Dependency-Check Ecosystem
OWASP Summit 2017
Introduction
• 20+ years software development experience
• 8 years software security experience
• Principal Application Security Architect
• Core contributor to OWASP Dependency-Check
• Leader of Jenkins & SonarQube plugins
• Leader of OWASP Dependency-Track
about.me/stevespringett
steve.springett@owasp.org
OWASP Dependency-Check: Introduction
• Open Source – Licensed under the Apache 2.0 license
• Identifies components using evidence-based analysis of the scanned files
  • Evidence: component name, vendor, version, etc.
• Determines whether the collected evidence matches CVEs in the National Vulnerability Database
• Outputs reports in HTML, JSON, CSV, and XML formats
Primary Use Cases
• Continuous Security in CI/CD
  • Execution of the CLI, Ant, Maven, Gradle, and/or Jenkins plugin during CI/CD, with automatic visibility of newly discovered vulnerabilities
• Software Security Assessment and Audit
  • Execution of the command line interface against an installed application for the purpose of reconnaissance during security assessments
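The CI/CD use case above, as an added example (not code from the Dependency-Check project): a Python gate that assembles the dependency-check CLI invocation and fails the build when the JSON report contains a finding at or above a CVSS threshold. The flag names follow the current dependency-check CLI; the report field names (dependencies[].vulnerabilities[] with cvssv3.baseScore, cvssv2.score or the older cvssScore) and the report file name dependency-check-report.json are assumptions to check against the installed version; the embedded report is constructed sample data with placeholder identifiers, not real scan output.

```python
"""
CI gate around the Dependency-Check JSON report.

Added example, not part of the OWASP Dependency-Check project. Assumptions:
- CLI flag names (--project, --scan, --out, --format, --suppression) follow
  the current dependency-check CLI; adjust for the installed version.
- JSON report layout: top-level "dependencies", each with "fileName" and a
  "vulnerabilities" list whose entries carry "name", "severity" and a CVSS
  score under "cvssv3.baseScore", "cvssv2.score" or the legacy "cvssScore".
- With --out pointing at a directory the JSON report is written as
  dependency-check-report.json.
"""
import json
import subprocess
import sys
from typing import Iterable, List, Optional


def build_scan_command(project: str, scan_paths: Iterable[str], out_dir: str,
                       suppression: Optional[str] = None) -> List[str]:
    """Assemble the dependency-check CLI invocation for a CI job.

    JSON is enough for gating; --format ALL also produces the HTML/XML/CSV
    reports when humans or other tools need them.
    """
    cmd = ["dependency-check.sh", "--project", project,
           "--out", out_dir, "--format", "JSON"]
    for path in scan_paths:
        cmd += ["--scan", path]
    if suppression:                       # reviewed false positives live here
        cmd += ["--suppression", suppression]
    return cmd


def cvss_score(vuln: dict) -> float:
    """Return the highest CVSS base score present, preferring v3 over v2."""
    scores = []
    if isinstance(vuln.get("cvssv3"), dict) and "baseScore" in vuln["cvssv3"]:
        scores.append(float(vuln["cvssv3"]["baseScore"]))
    if isinstance(vuln.get("cvssv2"), dict) and "score" in vuln["cvssv2"]:
        scores.append(float(vuln["cvssv2"]["score"]))
    if "cvssScore" in vuln:               # report schema used by older releases
        scores.append(float(vuln["cvssScore"]))
    return max(scores) if scores else 0.0


def findings_above(report: dict, threshold: float) -> List[dict]:
    """Flatten the report into rows (file, id, score, severity) at or above threshold."""
    rows = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = cvss_score(vuln)
            if score >= threshold:
                rows.append({"file": dep.get("fileName", "?"),
                             "id": vuln.get("name", "?"),
                             "score": score,
                             "severity": vuln.get("severity", "")})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def gate(report: dict, threshold: float = 7.0) -> int:
    """Exit status for the CI step: 1 if any finding meets the threshold, else 0."""
    rows = findings_above(report, threshold)
    for r in rows:
        print(f"FAIL {r['file']}: {r['id']} CVSS {r['score']} {r['severity']}")
    return 1 if rows else 0


# Constructed sample report: placeholder identifiers, not real scan output.
SAMPLE_REPORT = {
    "reportSchema": "1.1",
    "dependencies": [
        {"fileName": "example-web-2.3.jar",
         "vulnerabilities": [
             {"name": "CVE-0000-0001", "severity": "CRITICAL",
              "cvssv3": {"baseScore": 9.8}, "cvssv2": {"score": 7.5}},
             {"name": "CVE-0000-0002", "severity": "MEDIUM",
              "cvssv2": {"score": 5.0}}]},
        {"fileName": "example-util-1.0.jar", "vulnerabilities": []},
        {"fileName": "legacy-1.0.jar",
         "vulnerabilities": [{"name": "CVE-0000-0003", "severity": "High",
                              "cvssScore": 7.2}]},
    ],
}


if __name__ == "__main__":
    # Pipeline use: run the scan, then gate on the report it wrote.
    out_dir = "dependency-check-report"
    subprocess.run(build_scan_command("my-app", ["target/"], out_dir), check=True)
    with open(f"{out_dir}/dependency-check-report.json") as fh:
        sys.exit(gate(json.load(fh), threshold=7.0))
```

Two practical notes: give the CLI a persisted data directory in CI so every job does not re-download the NVD feed (the scan is only as current as that local copy), and record reviewed false positives in the suppression file passed with --suppression rather than lowering the threshold.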
Progress
2013 (1.0)
• Java only
• Command line interface
• Ant plugin
• Maven plugin
2017 (2.0)
• 15+ languages/platforms
• Command line interface
• Ant plugin
• Maven plugin
• Gradle plugin
• Jenkins plugin
• SonarQube plugin
OWASP Dependency-Track: Introduction
• Open Source – Licensed under GNU GPLv3
• Tracks third-party components across multiple applications and versions
• Asset management application for components
• Integrates the Dependency-Check core engine
  • Can use the asset database as the sole source of evidence
  • Access to the files or the build system is not required
Primary Use Cases
• Project, Component, License, and Vulnerability Tracking
  • Source of truth for the software BOM, component usage, & vulnerabilities
  • Ingestion of Dependency-Check results and BOM formats
• Proactively monitor projects using vulnerable components
  • Increase efficiency of vulnerability intelligence & incident response
Progress
2013 (1.0)
• Static component management
• Partial Dependency-Check integration
2017 (3.0-dev)
• Static/dynamic component management
• Full Dependency-Check integration
• Full mirror of the NVD
• API-first design with Swagger 2.0
• Supports BOM via SPDX and CycloneDX
• Full SPDX license support
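The BOM ingestion and API-first points above, as an added example (not code from the Dependency-Track project): generate a CycloneDX 1.0 XML BOM for a list of components, read it back, and submit it to Dependency-Track's REST API. The CycloneDX 1.0 namespace, the PUT /api/v1/bom endpoint taking a base64-encoded BOM in a JSON envelope, and the X-Api-Key header are taken from the documented Dependency-Track v3 API; the 3.0-dev build shown in 2017 may differ, so check its Swagger definition. The server URL, API key, project UUID and component list are placeholders.

```python
"""
Generate a CycloneDX BOM and submit it to Dependency-Track.

Added example, not code from the Dependency-Track project. Assumptions:
- CycloneDX 1.0 XML, namespace http://cyclonedx.org/schema/bom/1.0 (the
  format version current in 2017).
- Dependency-Track v3 REST API: PUT /api/v1/bom with JSON body
  {"project": "<project uuid>", "bom": "<base64 BOM>"} and header X-Api-Key.
- Server URL, API key, project UUID and the component list are placeholders.
"""
import base64
import json
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

CDX_NS = "http://cyclonedx.org/schema/bom/1.0"
XML_DECL = b'<?xml version="1.0" encoding="UTF-8"?>\n'


def make_cyclonedx_bom(components: List[Dict[str, str]]) -> bytes:
    """Serialise library components as a CycloneDX 1.0 XML BOM.

    Each component needs name and version; group, purl and sha1 are optional.
    The purl (package URL) and hash are what let Dependency-Track identify a
    component from the BOM alone, without access to the files or the build.
    """
    ET.register_namespace("", CDX_NS)
    bom = ET.Element(f"{{{CDX_NS}}}bom", {"version": "1"})
    comps = ET.SubElement(bom, f"{{{CDX_NS}}}components")
    for c in components:
        comp = ET.SubElement(comps, f"{{{CDX_NS}}}component", {"type": "library"})
        for tag in ("group", "name", "version"):     # schema order
            if c.get(tag):
                ET.SubElement(comp, f"{{{CDX_NS}}}{tag}").text = c[tag]
        if c.get("sha1"):
            hashes = ET.SubElement(comp, f"{{{CDX_NS}}}hashes")
            ET.SubElement(hashes, f"{{{CDX_NS}}}hash", {"alg": "SHA-1"}).text = c["sha1"]
        if c.get("purl"):
            ET.SubElement(comp, f"{{{CDX_NS}}}purl").text = c["purl"]
    return XML_DECL + ET.tostring(bom, encoding="utf-8")


def parse_bom_components(bom: bytes) -> List[Dict[str, str]]:
    """Read the components back out of a CycloneDX 1.0 BOM (the consumer side)."""
    ns = {"c": CDX_NS}
    out = []
    for comp in ET.fromstring(bom).findall("c:components/c:component", ns):
        entry = {}
        for tag in ("group", "name", "version", "purl"):
            node = comp.find(f"c:{tag}", ns)
            if node is not None and node.text:
                entry[tag] = node.text
        h = comp.find("c:hashes/c:hash[@alg='SHA-1']", ns)
        if h is not None and h.text:
            entry["sha1"] = h.text
        out.append(entry)
    return out


def build_bom_upload(base_url: str, api_key: str, project_uuid: str,
                     bom: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Return (url, headers, body) for PUT /api/v1/bom.

    The BOM travels base64-encoded inside a JSON envelope. The key is a
    Dependency-Track team API key allowed to upload BOMs; keep it out of
    build logs.
    """
    url = base_url.rstrip("/") + "/api/v1/bom"
    headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}
    envelope = {"project": project_uuid,
                "bom": base64.b64encode(bom).decode("ascii")}
    return url, headers, json.dumps(envelope).encode("utf-8")


def parse_upload_body(body: bytes) -> Tuple[str, bytes]:
    """Decode an envelope back into (project uuid, raw BOM) to verify what is sent."""
    envelope = json.loads(body)
    return envelope["project"], base64.b64decode(envelope["bom"])


def upload_bom(base_url: str, api_key: str, project_uuid: str, bom: bytes) -> int:
    """Submit the BOM; the server accepts it and processes it asynchronously."""
    url, headers, body = build_bom_upload(base_url, api_key, project_uuid, bom)
    req = urllib.request.Request(url, data=body, headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


# Constructed sample inventory: placeholder coordinates, not a real scan.
SAMPLE_COMPONENTS = [
    {"group": "org.example", "name": "example-web", "version": "2.3",
     "purl": "pkg:maven/org.example/example-web@2.3"},
    {"group": "org.example", "name": "example-util", "version": "1.0",
     "purl": "pkg:maven/org.example/example-util@1.0",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
]


if __name__ == "__main__":
    bom = make_cyclonedx_bom(SAMPLE_COMPONENTS)
    # Placeholders: replace with your server, team API key and project UUID.
    print(upload_bom("https://dtrack.example.internal", "REPLACE_ME",
                     "00000000-0000-0000-0000-000000000000", bom))
```

Because the BOM carries purls and hashes, Dependency-Track can do the matching from its own asset database and NVD mirror, which is what makes the "no access to files or build system" use case above work.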
The Ecosystem
[Diagram; only its labels survive extraction. Nodes: CLI (Dependency-Check and its build/CI plugins), Dependency-Track, Defect Tracker. Flows: Results and BOM from the scan into Dependency-Track; Evidence from the Dependency-Track asset database back to the Dependency-Check engine; Ticket(s) into the defect tracker. Callouts across the three slides: Improved Visibility to Development Team; Improved Accuracy of Analysis; Improved Visibility Across Portfolio.]
Demo
Shortcomings
• Evidence-based analysis will generate false positives and false negatives
• The quality of the metadata provided by the component author is critical
• The NVD may not always be up to date
• Doesn't track security fixes committed without an associated published CVE
• Older components are not usually tested by security researchers
• Doesn't track EOL/EOS
Contributing
• Use and improve experimental analyzers
• Create new analyzers for emerging languages and platforms
• Help us improve developer visibility (IDE plugins, build plugins, CI servers)
• Help us improve runtime visibility (Java/.NET/Node agents)
• Define and implement algorithms for determining component age
• Implement metrics and dashboards to measure risk and improvement
• License identification and compliance

Project links:
https://github.com/jeremylong/DependencyCheck
https://groups.google.com/forum/#!forum/dependency-check
https://github.com/stevespringett/dependency-track
https://groups.google.com/forum/#!forum/dependency-track
Improve the Open Source Community
• Use Dependency-Check or a similar solution in your projects
• Hold open-source projects accountable for self-reporting
• Notify the NVD of errors or omissions
• Verify the accuracy of component metadata
• Use SPDX license IDs for all projects
• Use SPDX or CycloneDX for defining the software BOM for all projects
Feedback
• Do you use Dependency-Check (or similar) in your projects/orgs?
• What existing or in-progress features do you like/dislike?
• What functionality is missing?
• Areas of improvement?
Thank You
Q&A