Fire Alarms vs. Fire Hoses: Keeping Up with Dependencies
Rhys Arkins, Director of Product Management

1. Dependency Management
2. The Vulnerabilities Challenge
3. Future Approaches

1. Dependency Management
Company Confidential & Proprietary 4

Old School Dependencies
1. Find useful third party code
2. Copy and paste it into your project
3. Move on

The CDN Approach
1. Find useful third party code
2. Find a CDN that hosts it
3. Copy/paste a link into your website headers
4. Move on
Early Package Management
1. Browse registry, select a package
2. Add dependency to a package file
3. Stay always up to date because every time you install you get the newest version

AKA Dependency Roulette
▪ Always installs the latest version
▪ Team members might run different versions
▪ It usually works, sometimes doesn’t

Modern Package Management
1. Declare dependencies like before
2. Commit a lock file
3. Get same results every install

2. The Vulnerabilities Challenge

Open Source Vulnerabilities Are Rising

How Vulnerability Alert Services Work
▪ Scans your source code regularly to detect third party code (“dependencies”)
▪ Cross-matches that against a database of known vulnerabilities
▪ Notifies you/your team of any new vulnerability
▪ May include expert advice on how to fix
▪ May even offer a Pull Request to fix it

The Dependency Fire Alarm Routine
▪ The vulnerability might be VERY important
▪ Your company might rely on you remediating the vulnerability immediately
▪ However, you are 18 months and 10 releases out of date

“I wish it was just a patch...”
-- Every developer when facing a vulnerability in a long-forgotten dependency

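What the alert-service slide describes, cross-matching the exact versions in a lock file against an advisory database, as an added example that is not any vendor's scanner. It also computes the distance to the fix that turns an alert into the fire-alarm routine above: with the constructed release history below, the critical finding sits exactly 18 months and 10 releases behind its fix, and the remediation target is the smallest version that clears every finding for the package. Node.js, no third-party packages; the advisory identifiers, package names, release dates and lock contents are all constructed.

```javascript
// Added example, not any vendor's scanner: the core of a vulnerability alert
// service (cross-match lock-file versions against an advisory database) plus
// the "how far behind am I" measurement. Node.js, no third-party packages.
// Advisory ids, package names, release history and lock contents are constructed.

// Compare two "major.minor.patch" strings; pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Advisories in the shape OSV-style databases use: the vulnerability is
// present from `introduced` (inclusive) up to `fixed` (exclusive).
const ADVISORIES = [
  { id: 'EXAMPLE-2019-0001', package: 'yaml-thing', severity: 'critical',
    introduced: '1.0.0', fixed: '2.4.1', summary: 'unsafe deserialization of untrusted input' },
  { id: 'EXAMPLE-2018-0007', package: 'yaml-thing', severity: 'high',
    introduced: '1.0.0', fixed: '1.2.0', summary: 'prototype pollution when merging documents' },
  { id: 'EXAMPLE-2019-0002', package: 'tiny-http', severity: 'moderate',
    introduced: '0.3.0', fixed: '0.3.9', summary: 'header injection via CR/LF' },
];

// Release history as a registry reports it: [version, publish date] (constructed).
const RELEASES = {
  'yaml-thing': [
    ['1.0.0', '2017-06-01'], ['1.1.0', '2017-09-10'], ['1.2.0', '2017-12-05'],
    ['1.3.0', '2018-01-20'], ['2.0.0', '2018-03-20'], ['2.1.0', '2018-05-01'],
    ['2.2.0', '2018-07-02'], ['2.2.1', '2018-08-10'], ['2.3.0', '2018-09-15'],
    ['2.3.1', '2018-11-01'], ['2.4.0', '2019-01-08'], ['2.4.1', '2019-03-10'],
  ],
  'tiny-http': [['0.3.0', '2018-11-01'], ['0.3.9', '2019-03-01']],
  'left-pad-ish': [['1.4.0', '2018-01-01']],
};

// What the scanner extracted from the repository's lock file (constructed).
const LOCKED = [
  { name: 'yaml-thing', version: '1.1.0' },
  { name: 'tiny-http', version: '0.3.9' },
  { name: 'left-pad-ish', version: '1.4.0' },
];

const SEVERITY_RANK = { critical: 0, high: 1, moderate: 2, low: 3 };

function isAffected(version, adv) {
  return compareVersions(version, adv.introduced) >= 0 && compareVersions(version, adv.fixed) < 0;
}

// Distance from the installed version to the first fixed one: intermediate
// releases to absorb, and the age gap between the two publish dates.
// Null when the registry history does not list one of the versions.
function distanceToFix(pkg, installed, fixed) {
  const history = RELEASES[pkg] || [];
  const from = history.findIndex(([v]) => v === installed);
  const to = history.findIndex(([v]) => v === fixed);
  if (from < 0 || to < 0) return { releasesBehind: null, daysBehind: null };
  const days = (Date.parse(history[to][1]) - Date.parse(history[from][1])) / 86_400_000;
  return { releasesBehind: to - from, daysBehind: Math.round(days) };
}

// Cross-match every locked dependency against every advisory; most severe first.
function scan(locked, advisories) {
  const findings = [];
  for (const dep of locked) {
    for (const adv of advisories) {
      if (adv.package !== dep.name || !isAffected(dep.version, adv)) continue;
      findings.push({
        name: dep.name, installed: dep.version, advisory: adv.id, severity: adv.severity,
        summary: adv.summary, fixedIn: adv.fixed, ...distanceToFix(dep.name, dep.version, adv.fixed),
      });
    }
  }
  return findings.sort((x, y) => SEVERITY_RANK[x.severity] - SEVERITY_RANK[y.severity]);
}

// The version each package must reach so that *all* its findings clear:
// the highest `fixedIn` among them.
function remediationTargets(findings) {
  const targets = {};
  for (const f of findings) {
    if (!targets[f.name] || compareVersions(f.fixedIn, targets[f.name]) > 0) targets[f.name] = f.fixedIn;
  }
  return targets;
}

const findings = scan(LOCKED, ADVISORIES);
for (const f of findings) {
  console.log(`[${f.severity}] ${f.name}@${f.installed}: ${f.advisory} (${f.summary}); ` +
    `fixed in ${f.fixedIn}, ${f.releasesBehind} releases and ${f.daysBehind} days behind`);
}
console.log('upgrade targets:', remediationTargets(findings));
```

Note that `tiny-http@0.3.9` produces no finding because the `fixed` bound is exclusive; an off-by-one there is a classic scanner bug in both directions (false alarms on the fixed version, or silence on the last vulnerable one). The 10-release, 546-day jump for `yaml-thing` is the quote above in numbers: the fix is a patch release, but reaching it means crossing a major version.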
Dependency Automation
▪ Your computer and phone keep themselves automatically up-to-date, so why can’t your software project?

How Dependency Automation Tools Work
▪ Scans your software project for dependency declarations
▪ Checks if updated versions exist
▪ Submits Pull Requests including Release Notes
▪ Supports grouping and scheduling according to user preferences

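The four steps above as a single bot run, as an added example; this is not Renovate's code, and Renovate's real configuration, schedule syntax and grouping logic are richer than this sketch. It finds newer versions, proposes a same-major update and a major update separately so a breaking change never hides a safe one, merges packages that match a grouping rule into one PR with the collected release notes, and only opens PRs inside a schedule window. Node.js, no third-party packages; the registry, release notes, repository dependencies, config shape and clock are all constructed.

```javascript
// Added example, not Renovate's code: the minimal loop a dependency-update
// bot runs (scan declarations, check the registry, group, schedule, open PRs
// with release notes). Node.js, no third-party packages. Registry contents,
// release notes, repository dependencies, config shape and clock are constructed.

function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function updateType(from, to) {
  const [fMaj, fMin] = from.split('.').map(Number);
  const [tMaj, tMin] = to.split('.').map(Number);
  return tMaj !== fMaj ? 'major' : tMin !== fMin ? 'minor' : 'patch';
}

// Constructed registry view: every published version, plus the release notes
// the bot would paste into the PR body.
const REGISTRY = {
  'yaml-thing': ['1.0.0', '1.1.0', '1.2.0', '2.4.1'],
  '@lint/core': ['5.0.0', '5.1.0'],
  '@lint/plugin-security': ['5.0.0', '5.1.0'],
  'tiny-http': ['0.3.9', '0.3.10'],
};
const RELEASE_NOTES = {
  'yaml-thing@1.2.0': 'Fix prototype pollution when merging documents',
  'yaml-thing@2.4.1': 'Fix unsafe deserialization; drops Node 6 support',
  '@lint/core@5.1.0': 'New rule: no-unsanitized-html',
  '@lint/plugin-security@5.1.0': 'Requires @lint/core 5.1',
  'tiny-http@0.3.10': 'Reject header values containing CR/LF',
};

// Step 1: what the repository declares (exact versions from its lock file).
const DECLARED = {
  'yaml-thing': '1.1.0',
  '@lint/core': '5.0.0',
  '@lint/plugin-security': '5.0.0',
  'tiny-http': '0.3.9',
};

// Hypothetical config (not Renovate's syntax): group related packages into
// one PR, keep majors separate, and only open PRs on weekdays before 06:00 UTC.
const CONFIG = {
  separateMajorMinor: true,
  groups: [{ name: 'lint tooling', matchPrefix: '@lint/' }],
  schedule: { weekdays: [1, 2, 3, 4, 5], beforeHourUtc: 6 },
};

// Step 2: which versions to propose for one dependency. With separateMajorMinor,
// the newest same-major version and the newest version overall each get a
// proposal when they differ. Step 3: release notes for every release between
// the current version and the target.
function proposals(name, current, available, config) {
  const newer = available.filter((v) => compareVersions(v, current) > 0).sort(compareVersions);
  if (newer.length === 0) return [];
  const latest = newer[newer.length - 1];
  const sameMajor = newer.filter((v) => updateType(current, v) !== 'major');
  const targets = [];
  if (config.separateMajorMinor && sameMajor.length && updateType(current, latest) === 'major') {
    targets.push(sameMajor[sameMajor.length - 1]);
  }
  targets.push(latest);
  return targets.map((to) => ({
    name, from: current, to, type: updateType(current, to),
    releaseNotes: newer
      .filter((v) => compareVersions(v, to) <= 0)
      .map((v) => `${name}@${v}: ${RELEASE_NOTES[`${name}@${v}`] || '(no release notes published)'}`),
  }));
}

// Step 4a: grouping. A matching rule merges updates into one PR; major updates
// always get their own PR in this example.
function groupIntoPrs(updates, config) {
  const byKey = new Map();
  for (const u of updates) {
    const rule = config.groups.find((g) => u.name.startsWith(g.matchPrefix));
    const key = rule && u.type !== 'major' ? rule.name : `${u.name} (${u.type})`;
    if (!byKey.has(key)) byKey.set(key, []);
    byKey.get(key).push(u);
  }
  return [...byKey].map(([key, members]) => ({
    title: `Update ${key}${members.length > 1 ? ` (${members.length} packages)` : ''}`,
    updates: members,
    body: members.flatMap((m) => [`${m.name}: ${m.from} -> ${m.to} (${m.type})`, ...m.releaseNotes]).join('\n'),
  }));
}

// Step 4b: scheduling. Outside the window the PRs are computed but not opened.
function inSchedule(schedule, now) {
  return schedule.weekdays.includes(now.getUTCDay()) && now.getUTCHours() < schedule.beforeHourUtc;
}

function run(declared, registry, config, now) {
  const updates = Object.entries(declared).flatMap(([name, current]) =>
    proposals(name, current, registry[name] || [], config));
  return { inWindow: inSchedule(config.schedule, now), prs: groupIntoPrs(updates, config) };
}

const result = run(DECLARED, REGISTRY, CONFIG, new Date('2019-05-13T03:00:00Z')); // a Monday
console.log(result.inWindow ? 'inside schedule window, opening PRs:' : 'outside schedule window, deferring:');
for (const pr of result.prs) console.log(`- ${pr.title}\n  ${pr.body.replace(/\n/g, '\n  ')}`);
```

The run yields four PRs: a minor and a separate major for `yaml-thing`, one grouped PR for the two `@lint/*` packages, and a patch for `tiny-http`. Grouping is what keeps the fire hose manageable; separating majors is what keeps a reviewer from rubber-stamping a breaking change hidden inside a routine bump.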
Dependency Fire Hoses
▪ Being “relatively” up-to-date with dependencies significantly reduces the time and risk of remediating vulnerable dependencies
▪ Staying up-to-date may even mean patching vulnerabilities before they’re announced
▪ Naturally, any bug fixes are an added bonus
▪ However, there can really be a lot of updates in any week or month

Current Best Practices
▪ Vulnerabilities:
  ▪ Know what you’re using, and if any are vulnerable
  ▪ Have a process for managing vulnerability remediation
  ▪ Automatically remediate when available
▪ Updates:
  ▪ Use an automated tool for processing dependency updates
  ▪ Adjust the schedule according to your team’s needs
  ▪ More up-to-date = less vulnerability risk

3. Future Approaches

Recapping Dependency Maturity Levels
▪ Copy/paste third party code
  ▪ Very high risk. Likely never updated, may have vulnerabilities and bugs
▪ Use dependency ranges
  ▪ High risk. Different versions could be installed on every machine
▪ Use lock files
  ▪ Medium risk. Predictable builds but dependencies won’t “update themselves”
▪ Use automated dependency updates
  ▪ Lowest risk (when combined with lock files)
  ▪ Know whenever there’s an update, and review the Release Notes

What’s Left To Do?
▪ It can be quite a lot of work to continuously update dependencies
▪ The earlier you adopt a new version after release, the higher chance it has an undiscovered bug that you get to discover

Safety Through Crowd Testing
▪ “Have good test coverage” is a common suggestion, but it’s not your job to test the entirety of your dependencies either
▪ If your tests pass with a new version, how confident are you that nothing will go wrong?
▪ What if you could know that tests also passed for 200 other companies using the same dependency?

Safety Through Crowd Adoption
▪ Passing everyone’s tests is a very good sign, but sometimes bugs can still slip through
▪ What if you could wait until X companies or Y% of companies have already upgraded for a week?
▪ What if you could skip any upgrade that saw multiple users roll back the new version?

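The crowd-testing and crowd-adoption rules from the two slides above as one decision function, as an added example; it is not a description of how WhiteSource Renovate actually collected or scored such data. Each release is judged `safe` (open the PR), `wait` (not enough adopters past the soak period yet; re-check later) or `skip` (the crowd already found a problem: rollbacks or failing CI). Node.js, no third-party packages; the companies, dates, CI results, crowd size and thresholds are all constructed.

```javascript
// Added example, not how WhiteSource Renovate actually gathered or scored its
// "safe" data: the "X companies or Y% for a week, and no pile of rollbacks"
// rule from the slides as code. Node.js, no third-party packages. Every
// company, date, CI result, crowd size and threshold below is constructed.

// One record per company that took a release: when it merged, what its own
// CI said on the new version, and whether it later reverted.
function makeRecords(count, upgradedAt, { failures = 0, rollbacks = 0 } = {}) {
  return Array.from({ length: count }, (_, i) => ({
    company: `company-${i + 1}`, // constructed
    upgradedAt,
    ciResult: i < failures ? 'fail' : 'pass',
    rolledBack: i < rollbacks,
  }));
}

const CROWD_SIZE = 200; // companies in the crowd using these packages (constructed)

// Constructed telemetry for three releases.
const TELEMETRY = {
  'yaml-thing@2.4.1': makeRecords(30, '2019-03-12', { failures: 1, rollbacks: 1 }), // security fix, widely taken
  'yaml-thing@2.5.0': makeRecords(5, '2019-03-22'),                                  // published three days ago
  'tiny-http@0.3.10': makeRecords(40, '2019-03-10', { failures: 8, rollbacks: 6 }),  // the crowd is reverting it
};

// Either an absolute adopter count or a share of the crowd, after a soak
// period, and limits on the negative signals.
const POLICY = { minAdopters: 20, minFraction: 0.10, soakDays: 7, maxRollbacks: 1, minPassRate: 0.95 };

// Returns 'safe' (open the PR), 'wait' (not enough evidence yet, re-check
// later) or 'skip' (the crowd has already found a problem).
function assess(release, records, crowdSize, policy, now) {
  const nowMs = +now;
  const soaked = records.filter((r) => (nowMs - Date.parse(r.upgradedAt)) / 86_400_000 >= policy.soakDays);
  const rollbacks = records.filter((r) => r.rolledBack).length;
  const passRate = records.length ? records.filter((r) => r.ciResult === 'pass').length / records.length : 0;
  const reasons = [];
  let verdict = 'safe';
  // Negative signals first: they decide 'skip' regardless of adoption counts.
  if (rollbacks > policy.maxRollbacks) {
    verdict = 'skip';
    reasons.push(`${rollbacks} rollbacks (max ${policy.maxRollbacks})`);
  }
  if (records.length && passRate < policy.minPassRate) {
    verdict = 'skip';
    reasons.push(`CI pass rate ${passRate.toFixed(2)} below ${policy.minPassRate}`);
  }
  // Then the evidence threshold: enough adopters past the soak, by count or by share.
  const enough = soaked.length >= policy.minAdopters || soaked.length / crowdSize >= policy.minFraction;
  if (verdict === 'safe' && !enough) {
    verdict = 'wait';
    reasons.push(`${soaked.length} adopters past the ${policy.soakDays}-day soak ` +
      `(need ${policy.minAdopters} or ${policy.minFraction * 100}% of ${crowdSize})`);
  }
  return { release, verdict, adopters: records.length, soaked: soaked.length, rollbacks, passRate, reasons };
}

function assessAll(telemetry, crowdSize, policy, now) {
  return Object.fromEntries(
    Object.entries(telemetry).map(([rel, recs]) => [rel, assess(rel, recs, crowdSize, policy, now)]));
}

const NOW = Date.parse('2019-03-25T00:00:00Z'); // constructed "today"
for (const r of Object.values(assessAll(TELEMETRY, CROWD_SIZE, POLICY, NOW))) {
  console.log(`${r.release}: ${r.verdict.toUpperCase()} (${r.soaked}/${r.adopters} adopters past soak, ` +
    `${r.rollbacks} rollbacks, pass rate ${r.passRate.toFixed(2)})` +
    (r.reasons.length ? ' - ' + r.reasons.join('; ') : ''));
}
```

Two design points worth keeping whatever the thresholds: negative signals (rollbacks, failing CI) must win over adoption counts, otherwise a widely taken but broken release scores as safe; and `wait` is distinct from `skip`, so a young release is re-evaluated rather than discarded. The trade-off the slide before this one names remains: the longer everyone waits for the crowd, the smaller the crowd.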
WhiteSource Renovate – Safe Dependency Updates
▪ At its core, an open source project: https://github.com/renovatebot/renovate
▪ 100+ contributors, daily releases
▪ Very wide platform support (GitHub, GitLab, Bitbucket, Azure DevOps)
▪ 40+ package managers supported (npm, Yarn, Gradle, Maven, Poetry, Go Modules, Dockerfile, etc)
▪ Thousands of participating users and companies to gather “safe” dependency data from

Thank You!
