
Highlights from Our 2024 Dependency Management Webinar

Get key insights from the 2024 Dependency Management webinar with Darren Meyer and Henrik Plate. We discuss how to prioritize vulnerabilities, navigate breaking changes, and leverage public vulnerability databases effectively.

Written by
Darren Meyer
Henrik Plate
Published on
September 24, 2024

If you caught our recent webinar on the 2024 Dependency Management Report, thanks for joining. If not, don't worry: here is a quick breakdown of the main points we covered. We dug into our 2024 Dependency Management Report and shared strategies for dealing with vulnerabilities in open-source components.

The Dependency Graph

In a dependency graph, at the top is your first-party code, and underneath it is a massive web of third-party components, the stuff we rely on to avoid reinventing the wheel. But with that reuse comes risk. Those components can bring in vulnerabilities, and you can’t tackle them all at once.

The point of the graph is that not every vulnerability in it deserves the same urgency. Prioritization is key.

How to Prioritize Vulnerabilities

There’s always a lot of noise around vulnerabilities, so we broke it down into four criteria to help teams prioritize:

  • Reachability: whether the vulnerable function can actually be reached from your own code
  • Whether a fix (a patched version) is available
  • Whether the vulnerability sits in a test-only dependency
  • The EPSS score (Exploit Prediction Scoring System, an estimate of the probability that the vulnerability will be exploited in the wild within the next 30 days)

What we found is that filtering on reachable functions is the single most effective way to prioritize, followed closely by the EPSS score. Combining the two leaves only about 4% of vulnerabilities to address first, which makes the backlog far more manageable.
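The following is an added worked example of applying those four criteria to a set of findings; it is not Endor Labs code and the tier order it uses is an assumed policy for illustration, not the report's method. All advisory identifiers, package names and scores below are constructed sample data, and the EPSS threshold of 0.10 is an assumption you would tune to your own risk appetite.

```python
"""Vulnerability triage worked example (added illustration, not Endor Labs code).

Ranks constructed findings by reachability, EPSS, test-only scope and fix
availability. The tier order is an assumed policy, not the report's method.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Finding:
    advisory: str         # constructed identifier, not a real advisory
    package: str
    reachable: bool       # vulnerable function reachable from first-party code
    fix_available: bool   # a patched version exists upstream
    test_only: bool       # dependency is pulled in only by a test scope
    epss: float           # EPSS probability of exploitation in the next 30 days


# Assumed cut-off for "high" EPSS; tune to your own risk appetite.
EPSS_THRESHOLD = 0.10


def tier(f: Finding) -> int:
    """Assign a triage tier; lower means act sooner.

    Reachable + high EPSS comes first (the two strongest filters in the post),
    then reachable alone, then high EPSS alone, then everything else.
    Test-only dependencies sink to the bottom regardless of other signals.
    """
    if f.test_only:
        return 4
    if f.reachable and f.epss >= EPSS_THRESHOLD:
        return 0
    if f.reachable:
        return 1
    if f.epss >= EPSS_THRESHOLD:
        return 2
    return 3


def prioritize(findings: Iterable[Finding]) -> list[Finding]:
    """Order by tier, then fix-available first, then EPSS descending.

    Within a tier, a finding with a fix is cheaper to close than one without,
    so it is surfaced first.
    """
    return sorted(findings, key=lambda f: (tier(f), not f.fix_available, -f.epss))


def first_wave(findings: Iterable[Finding]) -> list[Finding]:
    """The subset to work on first: reachable and high EPSS, not test-only."""
    return [f for f in findings if tier(f) == 0]


# Constructed sample findings (identifiers and scores are made up).
SAMPLE = [
    Finding("ADV-0001", "lib-alpha", reachable=True,  fix_available=True,  test_only=False, epss=0.42),
    Finding("ADV-0002", "lib-beta",  reachable=True,  fix_available=False, test_only=False, epss=0.03),
    Finding("ADV-0003", "lib-gamma", reachable=False, fix_available=True,  test_only=False, epss=0.71),
    Finding("ADV-0004", "lib-delta", reachable=False, fix_available=True,  test_only=False, epss=0.01),
    Finding("ADV-0005", "lib-eps",   reachable=True,  fix_available=True,  test_only=True,  epss=0.90),
    Finding("ADV-0006", "lib-zeta",  reachable=True,  fix_available=False, test_only=False, epss=0.15),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"tier {tier(f)}  {f.advisory:9} {f.package:10} epss={f.epss:.2f} fix={f.fix_available}")
```

Note that ADV-0003 has the highest EPSS in the sample but lands behind the reachable findings because its vulnerable function is never called, and ADV-0005 drops to the bottom despite being reachable and high-EPSS because it only ships with the test suite. Those two cases are exactly where a CVSS-only ranking would send you chasing the wrong items first.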

The Real Struggle: Breaking Changes

We get it: updating dependencies sounds straightforward, but in practice it is a challenge. Breaking changes are a major reason updating can feel like a minefield, and even minor and patch updates can introduce changes that break your app.

In our research, we found that 24% of major version updates and 47% of minor or patch updates come with breaking changes. It’s no wonder teams are hesitant to jump on every update. You’ve got to balance staying secure with not breaking your app in the process.

The Vulnerability Database Problem

Public vulnerability databases like OSV and the GitHub Advisory Database are amazing resources. They have come a long way, but they are still not complete. We have seen discrepancies: missing advisories, incomplete affected-package information, and more. That is why we enrich these databases with our own data to provide more context and accuracy for our customers.

It’s important to know the limits of these resources. They’re a great starting point, but there’s value in going deeper when necessary.
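As an added example of what "knowing the limits" looks like in practice (this is not Endor Labs code or its enrichment process), the script below joins two vulnerability database exports on their CVE aliases and reports where they disagree: an advisory present in only one source, differing sets of affected packages, or a fix recorded on one side but not the other. Records use a simplified subset of the OSV schema (id, aliases, affected[].package, affected[].ranges[].events); both exports are constructed sample data with made-up identifiers chosen to trigger each check.

```python
"""Cross-checking two vulnerability database exports (added illustration,
not Endor Labs code). Records are a simplified OSV-style subset; both
exports are constructed sample data with made-up identifiers.
"""
from __future__ import annotations


def cve_ids(record: dict) -> set[str]:
    """CVE identifiers under which this record can be matched (id or aliases)."""
    return {i for i in [record["id"], *record.get("aliases", [])] if i.startswith("CVE-")}


def index_by_cve(records: list[dict]) -> dict[str, dict]:
    """Map every CVE id to its record so two sources can be joined on it."""
    index: dict[str, dict] = {}
    for r in records:
        for cve in cve_ids(r):
            index[cve] = r
    return index


def affected_packages(record: dict) -> set[tuple[str, str]]:
    """(ecosystem, name) pairs the record says are affected."""
    return {(a["package"]["ecosystem"], a["package"]["name"]) for a in record.get("affected", [])}


def has_fix(record: dict) -> bool:
    """True if any affected range carries a 'fixed' event."""
    return any(
        "fixed" in ev
        for a in record.get("affected", [])
        for rng in a.get("ranges", [])
        for ev in rng.get("events", [])
    )


def reconcile(source_a: list[dict], source_b: list[dict]) -> dict[str, list[str]]:
    """Per CVE, list the discrepancies between the two sources (empty list = agree)."""
    ia, ib = index_by_cve(source_a), index_by_cve(source_b)
    report: dict[str, list[str]] = {}
    for cve in sorted(set(ia) | set(ib)):
        a, b = ia.get(cve), ib.get(cve)
        issues: list[str] = []
        if a is None:
            issues.append("missing_in_a")
        if b is None:
            issues.append("missing_in_b")
        if a is not None and b is not None:
            if affected_packages(a) != affected_packages(b):
                issues.append("package_mismatch")
            if has_fix(a) != has_fix(b):
                issues.append("fix_mismatch")
        report[cve] = issues
    return report


def _rec(rid: str, cve: str, packages: list[tuple[str, str]], fixed: str | None = None) -> dict:
    """Build one constructed OSV-style record for the sample exports."""
    events = [{"introduced": "0"}] + ([{"fixed": fixed}] if fixed else [])
    return {"id": rid, "aliases": [cve], "affected": [
        {"package": {"ecosystem": eco, "name": name},
         "ranges": [{"type": "ECOSYSTEM", "events": events}]}
        for eco, name in packages]}


# Constructed exports; every identifier is fake and chosen to trigger one check.
SOURCE_A = [
    _rec("SRC-A-1", "CVE-0000-0001", [("npm", "pkg-one")], fixed="1.2.3"),
    _rec("SRC-A-2", "CVE-0000-0002", [("PyPI", "pkg-two")]),                   # no fix recorded
    _rec("SRC-A-3", "CVE-0000-0003", [("PyPI", "pkg-three")], fixed="2.0.0"),  # absent from B
]
SOURCE_B = [
    _rec("SRC-B-1", "CVE-0000-0001", [("npm", "pkg-one")], fixed="1.2.3"),
    _rec("SRC-B-2", "CVE-0000-0002", [("PyPI", "pkg-two"), ("PyPI", "pkg-two-ext")], fixed="3.1.0"),
    _rec("SRC-B-4", "CVE-0000-0004", [("Go", "example.test/pkg-four")]),        # absent from A
]

if __name__ == "__main__":
    for cve, issues in reconcile(SOURCE_A, SOURCE_B).items():
        print(cve, "OK" if not issues else ", ".join(issues))
```

The empty list for CVE-0000-0001 is the case you hope for; the other three rows are the kinds of gap the post describes. A scanner that consults only SOURCE_A would never see CVE-0000-0004, would miss pkg-two-ext entirely, and would keep telling you that pkg-two has no fix when another source already knows one. Running this kind of diff against your own ecosystems is a cheap way to measure how much you are trusting a single database.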

Top Takeaways

  1. Focus on what matters: Prioritize vulnerabilities based on reachable functions and EPSS scores to focus on the most critical issues first.
  2. Updates aren’t always easy: Breaking changes happen even in minor updates, so make sure you understand the risks before jumping into an update.
  3. Databases are improving but need support: Public vulnerability databases are better than ever, but gaps still exist. Relying solely on them might leave you exposed, so adding more context can make a big difference.

If you missed the live session, no worries! You can still access the full report here. It’s packed with insights to help you stay on top of dependency management and keep your applications secure.