Know your dependencies
GraphAware®
Know your dependencies
It is a real risk in your software
Janos Szendi-Varga
GraphAware
Janos Szendi-Varga
Senior Consultant @GraphAware
Twitter: @szenyo
Email: [email protected]
About me
GraphAware Clients
What is this?
Jenga tower of JavaScript
Azer Koçulu, 273 modules in NPM
Kik module
The story began with an email from a lawyer
“Hahah, you’re actually being a d#%k,” “So, f#%k you. Don’t email me back.”
NPM statement
Change the ownership
Leaving NPM
left-pad was downloaded 2,486,696 times in the last month alone
Un-unpublishing
Left-pad incident
Quote
”The fundamental act of friendship among programmers is the sharing of programs”
Stallman wrote in his 1985 manifesto (GNU Manifesto).
Random LinkedIn Ad
If you develop software, open or closed source, you must be aware of a few facts:
On average, 80 percent of an application consists of third-party components, mostly open source
Almost 50 percent of those third-party components are outdated, often by a few years
A more secure version of the component is available in almost every case
“It’s estimated that only about 10% of the Fortune 100 companies monitor their use of open-source code”
There’s something like a million different open-source projects on the internet, and any one piece of vulnerable code could be used by hundreds of companies.
In a medium size project there are over 1,500 dependent software packages, not counting different versions of the same package or any packages developed internally for reuse.
Not so Fun Facts
Technical issues, bugs
New releases
Legal compliance issues
Security threats, vulnerabilities
Bus factor for dependencies: https://en.wikipedia.org/wiki/Bus_factor
Issues you get involved in
Quote
”You should have the visibility and the control over your software product dependency, to have
the proper business continuity.”
today’s takeaway from me
Many, many solutions
Gitlinks https://www.gitlinks.com
JFrog X-Ray https://www.jfrog.com/xray/
Sonatype Nexus http://www.sonatype.org/nexus/
…
libraries.io https://libraries.io
DIY
Solutions
Neo4j (Neo4j Platform)
The Neo4j native graph database
Graph analytics
Data integration
The Cypher graph query language is the bridge to big data analytic tooling
Graph visualisation and discovery
Enterprise architecture underlies and supports massive graph data
GraphAware Databridge
Graph Algorithms Neo4j plugin
My DIY solution
Schema
Licenses             pcs
MIT                  756425
"" (none declared)   677470
Apache-2.0           248775
Other                110012
ISC                  104508
BSD-3-Clause          94043
GPL-3.0               35251
BSD-2-Clause          21201
Artistic-1.0-Perl     18516
AGPL-3.0              17405
Licenses
Centralities:
• Page Rank (algo.pageRank)
• Betweenness Centrality (algo.betweenness)
• Closeness Centrality (algo.closeness)
Community Detection:
• Louvain (algo.louvain)
• Label Propagation (algo.labelPropagation)
• (Weakly) Connected Components (algo.unionFind)
• Strongly Connected Components (algo.scc)
• Triangle Count / Clustering Coefficient (algo.triangleCount)
Path Finding:
• Minimum Weight Spanning Tree (algo.mst)
• All-Pairs and Single-Source Shortest Path (algo.shortestPath, algo.allShortestPaths)
The Graph Algorithms
rank  url                            score
1     http://expressjs.com/          8172.573038999997
2     http://junit.org/              7709.026125499998
3     https://mochajs.org            7324.665977000001
4     https://github.com/ruby/rake   5209.688505499999
5     http://expressjs.com           6950.314272500002
6     http://gruntjs.com/            3945.8917605000006
7     https://phpunit.de/            3114.4085855
8     http://gulpjs.com              3021.2432475000005
9     http://github.com/rspec        2979.8457910000006
10    http://chaijs.com              2775.124208999999
PageRank example
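The ranking above comes from running PageRank over the package graph the talk loaded into Neo4j. The Python below is an added example, not code from the talk or from the Neo4j graph algorithms plugin: it implements the same power-iteration PageRank over a small constructed dependency graph (the package names and edges are made up for illustration and carry no real data) so the "most depended-upon package" idea can be reproduced without a database. Edges point from a dependent to its dependency, so score flows down the tree and accumulates at the packages the ecosystem leans on; in-degree alone cannot separate two packages with the same number of direct dependents, while PageRank weights each dependent by how much is stacked on top of it.

```python
"""PageRank over a dependency graph (added example, not from the talk)."""

DAMPING = 0.85

# Constructed sample graph: package -> direct dependencies.
# Edges point from dependent to dependency.
DEPENDENCIES = {
    "app-a": ["express", "lodash", "left-pad"],
    "app-b": ["express", "mocha"],
    "app-c": ["grunt", "left-pad"],
    "express": ["debug", "left-pad"],
    "grunt": ["lodash", "debug"],
    "mocha": ["debug"],
    "lodash": [],    # leaf packages depend on nothing
    "left-pad": [],
    "debug": [],
}


def in_degree(graph, package):
    """Number of packages that depend directly on `package`."""
    return sum(package in deps for deps in graph.values())


def pagerank(graph, damping=DAMPING, tol=1e-12, max_iter=1000):
    """Power-iteration PageRank.

    Leaf packages are dangling nodes (no outgoing edge) and would leak score
    out of the system, so their mass is redistributed uniformly each round;
    that is the standard fix and keeps the scores summing to 1.
    """
    nodes = list(graph)
    n = len(nodes)
    score = {v: 1.0 / n for v in nodes}
    for _ in range(max_iter):
        dangling = sum(score[v] for v in nodes if not graph[v])
        base = (1.0 - damping) / n + damping * dangling / n
        new = {v: base for v in nodes}
        for src, deps in graph.items():
            if deps:
                share = damping * score[src] / len(deps)
                for dst in deps:
                    new[dst] += share
        delta = sum(abs(new[v] - score[v]) for v in nodes)
        score = new
        if delta < tol:
            break
    return score


def ranking(graph):
    """(package, score) pairs ordered by PageRank, highest first."""
    scores = pagerank(graph)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for rank, (pkg, score) in enumerate(ranking(DEPENDENCIES), start=1):
        print(f"{rank:>2} {pkg:<10} in-degree={in_degree(DEPENDENCIES, pkg)} "
              f"pagerank={score:.4f}")
```

In the sample graph `debug` and `left-pad` both have three direct dependents, yet `debug` ranks first because its dependents are themselves widely used libraries rather than leaf applications. That is the left-pad lesson in numbers: the blast radius of a tiny package is set by who sits above it, not by its own size. `algo.pageRank` in Neo4j applies the same weighting to the real graph at scale.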
Java backend, Maven
55 dependencies (32 external, 23 internal)
32 external projects mean 90 transitive 2nd-degree dependencies
293 3rd-degree dependencies
compile, provided, runtime, test scopes
Node.js frontend
121 dependencies (12 internal, 109 external)
109 external projects mean 1412 transitive 2nd-degree dependencies
3600 different 3rd-degree dependencies
Random Corporate System (RCS)
OWASP Top 10: "Using Components with Known Vulnerabilities"
CVE: Common Vulnerabilities and Exposures (e.g. CVE-2017-14359)
NVD: National Vulnerability Database
CSV files to download and ingest into our DB
Possible defense or attack strategies:
Top-down
Bottom-up
Security
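Taken together, the RCS dependency counts and the security slide ask for two graph queries over the same data: walk down from a product to count its 1st-, 2nd- and 3rd-degree dependencies and flag any that match a known vulnerability, and walk up from a vulnerable component to every product that transitively pulls it in. The Python below is an added example, not the talk's Neo4j/Cypher implementation. The dependency graph, the resolved versions and the advisories are constructed (`ADV-1`..`ADV-3` are placeholder IDs, not CVE identifiers), and reading the slide's "top-down" as product-to-components and "bottom-up" as component-to-products is my interpretation of its labels.

```python
"""Transitive dependencies and vulnerable-component impact (added example)."""
from collections import deque

# Constructed sample graph: package -> direct dependencies. Packages nothing
# depends on (rcs-backend, rcs-frontend) are the shipped products.
DEPS = {
    "rcs-backend": ["web-framework", "json-parser", "rcs-common"],
    "rcs-frontend": ["ui-kit", "json-parser"],
    "rcs-common": ["logger"],
    "web-framework": ["http-router", "logger"],
    "http-router": ["path-matcher"],
    "ui-kit": ["dom-utils"],
    "dom-utils": ["string-pad"],
    "logger": ["ansi-colors"],
    "json-parser": [], "ansi-colors": [], "path-matcher": [], "string-pad": [],
}
# Constructed resolved versions, one per package (a lockfile view).
VERSIONS = {
    "rcs-backend": "1.0.0", "rcs-frontend": "1.0.0", "rcs-common": "1.0.0",
    "web-framework": "4.16.0", "http-router": "0.3.0", "ui-kit": "2.1.0",
    "dom-utils": "1.4.2", "json-parser": "2.9.0", "logger": "1.2.0",
    "ansi-colors": "3.0.0", "path-matcher": "1.0.0", "string-pad": "1.0.3",
}
# Constructed advisories with placeholder IDs (not CVEs): every version
# below `fixed_in` is affected.
ADVISORIES = [
    {"id": "ADV-1", "package": "json-parser", "fixed_in": "2.9.1"},
    {"id": "ADV-2", "package": "path-matcher", "fixed_in": "1.0.1"},
    {"id": "ADV-3", "package": "string-pad", "fixed_in": "1.0.0"},  # already patched
]


def parse_version(version):
    """Dotted numeric versions only; real code should use packaging.version
    so pre-release tags and build metadata compare correctly."""
    return tuple(int(part) for part in version.split("."))


def is_affected(package, advisory):
    """True if the resolved version of `package` falls inside the advisory."""
    return (advisory["package"] == package
            and parse_version(VERSIONS[package]) < parse_version(advisory["fixed_in"]))


def walk(graph, root):
    """Breadth-first walk from root; returns {node: (depth, parent)} along
    the shortest path, with depth 0 for the root itself."""
    seen = {root: (0, None)}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        depth = seen[node][0]
        for child in graph.get(node, []):
            if child not in seen:
                seen[child] = (depth + 1, node)
                queue.append(child)
    return seen


def path_to(reach, node):
    """Reconstruct root -> ... -> node from a walk() result."""
    path = []
    while node is not None:
        path.append(node)
        node = reach[node][1]
    return path[::-1]


def degree_counts(product):
    """Distinct packages first reached at each depth: the slide's
    '1st / 2nd / 3rd degree dependencies' numbers."""
    counts = {}
    for node, (depth, _) in walk(DEPS, product).items():
        if depth > 0:
            counts[depth] = counts.get(depth, 0) + 1
    return counts


def top_down(product):
    """From a product, every transitive dependency matching an advisory,
    with the shortest path explaining why it is installed at all."""
    reach = walk(DEPS, product)
    return [(adv["id"], adv["package"], VERSIONS[adv["package"]], path_to(reach, adv["package"]))
            for adv in ADVISORIES
            if adv["package"] in reach and is_affected(adv["package"], adv)]


def reverse_graph(graph):
    """dependency -> packages that depend on it."""
    rev = {node: [] for node in graph}
    for src, deps in graph.items():
        for dst in deps:
            rev[dst].append(src)
    return rev


def bottom_up(package):
    """From a component, the products (packages nothing depends on) that
    transitively pull it in, i.e. the blast radius of compromising it."""
    rev = reverse_graph(DEPS)
    reach = walk(rev, package)
    return sorted(node for node in reach if node != package and not rev[node])


def affected_products(advisory):
    """Products exposed by an advisory: reachability plus the version check."""
    pkg = advisory["package"]
    return bottom_up(pkg) if is_affected(pkg, advisory) else []


if __name__ == "__main__":
    print("rcs-backend degree counts:", degree_counts("rcs-backend"))
    for adv_id, pkg, ver, path in top_down("rcs-backend"):
        print(f"{adv_id}: {pkg}@{ver} via {' -> '.join(path)}")
    for adv in ADVISORIES:
        print(f"{adv['id']} ({adv['package']}) affects: {affected_products(adv)}")
```

In a real pipeline the advisories come from the NVD feed and the graph from the build tool's resolved dependency list, and the version-range match is the part that needs care: the toy `parse_version` ignores pre-release tags, and in Maven a vulnerable dependency in `test` scope never ships with the product, so scope should be an edge property rather than ignored.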
ElasticSearch for full-text search on descriptions
Security vulnerabilities ingestion
NLP to create knowledge graphs
Embed into releasing process
More insights from the data
Future improvements
Summary
Your software looks more like this graph than like an individual node.