vulnerabilities and Exposures (CVE)
    - Each CVE entry contains:
      - A description of the vulnerability or exposure
      - A Common Vulnerability Scoring System (CVSS) score
      - A list of the affected platforms identified by their Common Platform Enumeration (CPE)
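The three pieces of each CVE entry listed above are what a scanner needs to turn an identified CPE into a finding. The following is an added example (not dependency-check's own code) of a tiny local copy of that data and the range check that matches an identified library version against it. The CVE IDs, descriptions and version bounds are constructed placeholders, and the record layout is a simplified stand-in for the NVD feed, not its actual schema.

```python
"""Constructed mini 'local NVD copy': per CVE a description, a CVSS score and
the affected platforms as CPEs with version bounds, then a lookup that answers
'which CVEs affect cpe:/a:vendor:product:version?'.  Added example; all entries
are placeholders and the field names are a simplification, not the NVD schema."""
import re

LOCAL_NVD = [
    {
        "id": "CVE-0000-DEMO1",  # placeholder, not a real CVE
        "description": "Constructed: remote code execution in a demo framework.",
        "cvss": 9.8,
        "affected": [
            {"cpe": "cpe:/a:springsource:spring_framework",
             "version_start_including": "3.0.0", "version_end_excluding": "3.2.2"},
            {"cpe": "cpe:/a:pivotal:spring_framework",
             "version_start_including": "3.0.0", "version_end_excluding": "3.2.2"},
        ],
    },
    {
        "id": "CVE-0000-DEMO2",  # placeholder, not a real CVE
        "description": "Constructed: unsafe deserialisation in a demo collections library.",
        "cvss": 7.5,
        "affected": [
            {"cpe": "cpe:/a:apache:commons_collections", "version_end_including": "3.2.1"},
        ],
    },
]


def version_key(version):
    """Turn '3.2.0.RELEASE' into a comparable tuple (3, 2, 0).  Non-numeric
    qualifiers are ignored, which is enough for the range checks below."""
    return tuple(int(p) for p in re.findall(r"\d+", version)) or (0,)


def split_cpe(cpe):
    """'cpe:/a:vendor:product:version' -> ('cpe:/a:vendor:product', 'version')."""
    parts = cpe.split(":")
    base = ":".join(parts[:4])
    version = parts[4] if len(parts) > 4 else None
    return base, version


def in_range(version, match):
    """Apply whichever of the four optional bounds the affected entry carries."""
    v = version_key(version)
    if "version_start_including" in match and v < version_key(match["version_start_including"]):
        return False
    if "version_start_excluding" in match and v <= version_key(match["version_start_excluding"]):
        return False
    if "version_end_including" in match and v > version_key(match["version_end_including"]):
        return False
    if "version_end_excluding" in match and v >= version_key(match["version_end_excluding"]):
        return False
    return True


def vulnerabilities_for(cpe, nvd=LOCAL_NVD):
    """Return [(cve_id, cvss), ...] for the CVEs whose affected list covers the
    given CPE, highest CVSS first.  A CPE without a version matches on product
    alone, which is what an unversioned identification degrades to."""
    base, version = split_cpe(cpe)
    hits = []
    for entry in nvd:
        for match in entry["affected"]:
            if match["cpe"] != base:
                continue
            if version is None or in_range(version, match):
                hits.append((entry["id"], entry["cvss"]))
                break  # one hit per CVE is enough
    return sorted(hits, key=lambda hit: -hit[1])


if __name__ == "__main__":
    for cpe in ("cpe:/a:springsource:spring_framework:3.2.0",
                "cpe:/a:springsource:spring_framework:3.2.2",
                "cpe:/a:apache:commons_collections:3.2.1"):
        print(cpe, "->", vulnerabilities_for(cpe))
```

The version parsing deliberately drops qualifiers such as RELEASE or SNAPSHOT; a production matcher has to handle those and the NVD's own version ordering rules, which is one of the places false positives and negatives creep in.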
  • 10. Steps to run
    - Extract the bat file obtained from the link.
    - Go to bin.
    - Execute the command:
        Dependency.bat --format <HTML or PDF> --out "<location for the report>" --scan "<location of jar/dependent files>" --project <name of report>
      e.g.
        Dependency.bat --format HTML --out "C:\Users\Administrator\Desktop\Security Testing" --scan "C:\Users\Administrator\Desktop\Security Testing\*.*" --project SecurityScannerToolCommand
  • 11. How to read the reports.
  • 12. Evidence based identification, issues and Remediation.
    - Identification:
      - Evidence is extracted from dependencies: file name, manifest, POM, package names, etc.
      - Evidence is grouped into Vendor, Product, and Version collections
      - A local copy of the NVD CVE data is maintained
      - A Lucene index of the CPE information is created
      - The collected evidence is used to search the index and identify the library by CPE
  • 13. Evidence based identification, issues and Remediation.
    - Issues:
      - False positives: evidence extracted may cause incorrect identification
      - False negatives: if key elements are not included in the dependency (e.g. jar, dll) the library will not be identified and may result in un-reported risk
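To make the evidence pipeline on slides 12 and 13 concrete, here is an added example (not dependency-check's own code) that extracts vendor, product and version evidence from a jar's file name, MANIFEST.MF and pom.properties, then searches a tiny constructed stand-in for the CPE index. The three sample jars are constructed: one is identified correctly, one is a false positive of the kind slide 15 suppresses (spring-security evidence matching spring_framework), and one carries no usable evidence and so is silently missed, the false-negative case.

```python
"""Evidence-based library identification.  Added example; the jar contents and
the four-entry 'index' are constructed for the demo, and the token-overlap
scoring is a deliberate simplification of the real Lucene search."""
import re
from collections import defaultdict

# Constructed stand-in for the Lucene CPE index: (vendor, product) pairs.
CPE_INDEX = [
    ("springsource", "spring_framework"),
    ("pivotal", "spring_framework"),
    ("apache", "commons_collections"),
    ("apache", "struts"),
]

# Constructed dependencies.  Only the fields a jar actually carries are present.
SAMPLE_JAR = {
    "filename": "spring-core-3.2.0.RELEASE.jar",
    "manifest": ("Implementation-Title: spring-core\n"
                 "Implementation-Version: 3.2.0.RELEASE\n"
                 "Implementation-Vendor: SpringSource\n"),
    "pom_properties": ("groupId=org.springframework\n"
                       "artifactId=spring-core\n"
                       "version=3.2.0.RELEASE\n"),
}
SPRING_SECURITY_JAR = {  # will be a false positive for spring_framework
    "filename": "spring-security-core-3.1.0.jar",
    "manifest": "Implementation-Vendor: SpringSource\n",
}
UNLABELLED_JAR = {"filename": "lib.jar"}  # no manifest, no POM, no version


def extract_evidence(dep):
    """Return {'vendor': set, 'product': set, 'version': set}.  Sources that
    are absent from the dependency simply contribute nothing."""
    ev = defaultdict(set)
    m = re.match(r"(?P<name>[A-Za-z][\w.-]*?)-(?P<ver>\d[\w.-]*)\.(jar|dll)$",
                 dep.get("filename", ""))
    if m:  # file name such as spring-core-3.2.0.RELEASE.jar
        ev["product"].add(m.group("name").lower())
        ev["version"].add(m.group("ver"))
    for line in dep.get("manifest", "").splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip().lower()
        if key == "implementation-title":
            ev["product"].add(val)
        elif key == "implementation-version":
            ev["version"].add(val)
        elif key == "implementation-vendor":
            ev["vendor"].add(val)
    for line in dep.get("pom_properties", "").splitlines():
        key, _, val = line.partition("=")
        key, val = key.strip().lower(), val.strip().lower()
        if key == "groupid":
            ev["vendor"].update(val.split("."))  # org, springframework
        elif key == "artifactid":
            ev["product"].add(val)
        elif key == "version":
            ev["version"].add(val)
    return ev


def _tokens(values):
    """Split evidence strings into lowercase alphanumeric tokens."""
    toks = set()
    for value in values:
        toks.update(t for t in re.split(r"[^a-z0-9]+", value.lower()) if len(t) > 2)
    return toks


def best_version(versions):
    """Pick the longest dotted-numeric prefix found in any version evidence."""
    nums = [m.group(0) for v in versions for m in [re.search(r"\d+(?:\.\d+)*", v)] if m]
    return max(nums, key=len) if nums else None


def identify(dep, index=CPE_INDEX):
    """Return the 'cpe:/a:vendor:product[:version]' strings whose product tokens
    overlap the product evidence and whose vendor matches the vendor evidence."""
    ev = extract_evidence(dep)
    if not ev["product"]:
        return []  # false negative: nothing to search the index with
    ptoks, vtoks = _tokens(ev["product"]), _tokens(ev["vendor"])
    version = best_version(ev["version"])
    hits = []
    for vendor, product in index:
        if not set(product.split("_")) & ptoks:
            continue
        vendor_ok = any(ct in vt or vt in ct for ct in vendor.split("_") for vt in vtoks)
        if vendor_ok:
            hits.append(f"cpe:/a:{vendor}:{product}" + (f":{version}" if version else ""))
    return hits


if __name__ == "__main__":
    for dep in (SAMPLE_JAR, SPRING_SECURITY_JAR, UNLABELLED_JAR):
        print(dep["filename"], "->", identify(dep) or "NOT IDENTIFIED")
```

The false positive arises exactly as slide 13 says: the "spring" token in the file name is enough to overlap spring_framework, and the vendor evidence agrees, so a spring-security jar is reported as the Spring Framework. The unlabelled jar shows the other failure: with no product evidence there is nothing to search with, and the risk goes unreported.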
  • 14. Library Identification and issues.
    - Identification: reporting on known/published vulnerabilities requires the correct identification of the libraries used
    - Issues:
      - Development & Security use different identifiers
      - Development (GAV coordinates):
        - org.springframework:spring-core:3.2.0.RELEASE
      - Security uses Common Platform Enumeration (CPE):
        - cpe:/a:springsource:spring_framework:3.2.0
        - cpe:/a:pivotal:spring_framework:3.2.0
        - cpe:/a:pivotal_software:spring_framework:3.2.0
      - No publicly available database exists to map between the two
  • 15. Dealing with False Positives
    - Invalid dependency identification can be resolved using a suppression file:

        <suppress>
          <notes><![CDATA[
            This suppresses false positives identified on spring security.
          ]]></notes>
          <gav regex="true">org.springframework.security:spring.*</gav>
          <cpe>cpe:/a:mod_security:mod_security</cpe>
          <cpe>cpe:/a:springsource:spring_framework</cpe>
          <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
        </suppress>
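The suppression rule above is only as safe as its scope, so it helps to see exactly which findings it removes. The following is an added example (not dependency-check's own code) that parses the slide's rule and applies it to three constructed findings. Two assumptions are made and labelled in the code: the rule is wrapped in a plain `<suppressions>` root for parsing (the real file has a namespaced root), and a `<cpe>` value is treated as a prefix so that a rule without a version covers every version of that product.

```python
"""Apply a dependency-check style suppression rule to (GAV, CPE) findings.
Added example; the wrapper root element, the prefix semantics for <cpe> and the
findings list are constructed for the demo."""
import re
import xml.etree.ElementTree as ET

# The slide's rule, wrapped in a plain root element so ElementTree can parse it
# (constructed wrapper; the real file uses a namespaced <suppressions> root).
SUPPRESSION_XML = """<suppressions>
  <suppress>
    <notes><![CDATA[ This suppresses false positives identified on spring security. ]]></notes>
    <gav regex="true">org.springframework.security:spring.*</gav>
    <cpe>cpe:/a:mod_security:mod_security</cpe>
    <cpe>cpe:/a:springsource:spring_framework</cpe>
    <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
  </suppress>
</suppressions>"""

# Constructed findings: (GAV coordinates, CPE the scanner identified).
FINDINGS = [
    # spring-security jar misidentified as spring_framework: the false positive
    ("org.springframework.security:spring-security-core:3.1.0",
     "cpe:/a:springsource:spring_framework:3.1.0"),
    # real spring-core: GAV does not match the regex, must NOT be suppressed
    ("org.springframework:spring-core:3.2.0.RELEASE",
     "cpe:/a:springsource:spring_framework:3.2.0"),
    # GAV matches but the CPE is not one the rule names, must NOT be suppressed
    ("org.springframework.security:spring-security-web:3.1.0",
     "cpe:/a:apache:struts:2.3"),
]


def _local(tag):
    """Strip an XML namespace prefix: '{ns}suppress' -> 'suppress'."""
    return tag.rsplit("}", 1)[-1]


def parse_suppressions(xml_text):
    """Return a list of rules: {'gav': str|None, 'gav_regex': bool, 'cpes': [..]}."""
    rules = []
    for node in ET.fromstring(xml_text).iter():
        if _local(node.tag) != "suppress":
            continue
        rule = {"gav": None, "gav_regex": False, "cpes": []}
        for child in node:
            name, text = _local(child.tag), (child.text or "").strip()
            if name == "gav":
                rule["gav"] = text
                rule["gav_regex"] = child.get("regex", "false").lower() == "true"
            elif name == "cpe":
                rule["cpes"].append(text)
        rules.append(rule)
    return rules


def _gav_matches(rule, gav):
    if rule["gav"] is None:
        return True  # rule not restricted to particular coordinates
    if rule["gav_regex"]:
        return re.fullmatch(rule["gav"], gav) is not None
    return rule["gav"] == gav


def is_suppressed(rule, gav, cpe):
    """Both the GAV restriction and one of the listed CPEs must match.
    Demo assumption: a listed CPE without a version covers all versions."""
    cpe_ok = any(cpe == c or cpe.startswith(c + ":") for c in rule["cpes"])
    return _gav_matches(rule, gav) and cpe_ok


def apply_suppressions(findings, rules):
    """Split findings into (kept, suppressed)."""
    kept, suppressed = [], []
    for gav, cpe in findings:
        bucket = suppressed if any(is_suppressed(r, gav, cpe) for r in rules) else kept
        bucket.append((gav, cpe))
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = apply_suppressions(FINDINGS, parse_suppressions(SUPPRESSION_XML))
    print("suppressed:", suppressed)
    print("kept:", kept)
```

Pairing a `gav` restriction with the CPE list is what keeps the rule narrow: without the `gav` element the same three CPEs would be suppressed for every jar in the scan, including a genuinely vulnerable Spring Framework.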
  • 16. Enterprise Deployments.
    - Use a centralized database to maintain the local copy of the NVD
      - A single instance of dependency-check is used to update it
      - Scanning instances do not need to update
    - Use an internal Nexus instead of Maven Central
    - Run dependency-check within their CI
    - Continuous monitoring/reporting using the OWASP dependency-check sonar plugin, OWASP dependency-track, or ThreadFix
  • 17. Use Cases for dependency-check
    - Prove the existence of the problem
    - Baseline test when conducting POCs with commercial solutions
    - OWASP dependency-check is used as the primary tool to identify known vulnerable components
  • 18. DEMO
  • 21. Getting Involved
    - Involvement in the development and promotion of dependency-check is actively encouraged! You do not have to be a security expert in order to contribute. How you can help:
      - Use the tool
      - Provide feedback via the mailing list or by creating GitHub issues (both bugs and feature requests are encouraged)
      - The project source code is hosted on GitHub; if you are so inclined, fork it and submit pull requests!
  • 22. References:
    - https://www.owasp.org/index.php/OWASP_Dependency_Check
    - https://medium.com/@PrakhashS/checking-vulnerabilities-in-3rd-party-dependencies-using-owasp-dependency-check-plugin-in-jenkins-bedfe8de6ba8
    - https://wiki.jenkins.io/display/JENKINS/OWASP+Dependency-Check+Plugin
    - OWASP dependency-check: http://jeremylong.github.io/DependencyCheck/
    - OWASP dependency-track: https://github.com/stevespringett/dependency-track
    - OWASP dependency-check-sonar-plugin: https://github.com/stevespringett/dependency-check-sonar-plugin