What are Software Dependencies?

Harshil Parikh | 30 June, 2022

TL;DR

Software dependencies: code libraries or packages that are reused in a new piece of software. They come in two forms:
Direct: Libraries or packages your own code imports and calls, and which you declare in your manifest (i.e. package.json, pom.xml, requirements.txt, go.mod).
Transitive: Libraries or packages your direct dependencies pull in for themselves. These are dependencies of dependencies: your code never references them directly, yet they are built, packaged, and shipped with your application.

By using pre-built software dependencies, developers can deliver software faster and on shorter release cycles. Yet dependencies introduce risks that are often overlooked. That is where Tromzo comes in with our unified developer-first application security management platform to:

  • Aggregate all dependencies from every source (GitHub, Snyk, Aqua, etc.) and attach ownership metadata, so your AppSec team knows which developers and which teams own which dependencies. Licensing data and how current each version is are pulled in alongside.
  • Implement security guardrails in CI/CD to enforce policies, guaranteeing dependency hygiene and ensuring every repository and container is covered by a dependency or container scanner.
  • Automate vulnerability management by preventing insecure dependency versions from being introduced, and triage findings automatically using context such as whether the dependency is direct or transitive, whether the repository is high risk, and whether it is an unused internal repository.


We thought it would be good to start at the top before we dive into a later post on GitHub Dependabot. For those unfamiliar, software dependencies are code libraries or packages that are reused in a new piece of software.

These software dependencies come in two forms:
Direct: Libraries or packages your own code imports and calls, and which you declare in your manifest (package.json, pom.xml, requirements.txt, go.mod, and so on).

Transitive: Libraries or packages your direct dependencies pull in for themselves. These are dependencies of dependencies: your code never references them, yet they are compiled, packaged, and shipped with your application, and in most ecosystems they outnumber the direct ones.

Both kinds require significant management effort to control the risk they introduce. If you are prioritizing remediation, start with direct dependencies: you control the version pin, so a fix is usually a one-line change, whereas a transitive dependency can only be updated by bumping or overriding its parent. Transitive findings are also far noisier, and many sit in code paths your application never exercises. The caveat is that "transitive" does not mean "harmless": a reachable vulnerability three levels deep is still exploitable, so the goal is to order the work, not to drop it.
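The direct-versus-transitive triage described above, as an added example that is not Tromzo's code or part of the original post. It parses the lockfileVersion 3 layout of an npm package-lock.json (the "packages" map keyed by install path, which is the real format), walks the dependency graph from the root, and ranks a list of vulnerable package names so direct dependencies come first, transitive ones follow ordered by depth, and installed-but-unreachable packages are flagged last. The lockfile contents, the vulnerable package list, and the function names are constructed for the example; the npm package names are real but the versions and edges are illustrative.

```python
"""Classify vulnerable packages as direct or transitive from an npm lockfile.

Added example, not Tromzo's code. Parses the lockfileVersion 3 layout of
package-lock.json and ranks vulnerable packages for remediation order.
"""
import json
from collections import deque

# Constructed sample lockfile: the structure matches lockfileVersion 3, but the
# versions and dependency edges are illustrative, not a real project's tree.
SAMPLE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "sample-app",
            "dependencies": {"express": "^4.18.0", "lodash": "^4.17.0"},
            "devDependencies": {"jest": "^29.0.0"},
        },
        "node_modules/express": {"version": "4.18.2",
                                 "dependencies": {"qs": "6.11.0", "cookie": "0.5.0"}},
        "node_modules/qs": {"version": "6.11.0",
                            "dependencies": {"side-channel": "^1.0.4"}},
        "node_modules/side-channel": {"version": "1.0.4"},
        "node_modules/cookie": {"version": "0.5.0"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/jest": {"version": "29.7.0", "dev": True},
        # Present in the lockfile but reachable from nothing: a stale leftover.
        "node_modules/minimist": {"version": "1.2.5"},
    },
})


def load_lock(lock_text):
    """Return (root_deps, packages); packages maps name -> metadata."""
    lock = json.loads(lock_text)
    root = lock["packages"][""]
    root_deps = list(root.get("dependencies", {})) + list(root.get("devDependencies", {}))
    packages = {}
    for path, meta in lock["packages"].items():
        if path == "":
            continue
        # Nested installs look like node_modules/a/node_modules/b; the segment
        # after the last "node_modules/" is the package name. The hoisted
        # (top-level) copy is listed first, so setdefault keeps that one.
        name = path.rsplit("node_modules/", 1)[1]
        packages.setdefault(name, {
            "version": meta.get("version"),
            "deps": list(meta.get("dependencies", {})),
            "dev": bool(meta.get("dev")),
        })
    return root_deps, packages


def shortest_paths(root_deps, packages):
    """BFS from the root's declared deps; maps name -> shortest import chain."""
    paths = {name: [name] for name in root_deps}
    queue = deque(root_deps)
    while queue:
        current = queue.popleft()
        for dep in packages.get(current, {}).get("deps", []):
            if dep not in paths:
                paths[dep] = paths[current] + [dep]
                queue.append(dep)
    return paths


def triage(vulnerable, lock_text=SAMPLE_LOCK):
    """Rank vulnerable package names: direct first, then transitive by depth.

    Names not installed at all are dropped. Packages installed but unreachable
    from the root are kept last and flagged: they are stale, or pulled in by
    something the lockfile no longer records, and deserve a look either way.
    """
    root_deps, packages = load_lock(lock_text)
    paths = shortest_paths(root_deps, packages)
    rank = {"direct": 0, "transitive": 1, "unreachable": 2}
    rows = []
    for name in vulnerable:
        if name not in packages:
            continue
        chain = paths.get(name, [])
        kind = "direct" if len(chain) == 1 else "transitive" if chain else "unreachable"
        rows.append({
            "package": name,
            "version": packages[name]["version"],
            "kind": kind,
            "dev_only": packages[name]["dev"],
            "chain": " > ".join(chain) or "(not reachable from root)",
        })
    rows.sort(key=lambda r: (rank[r["kind"]], r["chain"].count(">"), r["package"]))
    return rows


if __name__ == "__main__":
    # Constructed advisory list; "left-pad" is not in this project and is dropped.
    for row in triage(["side-channel", "lodash", "minimist", "left-pad"]):
        print(f"{row['kind']:<11} {row['package']}@{row['version']:<8} via {row['chain']}")
```

Run it against a real package-lock.json by passing the file contents as `lock_text`. The chain column is the actionable part: for a transitive finding it names the direct dependency whose version you must bump (or override) to get the fix, which is exactly the information a raw scanner alert usually lacks.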

Recently, we saw the cost of missing dependency visibility play out publicly with Log4Shell (CVE-2021-44228) in Log4j: log4j-core was very often a transitive dependency, so many teams could not quickly answer whether they were affected, let alone where.

Benefits of Software Dependencies

The adoption of cloud-native applications and infrastructure has propelled DevOps and a self-service culture in which developers are expected to go from code to cloud in a matter of hours. Software dependencies let developers deliver faster by building on previous work, which makes them a key ingredient of modern applications. For the modern Software Development Life Cycle (SDLC) that brings advantages such as:

  • Improved performance, by reusing mature, optimized implementations rather than writing them from scratch
  • Faster bug fixes, because upstream maintainers patch issues once for every consumer
  • Cheaper overall upgrade costs
  • Adaptability

Risks Introduced via Software Dependencies

Yet dependencies introduce risks that are often overlooked. Including external software as a dependency means you are relying on its developers to correctly write, test, and maintain that code, and in most organizations there is very little visibility into, or control over, which dependencies are actually in use. Without that visibility and control, the downsides include:

  • Outdated third-party code that no longer receives security fixes
  • Unknown bugs and vulnerabilities inherited from upstream, including in transitive dependencies nobody chose deliberately
  • Potential legal or liability issues, for example license obligations that conflict with how the software is distributed

Organizations typically use GitHub Dependabot, Snyk, or Renovate (originally from WhiteSource, now Mend) for dependency management. These tools detect outdated or vulnerable versions and open update pull requests, but on their own they do not tell you who owns the affected repository or how important it is.

How Tromzo Helps with Software Dependencies

Dependency data comes from several sources: source control systems (e.g. GitHub), Software Composition Analysis (SCA) tools (e.g. Snyk, Black Duck, Mend), and container scanners (e.g. Aqua). Each holds a partial, differently formatted view, and these silos create massive blind spots in dependency visibility, hygiene, and vulnerability management.

Tromzo enables organizations with a unified developer-first application security management platform to:

  • Aggregate all dependencies from every source (GitHub, Snyk, Aqua, etc.) and attach ownership metadata, so your AppSec team knows which developers and which teams own which dependencies. Licensing data and how current each version is are pulled in alongside.
  • Implement security guardrails in CI/CD to enforce policies, guaranteeing dependency hygiene and ensuring every repository and container is covered by a dependency or container scanner.
  • Automate vulnerability management by preventing insecure dependency versions from being introduced, and triage findings automatically using context such as whether the dependency is direct or transitive, whether the repository is high risk, and whether it is an unused internal repository.