
Vickie Li for ShiftLeft

Originally published at blog.shiftleft.io

How to Start Tracking Your Application Dependencies

Photo by Luis Gomes from Pexels

Do you know what dependencies your app is using? All of them? We recently wrote about managing npm dependencies, but Node.js developers aren’t the only ones who rely on third-party libraries, APIs, and more in their applications.

We define a dependency as anything that your app calls. This information is essential; knowing what you have is vital to keeping your application safe. The more outside dependencies there are, the greater the risk of security issues.

In this article, we take a look at how you can start tracking your app’s dependencies.

Start Small

When you begin, mapping your application as a whole can be overwhelming. One way to make things easier is to start by looking at portions of your application. For example, you might focus on everything related to one feature or use case (e.g., invoices, then payment processing).

Get Your Information and Store It

Tracking app dependencies used to be done manually. Someone would audit the app and track all of the findings in spreadsheets and Visio diagrams. This process is labor-intensive, both in terms of creation and maintenance. Nevertheless, this is a low-cost and effective method for more straightforward applications.

If you use a dependency manager, it can be a great source of information: Composer is popular with PHP users, there’s Poetry for Python, and for apps using the Objective-C runtime, there’s CocoaPods. These aren’t trackers, but they can help you identify and keep on top of the dependencies you use. For larger applications, or for teams seeking to streamline the process, automated tools and application inventory management tools can do this. For example, Microsoft offers Azure Application Insights.
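As an added example (not code from the original post), here is one way to turn Composer's files into a stored inventory: it compares what `composer.json` declares with what `composer.lock` actually resolved, so transitive packages nobody chose explicitly show up alongside the direct ones. The package names and versions are constructed sample data, and `build_inventory` and `to_csv` are hypothetical helper names.

```python
import csv
import io
import json

# Constructed sample files (not from a real project).
COMPOSER_JSON = """{
  "require": {"php": ">=8.1", "acme/invoice-pdf": "^2.0"},
  "require-dev": {"acme/test-kit": "^1.4"}
}"""

COMPOSER_LOCK = """{
  "packages": [
    {"name": "acme/invoice-pdf", "version": "2.3.1"},
    {"name": "acme/font-loader", "version": "0.9.0"}
  ],
  "packages-dev": [
    {"name": "acme/test-kit", "version": "1.4.2"}
  ]
}"""


def build_inventory(manifest_text, lock_text):
    """Return one row per locked package, flagged direct or transitive."""
    manifest = json.loads(manifest_text)
    lock = json.loads(lock_text)
    # Names the team asked for explicitly in composer.json.
    declared = set(manifest.get("require", {})) | set(manifest.get("require-dev", {}))
    rows = []
    for section, scope in (("packages", "runtime"), ("packages-dev", "dev")):
        for pkg in lock.get(section, []):
            origin = "direct" if pkg["name"] in declared else "transitive"
            rows.append({"name": pkg["name"], "version": pkg["version"],
                         "scope": scope, "origin": origin})
    return sorted(rows, key=lambda r: r["name"])


def to_csv(rows):
    """Serialize the inventory so it can be stored or opened as a spreadsheet."""
    out = io.StringIO()
    fields = ["name", "version", "scope", "origin"]
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(build_inventory(COMPOSER_JSON, COMPOSER_LOCK)))
```

Rows marked `transitive` are the ones a manual audit of `composer.json` alone would miss.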

Don’t Forget About “Tribal Knowledge”

Tribal knowledge refers to knowledge that’s held by some people and isn’t documented well. For example, it might be evident to everybody that your data comes from a MySQL database. It might not be apparent where the data in that database comes from, however.

Because tracking your application dependencies requires complete knowledge, make sure that you include all of the relevant people in your mapping project (e.g., architects, tech leadership, and developers).

Conclusion

Tracking your application’s dependencies can be difficult, but doing so is essential. Without this information, it’s tough for you to gauge and manage the risk posed to your application by security vulnerabilities.

