Dependency Management
Slides: 38
© All rights reserved. www.keepcoding.io

The problem

% of new code
"In their haste to create applications, developers use open source components as their foundation, creating applications using only 10% to 20% new code"
The Forrester Wave™: Software Composition Analysis, Q1 2017

Vulnerable dependencies
1 in every 8 components downloaded in 2018 contained at least one vulnerability

Equifax breach
● Equifax says a 2017 data breach exposed the sensitive personal information of 143 million Americans
○ Apache Struts, CVE-2017-5638

The problem

Timelines

Are we vulnerable?
● We don't know the version of every dependency
● Outdated dependencies
● We don't review them regularly
NPM

pip

Ecosystems

Vulnerabilities in each ecosystem

Solutions proposed by the communities

Are we vulnerable?
● nodemon deprecation warning

Are we vulnerable?

Are we vulnerable?
● Library modified to steal cryptocurrency

Are we vulnerable?
Prevention
● Remove unused dependencies
● Monitor the versions in use
● Monitor the vulnerabilities of our dependencies
● Solution: update the dependencies

Timelines
Resolution of vulnerabilities driven by security advisories is below 20%
Resolution time ranges from 1 week to 9 months, depending on the project

Prevention
● Check for vulnerabilities
○ NIST
○ CVE

CVE and CVSS
● CVE: Common Vulnerabilities and Exposures
● CVSS: Common Vulnerability Scoring System. Calculator:
○ https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
○ https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

CVE websites
● Custom alerts
○ https://www.saucs.com/
● Classification
○ https://www.cvedetails.com/

CPE
● Common Platform Enumeration
● Standard method for describing and identifying software and hardware

CPE
cpe:2.3:a:apache:maven:3.0:*:*:*:*
(a = application, apache = vendor, maven = product, 3.0 = version)

Dependency managers
● npm ls
● mvn
● pip freeze
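As an added example (not from the slides, nor from any of the tools they name), this Python script ties the CPE slide and the dependency managers slide together: it parses `pip freeze` output, parses CPE 2.3 strings such as the Maven one on the CPE slide, and reports which pinned dependencies fall inside an advisory's affected range. The `pip freeze` lines, vendor/product names, advisory ids and version ranges are constructed placeholders, and the script assumes the CPE product field equals the pip package name, which real data does not guarantee.

```python
import re
from typing import NamedTuple

class Cpe(NamedTuple):
    part: str      # "a" = application, "o" = operating system, "h" = hardware
    vendor: str
    product: str
    version: str

def parse_cpe23(s: str) -> Cpe:
    """Split a CPE 2.3 formatted string on unescaped ':' into its first four fields.
    A string cut short (the slide's example has 9 of the 13 fields) is padded with '*'."""
    fields = re.split(r"(?<!\\):", s)
    if fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {s!r}")
    fields += ["*"] * (13 - len(fields))
    return Cpe(*fields[2:6])

def parse_pip_freeze(text: str) -> dict:
    """Map lower-cased package name -> pinned version from `pip freeze` output."""
    deps = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_.\-]+)==(\S+)", line.strip())
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps

def version_key(v: str) -> tuple:
    # Numeric-only comparison: fine for X.Y.Z pins, not for pre-release tags.
    return tuple(int(x) for x in re.findall(r"\d+", v))

def affected(deps: dict, advisories: list) -> list:
    """Return (product, installed version, advisory id) for every dependency whose
    pinned version lies in an advisory's [introduced, fixed) range."""
    hits = []
    for adv_id, cpe_str, introduced, fixed in advisories:
        cpe = parse_cpe23(cpe_str)
        installed = deps.get(cpe.product)   # assumes CPE product name == pip name
        if installed is None:
            continue
        if version_key(introduced) <= version_key(installed) < version_key(fixed):
            hits.append((cpe.product, installed, adv_id))
    return hits

# Constructed sample input: `pip freeze` output and advisories (ids and ranges are placeholders).
PIP_FREEZE = "requests==2.19.1\nurllib3==1.24.1\nJinja2==2.10\n"
ADVISORIES = [
    ("ADVISORY-1", "cpe:2.3:a:python-requests:requests:*:*:*:*", "0", "2.20.0"),
    ("ADVISORY-2", "cpe:2.3:a:urllib3:urllib3:*:*:*:*:*:*:*:*:*", "1.25.0", "1.25.9"),
]
```

Running `affected(parse_pip_freeze(PIP_FREEZE), ADVISORIES)` flags only `requests`, because the pinned `urllib3` is below the advisory's introduced version and `Jinja2` has no matching advisory.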
Commercial solutions

Snyk
Snyk CLI
1. npm install -g snyk
2. snyk auth

1. snyk test
2. snyk wizard
3. snyk monitor
Cheat Sheet

Snyk CLI

Fossa

Open source projects
● DeepTracy: developed by BBVA
● Dependency-Check: developed by OWASP

Dependency-Check
● Project developed by OWASP
● Supports Java and .NET
● Can be used as:
○ Ant Task
○ Command Line Tool
○ Gradle Plugin
○ Jenkins Plugin
○ Maven Plugin (Maven 3.1 or newer required)
○ SBT Plugin

Using Dependency-Check
./dependency-check.sh --project test --scan /root/Android.Gangame/ -out ./result

Using Pyup

Pyup integration with GitHub