Learning from Developers: How to Make Dependency Management Secure

Components with known vulnerabilities (#9 on the OWASP Top 10 list of Web Application Security Risks) are the most frequent cause of severe security breaches. Famous examples are the Equifax breach caused by an outdated Apache Struts library, the Panama Papers data leak caused by an old, unpatched version of Drupal, and the Ubuntu forum breach caused by an outdated Forumrunner add-on. Still, developers often leave the third-party components used in their projects outdated.

To understand developers’ motivations for (not) updating the dependencies of their projects, we interviewed developers from 25 different companies located in 9 countries and analysed their strategies for (i) selecting new dependencies, (ii) updating currently used dependencies, (iii) using automatic dependency management tools, and (iv) mitigating bugs and vulnerabilities for which no fixed dependency version exists.

In this talk, we will share our observations on how security concerns influence current dependency management practices, together with recommendations (based both on our observations and on the developers’ own recommendations) on how to address the lack of attention to the security of third-party components.

Hence, the key takeaways of this talk are the following:
– you will learn how developers currently manage software dependencies
– you will discover the implications of the most popular dependency management strategies
– you will get ideas on how to adjust the dependency management of your software projects to make them more secure