The importance of understanding and assuring the trustworthiness of external dependencies in software applications
- Modern software components contain a selection of external dependencies whose provenance is unknown
- Assuring the trustworthiness of dependencies is often ignored by organizations and their engineering teams
- Efficient, automated pipelines can be used to audit dependencies for vulnerabilities and license obligations, assess them against the organization’s security policies, and ultimately provide the ability to control which dependencies can be used and deployed within the organization
Software engineers often know little about the dependencies they pull into their applications, particularly the indirect (transitive) ones. Jetstack's cert-manager products have around 1500 dependencies, of which only about 30 are direct. Reviewing such a vast dependency tree by hand is impractical for typical applications.
It is a truth universally acknowledged that almost every modern software component contains a selection of external dependencies whose provenance is unknown. Another truth is that no dependency should be trusted until proven trustworthy. This second truth, though, is often ignored by organisations and their engineering teams, who argue that assuring the trustworthiness of dependencies is too complex, too time-consuming and has a detrimental impact on development velocity. This talk will describe how Jetstack has worked with several clients in the financial services and defence sectors to help them develop dependency assurance mechanisms and processes that allow greater visibility and insight into the dependencies used and their impact on the clients’ risk and security postures. The audience will learn how modern tooling and practices can be used to create efficient, automated pipelines that audit dependencies for vulnerabilities and licence obligations, assess them against the organisation’s security policies and ultimately provide the ability to control which dependencies can be used and deployed within the organisation.
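The policy gate at the heart of the pipeline described above, as an added example that is not Jetstack's or any client's tooling: it takes an SBOM-style inventory (constructed here, with placeholder module names), a licence allow-list and an advisory list, and returns the findings that would block a build. The advisory format (module name to first fixed version) and the allow-list are assumptions of this example, not a standard.

```python
"""Policy gate for a dependency inventory (added example, not Jetstack's tooling).

Assumed inputs: an SBOM-like list of modules with name, version, licence and a
direct/transitive flag; a constructed advisory list; a licence allow-list taken
from an (assumed) organisational policy.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Dependency:
    name: str
    version: str      # semantic version, optionally prefixed with "v"
    license: str      # SPDX identifier as recorded in the SBOM
    direct: bool      # False for transitive dependencies

@dataclass
class Policy:
    allowed_licenses: frozenset   # SPDX identifiers the organisation accepts
    advisories: dict              # module name -> first version containing the fix

def parse_semver(v: str) -> tuple:
    """Turn "v1.10.2" into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.lstrip("v").split("."))

def evaluate(deps, policy):
    """Return (module, reason) findings; an empty list means the build may proceed."""
    findings = []
    for d in deps:
        if d.license not in policy.allowed_licenses:
            findings.append((d.name, f"licence {d.license} not in allow-list"))
        fixed_in = policy.advisories.get(d.name)
        if fixed_in and parse_semver(d.version) < parse_semver(fixed_in):
            kind = "direct" if d.direct else "transitive"
            findings.append((d.name, f"{kind} dependency {d.version} predates fix {fixed_in}"))
    return findings

# Constructed inventory and policy; module names and advisories are placeholders.
INVENTORY = [
    Dependency("example.org/webframework", "v1.4.2", "Apache-2.0", direct=True),
    Dependency("example.org/yamlparser", "v2.0.1", "MIT", direct=False),
    Dependency("example.org/crypto-util", "v0.9.0", "GPL-3.0-only", direct=False),
]
POLICY = Policy(
    allowed_licenses=frozenset({"Apache-2.0", "MIT", "BSD-3-Clause"}),
    advisories={"example.org/yamlparser": "v2.1.0"},
)

if __name__ == "__main__":
    for name, reason in evaluate(INVENTORY, POLICY):
        print(f"BLOCK {name}: {reason}")
```

Note that the transitive yamlparser finding would never surface from a review of the 30-odd direct dependencies alone, which is why the gate has to run over the full resolved tree.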