Say No to the Dependency Hell
Modern software projects typically import functionality from third-party sources by including them as software dependencies. These dependencies therefore bring in a large body of code that has to be taken into account when considering the bugs and security vulnerabilities of a software project. During the talk we will discuss how to automatically manage software dependencies, so that a vulnerable dependency does not arrive as an unpleasant gift. We start with an overview of the existing options, such as GitHub's software dependency initiative. Then we build on this approach and present the methodology for managing vulnerable dependencies developed in the Security Research Lab of the University of Trento (Italy) in collaboration with SAP Security Research (France).
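The core of the automatic management the abstract refers to is matching a project's declared dependencies against published advisories and reporting which pins fall inside an affected version range. The following is an added illustration, not code from the talk, from GitHub's tooling, or from the Trento/SAP methodology: a minimal auditor over a pip-style pinned requirements list. The package names, versions and advisory identifiers (`examplelib`, `EX-ADV-0001`, ...) are constructed for the example.

```python
"""
Added example (not part of the original abstract): a minimal dependency
auditor that matches a project's pinned dependencies against a small,
constructed advisory list.  All package names, versions and advisory
identifiers below are made up for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    # Numeric dotted versions only ("1.2.3"); pad short forms so 1.2 == 1.2.0
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix published


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed and v >= parse_version(adv.fixed):
        return False
    return True


def parse_requirements(text: str) -> List[Tuple[str, str]]:
    """Parse 'name==version' lines (pip requirements style); skip comments and blanks.

    Unpinned specifiers are rejected: without an exact version the audit result
    would depend on whatever resolves at install time.
    """
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency (cannot audit reliably): {line}")
        name, version = line.split("==", 1)
        deps.append((name.strip().lower(), version.strip()))
    return deps


def audit(requirements: str, advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (package, version, advisory_id, remediation) for every vulnerable pin."""
    findings = []
    for name, version in parse_requirements(requirements):
        for adv in advisories:
            if adv.package == name and is_affected(version, adv):
                remediation = (f"upgrade to >= {adv.fixed}" if adv.fixed
                               else "no fixed version published")
                findings.append((name, version, adv.advisory_id, remediation))
    return findings


# Constructed sample inputs (hypothetical packages and advisories)
SAMPLE_REQUIREMENTS = """
# constructed lockfile for the example
examplelib==1.4.2
parsertools==0.9.0   # pinned intentionally old
safething==2.0.0
"""

SAMPLE_ADVISORIES = [
    Advisory("EX-ADV-0001", "examplelib", introduced="1.0.0", fixed="1.4.3"),
    Advisory("EX-ADV-0002", "parsertools", introduced="0.8.0", fixed=""),
    Advisory("EX-ADV-0003", "safething", introduced="1.0.0", fixed="1.9.0"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
        print(finding)
```

Running the block reports `examplelib` (one patch version short of the fix) and `parsertools` (affected, with no fix available yet) and stays silent on `safething`, whose pin is already past the fixed version. Real tooling replaces the hand-written advisory list with a feed such as a public advisory database and handles non-numeric version schemes; the range check and the insistence on pinned versions are the parts that carry over.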