This is the story of my first serious side-project, IsMyDependencySafe.
It is a website that enables users to check if there are any known security issues for specific projects.
Some of you might know that there are already many tools that check dependencies for known vulnerabilities, such as bundler-audit. But they are designed to run as a step in a continuous integration pipeline, so they usually don't offer a website where you can easily look up a specific project. And even when they do, they are limited to a single language, like Ruby.
IsMyDependencySafe includes projects of all languages, and makes them and their vulnerabilities easily searchable.
I hope this raises awareness of security issues and leads developers to rely less often on unsafe dependencies.
But let's back up a little...
One day I was talking with a friend when he told me that he would never use closed-source software if he could avoid it. His reason: outsiders have no way to check it for vulnerabilities, and the developers or the company behind it may have an incentive to keep them concealed.
My response was that while this sounds nice, almost nobody has the skills and the time to audit software for security issues. Most development teams don't have those resources either.
Then I did a quick search for a platform where security issues can be reported, and found nothing.
This led me to the idea of building one: a platform that makes reporting and searching for such issues as easy as possible.
For IsMyDependencySafe to be useful, it needs data, especially about vulnerabilities. A website that tells you that every piece of software on the planet is perfectly secure is not very believable.
At first I thought users would enter the security issues themselves. Then I actually thought it through and realized that building a community is hard, especially when the community provides absolutely no value at first.
So I looked at the vulnerability databases I knew of to find out whether their data may be reused and how it could be imported.
During this process, I eventually stumbled upon the National Vulnerability Database (NVD), which is managed by the US government.
That's when the midlife crisis hit. The NVD does everything I wanted to achieve with my project, and does it a lot better than I could have. It is already well known, and issues are already reported to it.
How could I be so stupid and not find them before starting the project? How could I even think that something as important as security would not have a standardized process?
For a short period I thought IsMyDependencySafe was done. But then a thought hit me: there is already a community that can be leveraged!
At this point I reshaped my view of the project. Now it was only about searching for vulnerabilities; the community aspect was unnecessary. That thought was incredibly liberating, because now it's possible to create something that provides value immediately.
I threw out every piece of code that had to do with building a community.
The rest of the project was a breeze. The NVD allows its data to be used for free, and importing it didn't even take a day.
Right now the project is at its bare minimum: it contains data on projects and their vulnerabilities, and lets users search for them.
There are many improvements planned though.
The next steps are:
- searching for a project with a specific version number
- including other databases
- improving the UI
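The planned version-aware search is the part of such a tool where most of the subtlety hides: NVD records describe affected products as CPE names plus optional version bounds, and a lookup has to compare the user's version against those bounds correctly (including the "less than" versus "less than or equal" distinction, and the fact that 1.10 is newer than 1.9). The following is an added illustration written for this post, not code from IsMyDependencySafe or from the NVD. The records are constructed in the shape of an NVD JSON feed `cpe_match` list (`cpe23Uri`, `versionStartIncluding`, `versionEndExcluding`, and so on); the CVE identifiers in them are placeholders, not real advisories, and the product names are made up.

```python
"""Look up a (product, version) pair against NVD-style affected-version data.

Added example, not the original project's code. The entries below are
constructed to mirror the NVD JSON feed "cpe_match" shape; the CVE ids are
placeholders and the products are fictitious.
"""
import re
from typing import Dict, List, Tuple

CONSTRUCTED_ENTRIES: List[Dict] = [
    {   # placeholder id: affected from 1.0.0 up to, but not including, 1.4.2
        "cve": "CVE-0000-0001",
        "cpe_match": [{
            "vulnerable": True,
            "cpe23Uri": "cpe:2.3:a:example:widgetlib:*:*:*:*:*:*:*:*",
            "versionStartIncluding": "1.0.0",
            "versionEndExcluding": "1.4.2",
        }],
    },
    {   # placeholder id: a single exact version named in the CPE itself
        "cve": "CVE-0000-0002",
        "cpe_match": [{
            "vulnerable": True,
            "cpe23Uri": "cpe:2.3:a:example:widgetlib:2.0.0:*:*:*:*:*:*:*",
        }],
    },
    {   # placeholder id: every version up to and including 3.1
        "cve": "CVE-0000-0003",
        "cpe_match": [{
            "vulnerable": True,
            "cpe23Uri": "cpe:2.3:a:example:otherlib:*:*:*:*:*:*:*:*",
            "versionEndIncluding": "3.1",
        }],
    },
]

_SEPARATOR = re.compile(r"[.\-]")


def parse_version(version: str) -> Tuple[Tuple[int, object], ...]:
    """Split '1.10.2' into comparable parts so that 1.10 > 1.9.

    Numeric parts compare as integers (tag 0); any other part compares as a
    lower-cased string (tag 1) and therefore sorts after numbers. Pre-release
    ordering (e.g. '1.4.2-beta' before '1.4.2') is deliberately not modelled.
    """
    parts = []
    for piece in _SEPARATOR.split(version.strip()):
        parts.append((0, int(piece)) if piece.isdigit() else (1, piece.lower()))
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; '1.0' and '1.0.0' compare equal (missing parts are 0)."""
    pa, pb = list(parse_version(a)), list(parse_version(b))
    width = max(len(pa), len(pb))
    pa += [(0, 0)] * (width - len(pa))
    pb += [(0, 0)] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def cpe_fields(cpe23: str) -> Tuple[str, str, str]:
    """Return (vendor, product, version) from a cpe:2.3 formatted string.

    A plain split is enough for these samples; real feeds can contain
    escaped colons ('\\:') in attribute values and need a proper tokenizer.
    """
    fields = cpe23.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a cpe:2.3 string: {cpe23!r}")
    return fields[3], fields[4], fields[5]


def match_applies(match: Dict, product: str, version: str) -> bool:
    """Decide whether one cpe_match entry covers the given product version."""
    _vendor, cpe_product, cpe_version = cpe_fields(match["cpe23Uri"])
    if cpe_product != product or not match.get("vulnerable", True):
        return False
    if cpe_version != "*":            # exact version named in the CPE
        return compare_versions(version, cpe_version) == 0
    if "versionStartIncluding" in match and compare_versions(version, match["versionStartIncluding"]) < 0:
        return False
    if "versionStartExcluding" in match and compare_versions(version, match["versionStartExcluding"]) <= 0:
        return False
    if "versionEndIncluding" in match and compare_versions(version, match["versionEndIncluding"]) > 0:
        return False
    if "versionEndExcluding" in match and compare_versions(version, match["versionEndExcluding"]) >= 0:
        return False
    return True


def find_vulnerabilities(product: str, version: str, entries: List[Dict] = CONSTRUCTED_ENTRIES) -> List[str]:
    """Return the ids of all entries with at least one applicable cpe_match."""
    return [e["cve"] for e in entries
            if any(match_applies(m, product, version) for m in e["cpe_match"])]


if __name__ == "__main__":
    for product, version in [("widgetlib", "1.3.0"), ("widgetlib", "1.4.2"), ("otherlib", "3.1")]:
        print(product, version, "->", find_vulnerabilities(product, version))
```

The boundary handling is where such lookups usually go wrong: a version equal to `versionEndExcluding` is fixed and must not be reported, while one equal to `versionEndIncluding` is still affected. Matching on the CPE product name alone is also a simplification; a real import would need to map ecosystem package names (a gem, an npm package) onto CPE vendor/product pairs, which is a data-quality problem of its own.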
For a while I thought I was really dumb for not analyzing the market more deeply, but now I'm glad I didn't. Otherwise I probably would never have started the project. And now I believe it is something that does provide value to the developer community.
Well, that's it. Thank you for reading my story. I hope you found it interesting.
Now, it is your turn.
Did you have any similar experiences?
Have you built a project, only to find out that an existing one already does everything you planned?
Do you also start side-projects before doing a deep analysis of the market?