Announcing the 2024 Dependency Management Report
Our third-annual Dependency Management Report explores how emerging trends in open source security should guide SDLC security strategy.
It’s clear by now: there will only ever be more dependencies and more software vulnerabilities from here. The rise of artificial intelligence in software development is only accelerating the growth in phantom dependencies and the rise in cyber attacks. We’ll never be able to keep up 100%, which means the most important question application security teams have to answer is: Where should we start?
Our third-annual Dependency Management Report explores how emerging trends in open source security should guide SDLC security strategy. This year, we focused on the following research questions:
- How successful are AppSec teams at identifying dependencies and their vulnerabilities?
- Does public vulnerability data support successful researching and prioritizing of vulnerabilities?
- What gets in the way of remediating known vulnerabilities?
- How can software composition analysis (SCA) improve dependency management?
Why focus on dependencies?
A ‘software dependency’ refers to external code or libraries that a software project requires to function properly. Most commonly, dependencies are recognized as third-party libraries, frameworks, or other software components that provide essential functionality so that developers don’t have to write it from scratch. At Endor Labs, we go beyond traditional dependencies to secure everything your code depends on, extending the definition of “dependency” to include the tools we use to build, test, and operate applications.
Think of dependencies as the building blocks of your software supply chain. They never seem all that critical, until one has an issue. Remember in March 2021, when the Ever Given blocked the Suez Canal and this one ship held up $9 billion in global trade per day?
Your software supply chain is the same: every open source dependency your developers choose matters a great deal, and the trends in dependency management help us all make sense of this complex house of cards.
What’s inside the report
The research is based on analysis of Endor Labs’ vulnerability data, the Open Source Vulnerabilities (OSV) database for comparison, information from Endor Labs’ customer tenants, and Java ARchives (JARs) of hundreds of versions of the top 15 open source dependencies to compute breaking changes.
This report is comprehensive, but we organized it so that you could find what’s interesting to you very easily. The executive summary is a quick, less-technical read that cuts to the chase on our biggest findings. The rest of the report is broken into four parts:
- Part 1: Identifying Dependencies & Their Vulnerabilities
- Part 2: Discrepancies and Shortcomings of Vulnerability Databases
- Part 3: Why Remediating Known Vulnerabilities is Hard
- Part 4: Software Composition Analysis and Its Role in Dependency Management
How to access the research
We’ve made it super easy to access our research in a variety of formats, no form required.
- There’s an interactive report page here, with a useful TL;DR summary right at the top and some useful infographics to screenshot.
- You can download a PDF version of the report below.
- Not a reader? Join us on September 24th for a live recap and Q&A session. If you’re reading this later, don’t worry, the video will be available at that same link!
- Prefer a printed copy? (Old school, we like it!) Send us a note at engage@endorlabs.com and we will get one to you.