Dependency Awareness

tag: [Engineer/Developer, Security Specialist]

Dependency awareness is the practice of understanding and managing all the external libraries, frameworks, and components that a software project relies on. Dependencies can introduce vulnerabilities and risks, which means it's important to keep track of them and ensure they are secure.

Importance of Dependency Awareness

1. Security Risks

   • Dependencies can contain vulnerabilities that may be exploited by threat actors.

2. Compliance

   • Ensuring that dependencies comply with licensing and regulatory requirements is essential to avoid legal issues.

3. Maintainability

   • Understanding dependencies and their impact on the project will help understand if it's possible to update a dependency used by your application.

Best Practices for Dependency Awareness

1. Use Dependency Management Tools

   • Leverage tools that can automatically track and manage dependencies. Examples include:
     • Web2:
       • Snyk: Monitors and fixes vulnerabilities in dependencies.
       • Dependabot: Automatically updates dependencies in GitHub projects.
     • Solidity:
       • Ethlint: Analyzes and lints Solidity code, including dependencies.
       • MythX: Scans for vulnerabilities in smart contract dependencies.

2. Regularly Update Dependencies

   • Regularly update dependencies to the latest secure versions after verifying them.

3. Monitor for Vulnerabilities

   • Continuously monitor dependencies for known vulnerabilities using tools like Snyk, npm audit, and GitHub Security Alerts.

4. Audit Dependencies

   • Perform regular audits of dependencies to ensure they are necessary and secure. Remove unused or outdated dependencies.

5. Use Trusted Sources

   • Only use dependencies from trusted and reputable sources. Avoid using unverified or poorly maintained libraries.