Dependency Mapping for DevSecOps
Today, DevOps teams use a staggering array of interconnected applications and infrastructure systems to build their continuous integration and continuous deployment (CI/CD) pipelines. These components are called dependencies because they depend on each other to enhance the functionality of an application. While dependencies shorten the release cycle and simplify developers’ lives, without proper security in place, these pipelines can be exposed to critical risks. In a worst-case scenario, it can cause dependency hell.
While a robust DevSecOps approach should seemingly prevent such incidents, in reality, many organisations overlook security in the race to release products faster. But with the modern IT landscape being a complex maze comprising a mix of cloud, on-premises, and hybrid resources, it isn't easy to gain absolute visibility into the supporting infrastructure and artefacts that underpin modern applications.
In such a scenario, simply monitoring apps and their dependencies for performance is not enough. They also need to be monitored for security risks. After all, a vulnerability in even one of the connected interfaces or components could invite an attack that brings down the entire system. To avoid this, you must know your dependencies well and map them so that even if cybercriminals make changes to your codebase, you're aware of it and can quickly bolster your security stance.
Application mapping is the process of identifying and uncovering the relationships between apps and other components in the software supply chain to uncover hidden vulnerabilities in the system. In particular, dependency mapping allows IT teams to create a visual map of the dependencies in their software development lifecycle (SDLC) process. By gaining insights into all aspects of their network infrastructure and understanding the possible upstream/downstream impacts of dependencies, teams can manage the software lifecycle more effectively and improve their IT environment's overall security posture.
This article discusses the importance of dependency mapping and lists some best practices for successful dependency management.
The importance of dependency mapping
Given the pressure on teams to deliver code faster, organisations hardly have any time to take proper inventory of all the components in their supply chain. Even fewer companies have a software bill of materials (SBOM) that lists all the dependencies and components required to develop an application. This increases vulnerabilities across the software supply chain.
In a supply chain attack, an infiltrator targets dependencies, more specifically open source code. When an unsuspecting victim uses the malware-infected dependency, their system also gets compromised. According to the 2021 State of the Software Supply Chain report, there was a whopping 650% increase in software supply chain attacks in 2021, and that's not all. Gartner predicts that 45% of organisations will experience software supply chain attacks by 2025—a three-fold jump from 2021.
While occurrences like Codecov, Log4j, and SolarWinds demonstrate the havoc that unsecured dependencies can cause, unfortunately, they’re not the only ones. Today, developers prefer using third-party libraries that help speed up app development and allow them to go to market quickly. But introducing third-party shadow code into your codebase without adequate controls can be disastrous for your organisation. So, you must be proactive in securing your supply chain, which can only happen when you have a holistic overview of the entire project, along with its dependencies.
SecOps teams have found it difficult in the past to get a clear overview of application behaviour, primarily because of the complexity of apps and their nested dependencies but also because of dynamic changes that keep occurring in the IT ecosystem. Nevertheless, unless you understand the ins and outs of your supply chain, how on earth will you secure it?
To stay in sync with evolving risks in dynamic environments, you need an intuitive map that constantly watches your dependencies in real time. An application dependency map helps businesses understand the underlying components of their tech stack and visualise how they are connected.
A fully equipped mapping tool can analyse all instances in the IT ecosystem, be it on-premises or cloud-based, and provide complete views of application topologies. An accurate visual map of app dependencies helps you understand the health of your IT system, identify security risks, prioritise critical issues, and devise an appropriate incident response.
Continuous monitoring of applications ensures that businesses always have up-to-the-minute visibility in their systems, avoiding any impediments to product development.
Thus, dependency mapping is more than simply listing off dependencies. It’s about creating a detailed overview of how they connect and interact to allow teams to understand which parts of an application depend on one another. When you focus on the applications and all the associated components, you can quickly identify vulnerable elements in real time and react swiftly.
You can implement several strategies to get a holistic view of dependencies in your organisation. Here are a few of the most popular ones:
1. Sweep and poll
The sweep and poll method is a lightweight method of dependency mapping that ping sweeps an organisation's IP addresses from a single location to check their current state. Pings function by sending “Echo Requests” packets to respective devices. If the device works properly, they send back an “Echo Reply” packet. While the sweep and poll method is used to perform network audits and identify potential vulnerabilities in the system, one drawback is that it’s not well-suited to monitor and track distributed or agile environments.
2. Network monitoring
Network monitoring is a method where you monitor your network for faults in real time and analyse traffic patterns at the packet or flow level. While this method is ideal for simple use cases, as with the sweep and poll method, it’s challenging to scale up for agile and dynamic IT landscapes with networks spread over several geographical areas.
3. Agent on server
The agent on server method involves placing agents on servers and other infrastructures to monitor real-time traffic. The agents collect information by executing commands in the individual server’s system. While this method is preferred in cases where in-depth surveillance is necessary, given its nature, it requires additional effort to implement.
4. Automated ADDM
Traditionally, IT teams have relied on conventional manual methods like spreadsheets to manage dependencies. But the sheer proliferation of IT networks has made it difficult for organisations to track dependencies using outdated methods.
Application discovery and dependency mapping (ADDM) products are custom-built solutions that discover app dependencies in an automated fashion. These products offer tools that automatically discover the components of your tech stack and their dependencies and then map these entities to provide comprehensive insights into the status of your applications.
A good ADDM tool visualises the performance of dependencies, which are then used to chalk out troubleshooting strategies. Abnormalities are noted and correlated to forensic data, and root-cause analyses are performed to identify the cause.
Best practices, when applied together with the correct dependency management tools, can do great things for your business. Listed below are some best practices for managing app dependencies and staying ahead of threat actors.
Large application projects inevitably have numerous dependencies, but too many dependencies can sometimes lead to nondeterministic builds. If your dependencies are not pinned to an exact version, you’ll be saddled with multiple sub-dependencies and their transitive dependencies. It then becomes difficult to manage them and determine which artefact is free of bugs and which one has been tampered with.
To achieve deterministic or reproducible builds (where the same inputs will give you the exact same output irrespective of where or how you run them), you need to pin dependencies. Pinning ensures your builds are repeatable and assures you that your developers are working on the same codebase.
New package versions are continually getting updated. While pinning versions works to some extent, you could end up installing two different versions of the same dependencies by not locking down a particular version, leading to code breaks and inconsistencies. A lock file specifies the exact version of a dependency that you should install. Nowadays, most build tools combine lock files with an entire dependency tree. This ensures you can install only dependencies present in the tree.
Organisations often use a mix of both public code and private code registries to build and deploy applications. Sometimes, this sets the stage for a confusion attack. A dependency confusion attack is a supply chain attack where attackers trick package installers into installing malicious code. DNS spoofing and namespacing are some of the ways by which dependency attacks are executed.
To avoid dependency confusion, you can:
- Remove unused and old dependencies.
- Reserve namespaces in the public registry.
- Include dependencies in a lock file.
- Use a pre-built runtime environment.
- Import only source code.
- Embed the source code of your dependencies in the code repository.
There isn’t much that your developers can do to avoid dependencies. They are here to stay! But when incorporated into a DevSecOps strategy, dependency mapping can protect your CI/CD pipelines from malicious actors. Following established good practices and employing the services of a superior ADDM solution can provide you with greater clarity on the state of your IT infrastructure.
Trend Micro offers a one-stop solution for DevSecOps teams to easily track and manage their dependencies. If you’re thinking about a customised solution for your app dependencies need, we’re here for you. Contact us through our webpage.