Keeping dependencies up to date is best practice. Applying security updates is a must. Spending no time on either is what we would really like.
We have built dogmatic approaches, software, and processes around the topic of software dependencies.
We built whole companies and open-source automation chains around this problem, which is essentially dependency creep and the over-use of libraries. Some applications install hundreds to thousands of libraries in various versions. Often, only a very small part of a library's functionality is used. The rest is just stuff that isn't needed, yet we must manage it, update it, and review it whenever a scanner flags something.
How did we end up here?
Access to libraries and other people's code has never been easier. There are multiple projects solving the same problem using a different approach or style. Something for everyone and anyone's needs.
It has never been easier to build and release new software products to the world. This is fantastic and enables people to create better lives for themselves and their families. Creating and maintaining open-source libraries has also become part of cultivating your resume as a developer.
But not all is great!
Very often, a small functionality is required to solve a problem. A quick search reveals a library. We add the library to our dependency management. The code snippet in the README.md solved the problem, and we moved on. Now, we have an extra universe of functionality, dependencies, and potential problems.
What could have been a different way?
Design and create the functionality yourself? Get inspired by the open-source project, or by a piece of code on StackOverflow, on how it could be implemented, and write it ourselves. Is it worth it?
It depends on the dependency.
Software dependencies can help to create new products and functionality quickly and easily. But they come with many unknown and hidden problems we have to account for.
Being more in control of your code and product reduces the risks of dependencies disappearing, being compromised by malicious actors, or being exposed to security vulnerabilities in your dependency tree.
Dependencies do have their benefits.
Using popular open-source libraries can lead to more secure code. Recreating your own authentication or cryptography system might not be a great idea. With many eyes on the codebase, problems are quickly identified and fixed. The best approach is somewhere in between.
Choose dependencies carefully and review how much extra is coming in with them. Consider building smaller functions yourself and base them on existing libraries. For libraries that provide more functionality or are core to the product, vet them properly and follow their updates closely. Wrap them where possible so you have better interfaces to control them.
Reducing the dependencies makes it much easier to keep them up to date and ultimately reduces the risk of supply chain attacks.
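As an added example (not code from the original post), a small Python script for the "review how much extra is coming in" step: it reads a constructed structure in the shape of an npm package-lock.json (lockfileVersion 3) and counts how many transitive packages each direct dependency pulls in. It assumes a flat install, where every package sits at node_modules/<name>, and the package names in the sample are made up.

```python
import json
from collections import deque

# Constructed sample in the shape of an npm package-lock.json (lockfileVersion 3).
# The "" entry is the root project; every other key is assumed to be a flat
# node_modules/<name> path. Package names are invented for the example.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"left-pad-ish": "^1.0.0", "http-client": "^2.0.0"}},
        "node_modules/left-pad-ish": {"version": "1.0.0"},
        "node_modules/http-client": {
            "version": "2.0.0",
            "dependencies": {"url-parse": "^1.5.0", "retry": "^0.13.0"},
        },
        "node_modules/url-parse": {
            "version": "1.5.10",
            "dependencies": {"querystringify": "^2.1.1"},
        },
        "node_modules/querystringify": {"version": "2.2.0"},
        "node_modules/retry": {"version": "0.13.1"},
    },
})


def transitive_closure(packages: dict, name: str) -> set:
    """Every package reachable from `name` (excluding `name`), cycle-safe."""
    seen, queue = {name}, deque([name])
    while queue:
        current = queue.popleft()
        entry = packages.get(f"node_modules/{current}", {})
        for dep in entry.get("dependencies", {}):
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen - {name}


def dependency_footprint(lock_json: str) -> dict:
    """Map each direct dependency to the number of packages it drags in."""
    lock = json.loads(lock_json)
    packages = lock["packages"]
    direct = packages.get("", {}).get("dependencies", {})
    return {name: len(transitive_closure(packages, name)) for name in direct}


if __name__ == "__main__":
    footprint = dependency_footprint(SAMPLE_LOCK)
    for name, count in sorted(footprint.items(), key=lambda kv: -kv[1]):
        print(f"{name}: {count} transitive packages")
```

Point it at a real lock file by replacing SAMPLE_LOCK with the file's contents; the direct dependency with the largest count is the first candidate for replacing with a small function of your own.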
Link Of The Week
GitHub's approach to delivering availability, security, and accessibility
Being a massive development organization, GitHub developed internal tooling to stay on top of the fundamental traits of any application. This blog post outlines a good way to automate the collection of that metadata so the overall picture stays in view.
Working Together?
Thank you for reading along. If you have feedback or questions, message me anytime at andy@occamslabs.com. If you want to work together, here are a few different ways I can help you:
Security audit of your systems
Improving the security of your current systems
Designing secure systems from the ground up