
Know your dependencies


Published on 2017.11.07. in: Technology

My talk from V-day 2017, Budapest.


  1. GraphAware® Know your dependencies: It is a real risk in your software. Janos Szendi-Varga, GraphAware
  2. About me: Janos Szendi-Varga, Senior Consultant @GraphAware. Twitter: @szenyo. Email: janos@graphaware.com
  3. GraphAware Clients
  4. What is this?
  5. Left-pad incident: Jenga tower of JavaScript
     • Azer Koçulu, 273 modules in NPM
     • Kik module: the story began with an email from a lawyer
     • “Hahah, you’re actually being a d#%k,” “So, f#%k you. Don’t email me back.”
     • NPM statement: change the ownership
     • Leaving NPM
     • Left-pad was fetched 2,486,696 times (downloads) in just the last month
     • Un-unpublishing
  6. Quote: ”The fundamental act of friendship among programmers is the sharing of programs”, Stallman wrote in his 1985 manifesto (GNU Manifesto).
  7. Random LinkedIn Ad
  8. Not so Fun Facts. If you develop your open or closed source software, you must be aware of a few facts:
     • On average, 80 percent of an application consists of third-party components, mostly open source.
     • Almost 50 percent of the third-party software components of those applications are outdated, a few years old.
     • A more secure version of the software component is available in almost every case.
     • “It’s estimated that only about 10% of the Fortune 100 companies monitor their use of open-source code.”
     • There’s something like a million different open-source projects on the internet, and any one piece of vulnerable code could be used by hundreds of companies.
     • In a medium size project there are over 1,500 dependent software packages, not counting different versions of the same package or any packages developed internally for reuse.
  9. Issues you are involved in:
     • Technical issues, bugs
     • New releases
     • Legal compliance issues
     • Security threats, vulnerabilities
     • Bus factor for dependencies: https://en.wikipedia.org/wiki/Bus_factor
  10. Quote, today’s takeaway from me: ”You should have visibility and control over your software product’s dependencies, to have proper business continuity.”
  11. Many-many solutions:
     • Gitlinks: https://www.gitlinks.com
     • JFrog X-Ray: https://www.jfrog.com/xray/
     • Sonatype Nexus: http://www.sonatype.org/nexus/
     • …
     • libraries.io: https://libraries.io
     • DIY solutions
  12. libraries.io
  13. (no text on this slide)
  14. My DIY solution: Neo4j (Neo4j Platform)
     • The Neo4j native graph database
     • Graph analytics
     • Data integration
     • The Cypher graph query language is the bridge to big data analytic tooling
     • Graph visualisation and discovery
     • Enterprise architecture underlies and supports massive graph data
     • GraphAware Databridge
     • Graph Algorithms Neo4j plugin
  15. Schema
  16. Licenses (number of packages, pcs, per declared license in the ingested data):

     License             pcs
     MIT              756425
     "" (empty)       677470
     Apache-2.0       248775
     Other            110012
     ISC              104508
     BSD-3-Clause      94043
     GPL-3.0           35251
     BSD-2-Clause      21201
     Artistic-1.0-Perl 18516
     AGPL-3.0          17405
  17. The Graph Algorithms
     Centralities:
     • Page Rank (algo.pageRank)
     • Betweenness Centrality (algo.betweenness)
     • Closeness Centrality (algo.closeness)
     Community Detection:
     • Louvain (algo.louvain)
     • Label Propagation (algo.labelPropagation)
     • (Weakly) Connected Components (algo.unionFind)
     • Strongly Connected Components (algo.scc)
     • Triangle Count / Clustering Coefficient (algo.triangleCount)
     Path Finding:
     • Minimum Weight Spanning Tree (algo.mst)
     • All Pairs- and Single Source Shortest Path (algo.shortestPath, algo.allShortestPaths)
  18. PageRank example

     rank  url                            score
     1     http://expressjs.com/          8172.573038999997
     2     http://junit.org/              7709.026125499998
     3     https://mochajs.org            7324.665977000001
     4     https://github.com/ruby/rake   5209.688505499999
     5     http://expressjs.com           6950.314272500002
     6     http://gruntjs.com/            3945.8917605000006
     7     https://phpunit.de/            3114.4085855
     8     http://gulpjs.com              3021.2432475000005
     9     http://github.com/rspec        2979.8457910000006
     10    http://chaijs.com              2775.124208999999
  19. Random Corporate System (RCS)
     Java backend, Maven:
     • 55 dependencies (32 external, 23 internal)
     • 32 external projects mean 90 transitive 2nd degree dependencies and 293 3rd degree dependencies
     • compile, provided, runtime, test scopes
     Node.js frontend:
     • 121 dependencies (12 internal, 109 external)
     • 109 external projects mean 1412 transitive 2nd degree dependencies and 3600 different 3rd degree dependencies
  20. (no text on this slide)
  21. Security
     • OWASP Top 10: "Using Components with Known Vulnerabilities"
     • CVE: Common Vulnerabilities and Exposures, e.g. CVE-2017-14359
     • NVD: National Vulnerability Database, CSV files to download and ingest into our DB
     • Possible defense or attack strategies: top-down, bottom-up
  22. Future improvements
     • ElasticSearch for full-text search on descriptions
     • Security vulnerabilities ingestion
     • NLP to create knowledge graphs
     • Embed into releasing process
     • More insights from the data
  23. Summary: Your software looks more like this than like an individual node.
  24. www.graphaware.com, janos@graphaware.com. Thank you!
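To make the degree counts of slide 19 and the top-down / bottom-up strategies of slide 21 concrete, here is an added example that is not from the talk (plain Python rather than the Cypher the DIY Neo4j solution uses): it walks a constructed dependency graph, counts packages per transitive degree, follows a project down to the vulnerable packages it pulls in, and follows a vulnerable package up to every project that uses it. Package names and CVE ids are made up for the example.

```python
from collections import deque

# Constructed sample data (made-up names, not the talk's real dataset):
# project or package -> its direct dependencies, as loaded from manifests.
DEPS = {
    "rcs-backend":   ["web-framework", "json-lib", "internal-auth"],
    "rcs-frontend":  ["ui-kit"],
    "internal-auth": ["crypto-lib"],
    "web-framework": ["http-core", "router"],
    "http-core":     ["bytes-util"],
    "router":        ["path-match"],
    "json-lib":      ["bytes-util"],
    "ui-kit":        ["path-match"],
}
# Constructed vulnerability feed, package -> CVE ids (placeholders, not real CVEs).
VULNS = {"bytes-util": ["CVE-0000-EXAMPLE1"], "path-match": ["CVE-0000-EXAMPLE2"]}


def walk(start, edges):
    """BFS over `edges`; returns {node: (degree, path)} at the shortest degree."""
    found = {}
    queue = deque([(start, 0, [start])])
    while queue:
        node, degree, path = queue.popleft()
        for nxt in edges.get(node, []):
            if nxt != start and nxt not in found:   # also stops cycles
                found[nxt] = (degree + 1, path + [nxt])
                queue.append((nxt, degree + 1, path + [nxt]))
    return found

def dependencies_by_degree(project, deps=DEPS):
    """{degree: sorted packages} reachable from project; degree 1 = direct."""
    out = {}
    for pkg, (degree, _) in walk(project, deps).items():
        out.setdefault(degree, []).append(pkg)
    return {d: sorted(p) for d, p in sorted(out.items())}

def bottom_up(project, deps=DEPS, vulns=VULNS):
    """Project -> vulnerable packages in its transitive closure, with one path."""
    return {pkg: (vulns[pkg], " -> ".join(path))
            for pkg, (_, path) in walk(project, deps).items() if pkg in vulns}

def top_down(package, deps=DEPS):
    """Vulnerable package -> every project or package that transitively uses it."""
    reverse = {}
    for parent, children in deps.items():
        for child in children:
            reverse.setdefault(child, []).append(parent)
    return sorted(walk(package, reverse))
```

The same two walks are what the talk's graph database answers with a variable-length path query in each direction; here the reverse index stands in for traversing incoming edges.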
