際際滷

際際滷Share a Scribd company logo

Know your dependencies

Janos Szendi-Varga
Janos Szendi-Varga

This document discusses the risks of dependencies in software and provides examples of dependency graphs that can include hundreds or thousands of nodes. It recommends using a solution like GraphAware to gain visibility into an application's full dependency network in order to identify security vulnerabilities or outdated packages. GraphAware uses Neo4j to map dependencies as a graph database for analysis.

1 of 24
Download to read offline
赫姻温沿鞄粥敬温姻艶速 Know your dependencies It is a real risk in your software Janos Szendi-Varga GraphAware
Janos Szendi-Varga Senior Consultant @GraphAware Twitter: @szenyo Email: janos@graphaware.com About me 赫姻温沿鞄粥敬温姻艶速
GraphAware Clients
What is this?
Jenga tower of JavaScript Azer Ko巽ulu, 273 modules in NPM Kik module The story began with an email from a lawyer Hahah, youre actually being a d#%k, So, f#%k you. Dont email me back. NPM statement Change the ownership Leaving NPM Left-pad was fetched 2,486,696 downloads in just the last month Un-unpublishing Left-pad incident 赫姻温沿鞄粥敬温姻艶速
赫姻温沿鞄粥敬温姻艶速 Quote The fundamental act of friendship among programmers is the sharing of programs Stallman wrote in his 1985 manifesto (GNU Manifesto).
Random LinkedIn Ad 赫姻温沿鞄粥敬温姻艶速
If you develop your open or closed source software, you must be aware of a few facts: In average 80 percent of the applications consists of third-party components, mostly open source Almost 50 percent of the third-party software components of those applications are outdated, a few years old A more secure version of the software component available in almost every case. Its estimated that only about 10% of the Fortune 100 companies monitor their use of open-source code Theres something like a million di鍖erent open-source projects on the internet, and any one piece of vulnerable code could be used by hundreds of companies. In a medium size project there are over 1,500 dependent software packages, not counting di鍖erent versions of the same package or any packages developed internally for reuse. Not so Fun Facts 赫姻温沿鞄粥敬温姻艶速
Technical issues, bugs New releases Legal compliance issues Security threats, vulnerabilities Bus factor for dependencies: https://en.wikipedia.org/wiki/Bus_factor Issues you involved 赫姻温沿鞄粥敬温姻艶速
赫姻温沿鞄粥敬温姻艶速 Quote You should have the visibility and the control over your software product dependency, to have the proper business continuity. todays takeaway from me
Many-many solutions Gitlinks https://www.gitlinks.com JFrog X-Ray https://www.jfrog.com/xray/ Sonatype Nexus http://www.sonatype.org/nexus/ libraries.io https://libraries.io DIY Solutions 赫姻温沿鞄粥敬温姻艶速
libraries.io 赫姻温沿鞄粥敬温姻艶速
赫姻温沿鞄粥敬温姻艶速
Neo4j (Neo4j Platform) The Neo4j native graph database Graph analytics Data integration The Cypher graph query language is the bridge to big data analytic tooling Graph visualisation and discovery Enterprise architecture underlies and supports massive graph data GraphAware Databridge Graph Algorithms Neo4j plugin My DIY solution 赫姻温沿鞄粥敬温姻艶速
Schema
も !"Licenses" !pcs" ! !"MIT" !756425! "######################################################################$######% ! !677470! "######################################################################$######% !"Apache-2.0" !248775! "######################################################################$######% !"Other" !110012! "######################################################################$######% !"ISC" !104508! "######################################################################$######% !"BSD-3-Clause" !94043 ! "######################################################################$######% !"GPL-3.0" !35251 ! "######################################################################$######% !"BSD-2-Clause" !21201 ! "######################################################################$######% !"Artistic-1.0-Perl" !18516 ! "######################################################################$######% !"AGPL-3.0" !17405 ! "######################################################################$######% Licenses 赫姻温沿鞄粥敬温姻艶速
Centralities: Page Rank (algo.pageRank) Betweenness Centrality (algo.betweenness) Closeness Centrality (algo.closeness) Community Detection: Louvain (algo.louvain) Label Propagation (algo.labelPropagation) (Weakly) Connected Components (algo.unionFind) Strongly Connected Components (algo.scc) Triangle Count / Clustering Coe鍖cient (algo.triangleCount) Path Finding: Minimum Weight Spanning Tree (algo.mst) All Pairs- and Single Source - Shortest Path (algo.shortestPath, algo.allShortestPaths) The Graph Algorithms 赫姻温沿鞄粥敬温姻艶速
赫姻温沿鞄粥敬温姻艶速 rank url score 1 http://expressjs.com/ 8172.573038999997 2 http://junit.org/ 7709.026125499998 3 https://mochajs.org 7324.665977000001 4 https://github.com/ruby/rake 5209.688505499999 5 http://expressjs.com 6950.314272500002 6 http://gruntjs.com/ 3945.8917605000006 7 https://phpunit.de/ 3114.4085855 8 http://gulpjs.com 3021.2432475000005 9 http://github.com/rspec 2979.8457910000006 10 http://chaijs.com 2775.124208999999 PageRank example
Java backend, Maven 55 dependencies (32 external, 23 internal) 32 external project means 90 transitive 2nd degree dependencies 293 3rd degree dependencies compile, provided, runtime, test scopes Node.js frontend 121 dependencies (12 internal, 109 external) 109 external project means 1412 transitive 2nd degree dependencies 3600 di鍖erent 3rd degree dependencies 赫姻温沿鞄粥敬温姻艶速 Random Corporate System (RCS)
赫姻温沿鞄粥敬温姻艶速
OWASP Top 10: "Using Components with Known Vulnerabilities CVE: Common Vulnerabilities and Exposures CVE-2017-14359 NVD: National Vulnerability Database CSV 鍖les to download and ingest into our DB Possible defense or attack strategies: Top-down Bottom-up Security 赫姻温沿鞄粥敬温姻艶速
ElasticSearch for full-text search on descriptions Security vulnerabilities ingestion NLP to create knowledge graphs Embed into releasing process More insights from the data Future improvements 赫姻温沿鞄粥敬温姻艶速
Summary Your software looks rather like this than an individual node.
www.graphaware.com janos@graphaware.com Thank you! 赫姻温沿鞄粥敬温姻艶速

More Related Content

Know your dependencies

  • 1. 赫姻温沿鞄粥敬温姻艶速 Know your dependencies It is a real risk in your software Janos Szendi-Varga GraphAware
  • 2. Janos Szendi-Varga Senior Consultant @GraphAware Twitter: @szenyo Email: janos@graphaware.com About me 赫姻温沿鞄粥敬温姻艶速
  • 5. Jenga tower of JavaScript Azer Ko巽ulu, 273 modules in NPM Kik module The story began with an email from a lawyer Hahah, youre actually being a d#%k, So, f#%k you. Dont email me back. NPM statement Change the ownership Leaving NPM Left-pad was fetched 2,486,696 downloads in just the last month Un-unpublishing Left-pad incident 赫姻温沿鞄粥敬温姻艶速
  • 6. 赫姻温沿鞄粥敬温姻艶速 Quote The fundamental act of friendship among programmers is the sharing of programs Stallman wrote in his 1985 manifesto (GNU Manifesto).
  • 8. If you develop your open or closed source software, you must be aware of a few facts: In average 80 percent of the applications consists of third-party components, mostly open source Almost 50 percent of the third-party software components of those applications are outdated, a few years old A more secure version of the software component available in almost every case. Its estimated that only about 10% of the Fortune 100 companies monitor their use of open-source code Theres something like a million di鍖erent open-source projects on the internet, and any one piece of vulnerable code could be used by hundreds of companies. In a medium size project there are over 1,500 dependent software packages, not counting di鍖erent versions of the same package or any packages developed internally for reuse. Not so Fun Facts 赫姻温沿鞄粥敬温姻艶速
  • 9. Technical issues, bugs New releases Legal compliance issues Security threats, vulnerabilities Bus factor for dependencies: https://en.wikipedia.org/wiki/Bus_factor Issues you involved 赫姻温沿鞄粥敬温姻艶速
  • 10. 赫姻温沿鞄粥敬温姻艶速 Quote You should have the visibility and the control over your software product dependency, to have the proper business continuity. todays takeaway from me
  • 11. Many-many solutions Gitlinks https://www.gitlinks.com JFrog X-Ray https://www.jfrog.com/xray/ Sonatype Nexus http://www.sonatype.org/nexus/ libraries.io https://libraries.io DIY Solutions 赫姻温沿鞄粥敬温姻艶速
  • 14. Neo4j (Neo4j Platform) The Neo4j native graph database Graph analytics Data integration The Cypher graph query language is the bridge to big data analytic tooling Graph visualisation and discovery Enterprise architecture underlies and supports massive graph data GraphAware Databridge Graph Algorithms Neo4j plugin My DIY solution 赫姻温沿鞄粥敬温姻艶速
  • 16. も !"Licenses" !pcs" ! !"MIT" !756425! "######################################################################$######% ! !677470! "######################################################################$######% !"Apache-2.0" !248775! "######################################################################$######% !"Other" !110012! "######################################################################$######% !"ISC" !104508! "######################################################################$######% !"BSD-3-Clause" !94043 ! "######################################################################$######% !"GPL-3.0" !35251 ! "######################################################################$######% !"BSD-2-Clause" !21201 ! "######################################################################$######% !"Artistic-1.0-Perl" !18516 ! "######################################################################$######% !"AGPL-3.0" !17405 ! "######################################################################$######% Licenses 赫姻温沿鞄粥敬温姻艶速
  • 17. Centralities: Page Rank (algo.pageRank) Betweenness Centrality (algo.betweenness) Closeness Centrality (algo.closeness) Community Detection: Louvain (algo.louvain) Label Propagation (algo.labelPropagation) (Weakly) Connected Components (algo.unionFind) Strongly Connected Components (algo.scc) Triangle Count / Clustering Coe鍖cient (algo.triangleCount) Path Finding: Minimum Weight Spanning Tree (algo.mst) All Pairs- and Single Source - Shortest Path (algo.shortestPath, algo.allShortestPaths) The Graph Algorithms 赫姻温沿鞄粥敬温姻艶速
  • 18. 赫姻温沿鞄粥敬温姻艶速 rank url score 1 http://expressjs.com/ 8172.573038999997 2 http://junit.org/ 7709.026125499998 3 https://mochajs.org 7324.665977000001 4 https://github.com/ruby/rake 5209.688505499999 5 http://expressjs.com 6950.314272500002 6 http://gruntjs.com/ 3945.8917605000006 7 https://phpunit.de/ 3114.4085855 8 http://gulpjs.com 3021.2432475000005 9 http://github.com/rspec 2979.8457910000006 10 http://chaijs.com 2775.124208999999 PageRank example
  • 19. Java backend, Maven 55 dependencies (32 external, 23 internal) 32 external project means 90 transitive 2nd degree dependencies 293 3rd degree dependencies compile, provided, runtime, test scopes Node.js frontend 121 dependencies (12 internal, 109 external) 109 external project means 1412 transitive 2nd degree dependencies 3600 di鍖erent 3rd degree dependencies 赫姻温沿鞄粥敬温姻艶速 Random Corporate System (RCS)
  • 21. OWASP Top 10: "Using Components with Known Vulnerabilities CVE: Common Vulnerabilities and Exposures CVE-2017-14359 NVD: National Vulnerability Database CSV 鍖les to download and ingest into our DB Possible defense or attack strategies: Top-down Bottom-up Security 赫姻温沿鞄粥敬温姻艶速
  • 22. ElasticSearch for full-text search on descriptions Security vulnerabilities ingestion NLP to create knowledge graphs Embed into releasing process More insights from the data Future improvements 赫姻温沿鞄粥敬温姻艶速
  • 23. Summary Your software looks rather like this than an individual node.