Say No to the Dependency Hell: Proper Management of Software Dependencies
IVAN PASHCHENKO
Trento - 2019
whoami
Ivan Pashchenko
• PhD candidate in Information Security at the University of Trento
• Former Intern at SAP Security Research
• Former Leading Security Engineer at Bashneft, Russia
• Snowboarder, hiker, volleyball player
Software project: own code
Nowadays software projects are highly interconnected
• Own code
• Dependencies
Dependencies?
You are writing code… This is typical functionality; I do not want to reinvent the wheel, so I will use already developed functionality.
And you use just one dependency…
Welcome to the Dependency Hell
Open source software
Source: https://www.infoworld.com/article/2608895/open-source-software/open-source-software-does-government-finally-grok-open-source.html
The Equifax breach
When you have a dependency
[Figure: dependency tree of m1 with nodes m2, y1, x1, y2, u1, z1, labelled direct and transitive]
Current dependency analysis
0. Follow the updates in your software dependencies manually
- Subscribe to mailing lists of your dependencies
- Telegram channels
- Analyze changelogs of the new releases
- Receive a lot of spam…
Current dependency analysis tools
1. Github vulnerability alerts:
Example: https://github.com/iluwatar/java-design-patterns/network/dependencies
Listing the packages that a repository depends on:
https://help.github.com/articles/listing-the-packages-that-a-repository-depends-on/
Viewing and updating vulnerable dependencies in your repository:
https://help.github.com/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository/
About security alerts for vulnerable dependencies:
https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/
2. Snyk.io:
Home page: https://snyk.io/
Introduction video: https://youtu.be/4ng5usM6fd8
2. Snyk.io – Vulnerability DB:
3. SourceClear - https://www.sourceclear.com/
Advantages:
- one of the biggest vulnerability databases
Disadvantage:
- fully commercial
4. Vulas - https://github.com/SAP/vulnerability-assessment-tool
Advantages:
- open-source
- precise code base matching algorithm
Disadvantages:
- they do not publish the vulnerability database
- they support only Java (Maven & Gradle) and partially Python
You will have such a report
What would you do? Ignore? Panic?
Observation 1
Some dependencies are not deployed, hence vulnerabilities in them cannot be exploited
[Figure: the dependency tree annotated with Maven scopes: m1:compile, m2:compile, y1:compile, x1:test, y2:compile, u1:test, z1:compile]
Observation 2
‘Direct’ and ‘transitive’ notions do not represent which dependencies really can be controlled
[Figure: the dependency tree with nodes m1, m2, y1, x1, y2, u1, z1 grouped into projects M, Y, X, U, Z; first labelled own / direct / transitive, then own / in direct control / out of direct control]
Observation 3
Some libraries may become halted
[Figure: release timelines of m1, x1 and u1 from t0 to t1 (versions v1, v2, v3); x1 stops releasing]
There would be no new version of x1 either 1) to fix a vulnerability in x1 or 2) to adopt a fixed version of u1.
Fixing such a dependency would require a software company either to contribute to the halted library (make a new release) or to maintain its own copy of the library.
Counting dependencies
1. Build dependency tree: Maven goals dependency:tree and dependency:resolve
2. Filter non-deployed dependencies: exclude test and provided scopes
3. Group dependencies by projects: group all GAVs with the same groupId within one path and substitute them in the path with the GAV closest to the vulnerable GAV
4. Identify halted dependencies:
• $\text{Last release interval} = \alpha \sum_{i=0}^{n} (1-\alpha)^{i} \cdot \text{Release time}_{n-i}$
• $\text{Expected release date} = \text{Last release} + \text{Last release interval}$
• $\text{Expected release date} < \text{TIME} \Rightarrow \text{Library is halted}$
5. Map with known vulnerable GA
Reference: S. E. Ponta, H. Plate, and A. Sabetta. Beyond metadata: Code-centric and usage-based analysis of known vulnerabilities in open-source software. In Proc. of ICSME-18, 2018.
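The pipeline on this slide, together with Observations 1 to 3 above, as an added worked example in Python (not the deck's own tooling and not SAP's Vulas): it parses a constructed `mvn dependency:tree` listing in Maven's default text layout, shaped like the slide's tree with m1 as the project itself; drops test and provided scopes; collapses GAVs that share a groupId on a path, keeping the one nearest the vulnerable leaf; classifies the result as own / in direct control / out of direct control by its distance from the root after grouping (my reading of Observation 2); and applies the release-interval formula to flag halted libraries. The vulnerable GA set, the release dates and the reference date NOW are constructed placeholders, not real advisories.

```python
"""Added example (not the slide deck's own tool): the slide-27 pipeline in
miniature. All data below is constructed; the vulnerable set and release
dates are placeholders, not real advisories."""
from collections import namedtuple
from datetime import date, timedelta

Dep = namedtuple("Dep", "group artifact version scope")

# Constructed `mvn dependency:tree` output mirroring the slide's tree:
# m1 is the project itself, m2 a sibling module, y1/x1 direct, the rest transitive.
TREE = """\
[INFO] org.m:m1:jar:2.1.0
[INFO] +- org.m:m2:jar:2.1.0:compile
[INFO] +- org.y:y1:jar:1.4.0:compile
[INFO] |  \\- org.y:y2:jar:1.4.0:compile
[INFO] |     \\- org.z:z1:jar:0.9.0:compile
[INFO] \\- org.x:x1:jar:3.0.0:test
[INFO]    \\- org.u:u1:jar:1.0.0:test
"""

NON_DEPLOYED = {"test", "provided"}

# Constructed "known vulnerable GA" map, release histories and reference date.
VULNERABLE_GA = {("org.y", "y2"), ("org.z", "z1"), ("org.u", "u1")}
RELEASES = {
    ("org.y", "y2"): [date(2018, 6, 1), date(2018, 9, 1), date(2018, 12, 1)],
    ("org.z", "z1"): [date(2016, 1, 1), date(2016, 7, 1), date(2017, 1, 1)],
}
NOW = date(2019, 1, 1)


def parse_tree(text):
    """Return one root-to-node path (list of Dep) per dependency line.
    Depth is the width of Maven's '+- ', '|  ', '\\- ' prefix divided by 3."""
    paths, stack = [], []
    for line in text.splitlines():
        body = line[len("[INFO] "):] if line.startswith("[INFO] ") else line
        node = body.lstrip("|+\\- ")
        depth = (len(body) - len(node)) // 3
        parts = node.split(":")  # groupId:artifactId:packaging:version[:scope]
        dep = Dep(parts[0], parts[1], parts[3], parts[4] if len(parts) > 4 else "compile")
        stack[depth:] = [dep]  # truncate to this depth and set the current node
        if depth > 0:
            paths.append(list(stack))
    return paths


def deployed_paths(paths):
    """Observation 1: a dependency reachable only in test/provided scope is not
    shipped, so a vulnerability in it is not reachable in production."""
    return [p for p in paths if p[-1].scope not in NON_DEPLOYED]


def group_by_project(path):
    """Collapse GAVs sharing a groupId along one path, keeping the GAV closest
    to the vulnerable leaf (the path's last element)."""
    seen, out = set(), []
    for dep in reversed(path):
        if dep.group not in seen:
            seen.add(dep.group)
            out.append(dep)
    return out[::-1]


def control_of(path):
    """Observation 2: after grouping, distance 0 is own code, 1 is a project we
    depend on directly (we pick its version), anything further is out of control."""
    distance = len(group_by_project(path)) - 1
    return ("own", "in direct control")[distance] if distance < 2 else "out of direct control"


def ewma_release_interval(intervals, alpha):
    """Slide formula: alpha * sum_{i=0..n} (1-alpha)^i * interval_{n-i},
    an exponentially weighted average with the newest interval weighted most."""
    n = len(intervals) - 1
    return alpha * sum((1 - alpha) ** i * intervals[n - i] for i in range(n + 1))


def is_halted(release_dates, now, alpha=0.5):
    """Observation 3: expected next release = last release + weighted interval;
    if that date is already in the past, treat the library as halted."""
    dates = sorted(release_dates)
    intervals = [(b - a).days for a, b in zip(dates, dates[1:])]
    if not intervals:
        return False  # a single release gives no interval to extrapolate from
    expected = dates[-1] + timedelta(days=ewma_release_interval(intervals, alpha))
    return expected < now


def report(tree_text, vulnerable_ga, releases, now, alpha=0.5):
    """Return {artifactId: (control, halted)} for deployed vulnerable GAVs only."""
    out = {}
    for path in deployed_paths(parse_tree(tree_text)):
        leaf = path[-1]
        if (leaf.group, leaf.artifact) in vulnerable_ga:
            halted = is_halted(releases.get((leaf.group, leaf.artifact), []), now, alpha)
            out[leaf.artifact] = (control_of(path), halted)
    return out


if __name__ == "__main__":
    for artifact, (ctrl, halted) in report(TREE, VULNERABLE_GA, RELEASES, NOW).items():
        print(f"{artifact}: {ctrl}, {'halted' if halted else 'maintained'}")
```

On the constructed tree, u1 is vulnerable but never reported because it is reachable only through the test-scoped x1; y2 comes out "in direct control" because its project Y is a direct dependency, and z1 "out of direct control" and halted. Two caveats a practitioner should keep in mind when applying the halted check: the weights α(1−α)^i sum to 1 − (1−α)^{n+1} rather than 1, so a library with only a few releases gets a shorter interval estimate and is flagged halted sooner than one with a long history, and a library with a single release yields no interval at all, which the code reports as not halted rather than guessing.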
Effects
- Filtering non-deployed: 20% less false alerts to check
- Dependency grouping: developers may have fixed 82% of vulns in their dependencies (45% increase)
- “Is halted” analysis: 14% of dependencies are halted, hence would not be fixed
Following our approach you will have the following report
A bit clearer what to do, isn’t it?
An example of our report
We are looking for your experience
More details about our research are here: http://bit.ly/vuln-research-trento
"Dependencies as you see it" (what the problems are, why people could, should, or won't update etc.). This can be a brief Skype/Hangout/etc interview at your convenience.
We bring order to the dependency hell
For any questions or suggestions do not hesitate to contact me:
E-mail: ivan.pashchenko@unitn.it
Skype: ivanpashchenko
Web-site: http://disi.unitn.it/~pashchenko
Let’s say No to the Dependency Hell
Information about our research is here: http://bit.ly/vuln-research-trento
