DEV Community

Tanya Janca for Microsoft Azure

Posted on • Edited on

Pushing Left, Like a Boss — Part 5.2 — Use Safe Dependencies

This series, and my blog, have moved! !

According to many sources between 70–90% of application code is contained within libraries and other 3rd party components. When we use libraries, frameworks and other 3rd party components, we are accepting all of the risks that come with them (including vulnerabilities). Luckily for us, when security researchers find security vulnerabilities in products (including libraries, frameworks and other components) they often report them to Mitre, who log them in the Common Vulnerability Enumerator (CVE) database, a publicly searchable database containing all publicly-disclosed known vulnerabilities (note below). Using the CVE database either manually or (preferably) through use of an automated tool, to verify if your application is using known-vulnerable components is a key strategy to improve the security of your custom-built applications. There are many free and premium tools on the market (listed below), and I would suggest that you use at least one of them to ensure that the 3rd party code you are using is safe.

Automating this should be part of every CD/CI pipeline. You should also automate scanning of your source code repository on a regular basis. Everyone should do this, for every project, no matter how small. It’s so easy, and it’s such a huge win for the security of your applications, there is no excuse not to do it.

Read the rest of this article on my NEW blog!!

Top comments (3)

Collapse
 
koehntopp profile image
Frank Köhntopp

dependabot.com/ is worth mentioning - it auto-creates pull requests for new versions.

Security is not the only driver, there's a lot of commits making your packages better all the time that you don't want to miss. Applying updates regularly also makes sure you know what you need to do should you need to quickly update in case of a new critical vulnerabilty.

I have watched developers struggle to update from 5 year old versions, it's not a pretty sight ;)

Collapse
 
shehackspurple profile image
Tanya Janca

I've added Dependabot, nice! And I agree, 100%!

Collapse
 
syntaxseed profile image
SyntaxSeed (Sherri W)

For PHP there is the Sensio Labs Security Checker to scan for vulnerable Composer packages.