Out with the Old – Keeping Your Software Secure by Managing Dependencies

During 2023, the U.S. witnessed a record high in supply chain cyber-attacks, affecting 2,769 organizations. This figure represents the largest number recorded since 2017, marking an approximate 58% annual increase in impacted entities.

If there ever was a doubt, now it’s crystal clear that YOUR SOFTWARE SUPPLY CHAIN IS A TARGET. Developers, DevOps and Security teams must prioritize processes that enhance security for all phases of the software supply chain.

This is especially true when it comes to third party open source packages. Today the majority of software developers are leveraging OSS, which comprises an average of 10-20% of the code in most applications.  I’m not complaining—on the contrary, we greatly value the open-source community, which significantly boosts our productivity and propels us to new heights.

With all the benefits of open source packages, they also come with responsibilities that must be addressed. These include maintaining the packages by regularly updating them, ensuring they operate without issues that could cause long-term or immediate damage and continually evaluating whether they could be replaced by better-maintained packages that could enhance performance and security.

Let’s take a look at how these issues are defined, how problematic packages are identified and which best practices should be adopted to ensure that these packages deliver maximum performance with minimum risk.

Risks of Outdated Dependencies

Old dependencies often have well-documented vulnerabilities, making them prime targets for attackers. These vulnerabilities can range from mild issues, such as exposure of non-sensitive information, to critical risks, such as remote code execution, where an attacker could potentially take control of an entire system.

Since these vulnerabilities are known and often listed in public databases by a CVE Numbering Authority (CNA) like the National Vulnerability Database (NVD), attackers can easily identify them and craft exploits to take advantage of their weaknesses.

When software dependencies are not regularly updated, they can become a major security liability. Many dependencies, especially open-source libraries, are frequently updated to address security vulnerabilities that were only discovered after the previous release.

When these updates are neglected, it leaves the door open for attackers to exploit known vulnerabilities. Outdated packages often lag in adopting the latest specifications, features, and security updates of operating systems and other software libraries. This discrepancy can lead to several integration issues such as newer systems that require updated components, resources that are no longer available and old APIs which were built to interact with outdated packages. Many times, this misalignment can even cause the software to fail at runtime.

Lack of Support

A critical concern in using dependencies is the lack of ongoing support, which we need to consider as a serious warning sign. Here’s why an absence of support for dependencies should raise an alarm:

Security Risks: Dependencies that are not regularly updated are vulnerable to security breaches, such as known flaws going unpatched, leaving applications open to attacks.

Debugging Challenges: Without support from the original creators, resolving issues that arise from bugs in a dependency become much more difficult to manage, thereby complicating the debugging process for developers.

Maintenance Issues: Integrating unsupported dependencies with new technologies or systems is fraught with difficulties, often leading to increased maintenance complexity and additional technical debt.

Ultimately, relying on software that lacks maintenance and support undermines both the security and functionality of your applications, underscoring the importance of assessing and, if necessary, replacing unsupported dependencies with those that are actively maintained by a responsible author.

Degraded Performance

Using older versions of software dependencies can prevent you from leveraging the optimizations and enhancements that come with newer releases. New versions often include performance improvements, enhanced features, and more efficient algorithms, all of which contribute to a faster, more robust, and feature-rich application. By sticking with outdated versions, you not only miss out on these benefits but also risk running software that is slower and less efficient. This can affect user experience, reduce competitive edge, and increase operating costs in the long run. Thus, regularly updating dependencies is crucial for maintaining an optimal and forward-compatible software development environment.

Don’t Depend on Stagnant Dependencies

In real life, you wouldn’t drink from stagnant water because it can become polluted in a short period of time. Similarly, you should be cautious about using third-party dependencies that aren’t regularly updated or come from an unidentified source.

From a developer’s perspective, maintaining packages, especially when dealing with major version updates, can be a tedious and time-consuming task. This is particularly true if there is a significant gap between the current version and the most recent one. Consequently, adopting diligent update practices is essential, not just for developers, but also for team leaders and security professionals to mitigate the risk of compromising applications.

Updating software dependencies is a crucial task for maintaining the security, performance, and stability of your applications. Here are some strategies you can use to effectively manage this process:

1. Automate Dependency Management – Use tools like JFrog Xray to automatically detect outdated dependencies and security vulnerabilities in conjunction with Frogbot to open pull requests for updating those dependencies. Automation of the dependency upgrade process saves time and reduces the risk of human error.
2. Maintain a Regular Update Schedule – Set a regular schedule for reviewing and updating dependencies. This could be weekly, bi-weekly, or monthly, depending on the project’s needs and whether the updates are critical or not.
3. Use Semantic Versioning – Adhere to semantic versioning when updating dependencies. This helps you understand the nature of the changes in the new version (major, minor, or patch) and assess the potential impact on your project.
4. Test Thoroughly – Ensure you have a robust testing environment to verify that updates do not break your application. Automated tests, continuous integration (CI) pipelines, and staging environments are vital for catching issues prior to release.
5. Prioritize Security Updates – Always prioritize updates that address security vulnerabilities. Solutions such as JFrog Xray and JFrog Advanced Security can alert you to the security updates which require immediate attention.
6. Review Dependency Changelogs – Before updating, review the changelogs for the dependencies. This can provide insights into the changes and help you prepare for potential issues or adjustments in your code.
7. Gradual Rollouts – For larger projects or updates that could significantly impact functionality, consider a gradual rollout of the update. This might involve canary releases or feature flags to minimize impact on the entire user base.
8. Document Your Dependencies – Maintain clear documentation of all your project’s dependencies, their versions, and why they are used. This documentation can be crucial for new team members and for troubleshooting issues related to specific dependencies.
9. Monitor for Deprecated Features – Keep an eye on the future deprecation plans of your dependencies. Preparing in advance for replacing or updating deprecated features can save a lot of negative end user experiences and last-minute scrambling.
10. Community and Support – Engage with the community around your dependencies. Forums, mailing lists, and other community resources can offer invaluable support and insights for managing updates.

As software development operations continue to integrate more and more sophisticated tools to prevent performance and security issues, simple measures such as vigilantly updating dependencies on a regular basis can be just as effective. If you want to know how JFrog can help manage, maintain and upgrade your dependencies, then why not set up a demo or take an online guided tour at your convenience.