When you are trying to figure out why/where a particular vulnerable transitive dependency is showing up in your report you’ll need to determine the “parent” component that includes the transitive dependency to determine how to proceed. Upgrading to a different version of the parent component may resolve the violation because a different version of the …
Dependencies can grow to the point where they get out of hand. You may be following all the right security best practices, but due to a single vulnerable dependency, your application can still be susceptible to exploitation. Keeping dependencies up-to-date can present a huge problem if left unmanaged. 2020 State of the Software Supply Chain …
Similarly, microservices and containers are a really big thing. We work with container vendors to be able to understand the different layers, the different dynamics in there and pulling out the application bits from the container bits. This actually is a really big trend, because often the people owning the container aren’t developers, but again, …
Also worth mentioning are the different types of views that are available if you need to dig a little deeper after you’ve applied your filters. Violations view Components view Applications view Displays data for the last 30 days and shows the first 100, newest policy violations found in your applications. Displays the 100 highest risk …
As a Product Owner/Product Manager, I probably care about all of these items. But I may be particularly interested in the highest risk or the whole aggregate amount of risk. Luckily, we have a couple of features that allow you to highlight those before waiving those risks. Potentially your organization could configure the settings to …
From a security perspective, we can get what is most important to you – policy violations that are due to security issues. This time use the Policy Type –> Security filter options. From there, more details about what caused the violation can be observed by opening the CIP for a given violating component. Now we …
Remember that release where you had to get a patch out, and you discover that there’s an issue? And how this totally interrupted your workflow trying to get that patch out the door? This puts you in a position of being reactive. You’re going to look at it and ask yourself, can we get this …
Imagine you’ve got a project, a legacy system that is of moderate complexity, or maybe you’re new to this sort of application scanning. You turn it on for the first time, and you’re inundated with data that you were unaware of before. This leads us to two specific questions. What is a good approach to …
Lesson 2 Overview So, we’ve got some good news! The market is shifting and development teams are gaining budget authority to purchase tools that fit their needs better. This means going beyond vulnerability identification and warnings by integrating dependency management directly into your DevOps tooling. Develop Smarter, Not Harder Using open source libraries to build …
