Skip to content

Establishing Dependency Security: A Critical Component for Modern AppSec | Dana Crane | Jun, 2024

Original Post: The Need for a Dependency Security Discipline Within AppSec | by Dana Crane | Jun, 2024

The article discusses the differences between Application Security (AppSec) and Dependency Security (DepSec) in the context of modern software development. AppSec aims to identify, fix, and prevent security issues at the application level, typically focusing on proprietary code, third-party code, functional exploits, and infrastructure. In contrast, DepSec specifically addresses securing third-party components such as open source software (OSS).

Key points include:

  1. AppSec Challenges:

    • Proprietary Code: Security issues from poor coding practices.
    • Third-party Code: Vulnerabilities from third-party libraries.
    • Functional Exploits: Exploitable issues during application use.
    • Infrastructure: Security issues in development and deployment tools.

  2. DepSec Focus:

    • Differentiates from AppSec by focusing solely on third-party code.
    • Highlights the need to tackle OSS which comprises a significant portion of modern codebases but is not under the direct control of organizations.
    • Emphasizes trust issues and the exponential growth of OSS supply chain attacks.

  3. Complexity of DepSec:

    • Breadth: Multiple languages and repositories without industry-wide standards.
    • Depth: Extensive best practice controls requiring time and resources.
    • Change: Constantly evolving dependencies and the need for continuous monitoring.

  4. Current Landscape:

    • Increasing security budgets yet worse security outcomes indicate inefficiencies.
    • A significant percentage of dependencies downloaded are vulnerable.
    • Many organizations face software supply chain attacks.
  5. DepSec Methodology:
    • Proposes standardizing OSS handling to reduce costs and improve security outcomes.
    • Focus on enhancing processes and tools specific to OSS, distinct from AppSec.
    • Need for specialists in OSS security rather than generalists.

The article advocates for recognizing DepSec as a separate practice to improve software security and manage the complexities of third-party dependencies more effectively.

Go here to read the Original Post

Leave a Reply

Your email address will not be published. Required fields are marked *