Dependency management
© All rights reserved. www.keepcoding.io

The problem

% new code
● In their haste to create applications, developers use open source components as their foundation, creating applications using only 10% to 20% new code
○ The Forrester Wave™: Software Composition Analysis, Q1 2017

Vulnerable dependencies
● 1 in every 8 components downloaded in 2018 contained a vulnerability

Equifax breach
● Equifax says a 2017 data breach exposed the sensitive personal information of 143 million Americans
○ Apache Struts, CVE-2017-5638

The problem

Timelines

Are we vulnerable?
● We do not know the version of every dependency
● Outdated dependencies
● We do not review them regularly


NPM

pip

Ecosystems

Vulnerabilities in each ecosystem

Solutions proposed by the communities

Are we vulnerable?
● nodemon deprecation warning

Are we vulnerable?

Are we vulnerable?
● Library modified with the aim of stealing cryptocurrency

Are we vulnerable?


Prevention
● Remove unused dependencies
● Monitor the versions in use
● Monitor the vulnerabilities of our dependencies
● Solution: update the dependencies

Timelines
● Fewer than 20% of vulnerabilities are resolved as a result of security advisories
● Resolution time ranges from 1 week to 9 months, depending on the project

Prevention
● Check for vulnerabilities
○ NIST
○ CVE

CVE and CVSS
● CVE: Common Vulnerabilities and Exposures
● CVSS: Common Vulnerability Scoring System
● Calculator
○ https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
○ https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

CVE websites
● Custom alerts
○ https://www.saucs.com/
● Classification
○ https://www.cvedetails.com/

CPE
● Common Platform Enumeration
● Standard method for describing and identifying software and hardware

CPE
cpe:2.3:a:apache:maven:3.0:*:*:*:*
(part: a = application; vendor: apache; product: maven; version: 3.0)

Dependency managers
● npm ls
● mvn
● pip freeze
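The commands above produce the inventory the "Prevention" slides ask for: the exact versions in use. The added example below (not from the slides) takes `pip freeze` output, normalises package names, and flags every package whose pinned version is below the fixed version in an advisory table. Both the freeze output and the advisory table are constructed samples with placeholder references, not real vulnerability data; the version comparison handles the release segment only, and a real tool should use `packaging.version.Version` for full PEP 440 semantics.

```python
# Added example: build an inventory from `pip freeze` output and compare it
# against a (constructed) table of fixed versions.
import re

# Constructed sample of `pip freeze` output; package names and versions are illustrative.
FREEZE_OUTPUT = """\
requests==2.18.4
urllib3==1.22
Django==2.0.1
-e git+https://example.invalid/repo.git@abc123#egg=internaltool
certifi==2018.1.18
"""

# Constructed advisory table (NOT real CVE data): package -> (first fixed version, reference).
ADVISORIES = {
    "django": ("2.0.3", "ADVISORY-PLACEHOLDER-1"),
    "urllib3": ("1.23", "ADVISORY-PLACEHOLDER-2"),
    "certifi": ("2017.11.5", "ADVISORY-PLACEHOLDER-3"),  # inventory already above this
}


def normalize(name: str) -> str:
    """PEP 503 name normalisation so 'Django' and 'django' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple:
    """Release segment as a tuple of ints ('2.0.1' -> (2, 0, 1)); pre/post tags are dropped."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError("unparseable version %r" % v)
    return tuple(int(x) for x in m.group(1).split("."))


def version_lt(a: str, b: str) -> bool:
    """True when release a < release b, padding shorter tuples with zeros (1.2 == 1.2.0)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_freeze(text: str) -> dict:
    """Map normalised package name -> pinned version (None for editable/URL installs)."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-e ") or " @ " in line:
            # Editable or direct-URL installs carry no pinned version: record the
            # name with an unknown version so it is reported rather than silently skipped.
            m = re.search(r"#egg=([A-Za-z0-9_.-]+)", line) or re.match(r"^([A-Za-z0-9_.-]+) @", line)
            if m:
                inventory[normalize(m.group(1))] = None
            continue
        name, sep, version = line.partition("==")
        if not sep:
            raise ValueError("unexpected freeze line %r" % line)
        inventory[normalize(name)] = version
    return inventory


def find_vulnerable(inventory: dict, advisories: dict) -> list:
    """Return (name, installed, fixed, reference) for every package below its fixed version."""
    findings = []
    for name, version in sorted(inventory.items()):
        adv = advisories.get(name)
        if adv is None:
            continue
        fixed, ref = adv
        if version is None:
            findings.append((name, "unknown", fixed, ref))
        elif version_lt(version, fixed):
            findings.append((name, version, fixed, ref))
    return findings


if __name__ == "__main__":
    inv = parse_freeze(FREEZE_OUTPUT)
    for name, ver, fixed, ref in find_vulnerable(inv, ADVISORIES):
        print(f"{name} {ver}: update to >= {fixed} ({ref})")
```

Run against the constructed sample it reports django and urllib3 and leaves certifi alone; the same check over `npm ls --json` or `mvn dependency:list` output differs only in the parser, which is why keeping the inventory step separate from the comparison step pays off.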

Commercial solutions

Snyk


Snyk CLI (cheat sheet)
Setup:
1. npm install -g snyk
2. snyk auth
Usage:
1. snyk test
2. snyk wizard
3. snyk monitor

Snyk CLI

Fossa

Open source projects
● DeepTracy: developed by BBVA
● Dependency-Check: developed by OWASP

Dependency-Check
● Project developed by OWASP
● Supports Java and .NET
● Can be used as:
○ Ant Task
○ Command Line Tool
○ Gradle Plugin
○ Jenkins Plugin
○ Maven Plugin - Maven 3.1 or newer required
○ SBT Plugin

Using Dependency-Check
./dependency-check.sh --project test --scan /root/Android.Gangame/ -out ./result

Using Pyup

Pyup integration with GitHub