Most modern software relies on external libraries, code, or other software to function; this reliance is referred to as a software dependency. The external piece of software is a package: a combination of metadata, configuration and software, prepared so that a package management program can install the software and its related configuration data on a computer.
Software projects typically rely on both direct and transitive dependencies. An application relies on its direct dependencies outright: it could not function without them. Transitive dependencies are second-level components that your code does not call directly; instead, one of your direct dependencies pulls them in for its own needs. All these relationships can be hard to track, which is why developers often use tools like Maven to manage and track their dependencies (this is also exactly where you will find Packagecloud superbly useful, shameless plug).
Now, dependencies are a good thing: they let developers ship faster and reuse existing code. Dependencies save time and money.
There are cons as well, as you may have guessed.
Threats can come from proprietary and open-source software dependencies. Even code that comes from within your organization could contain vulnerabilities! The SolarWinds data breach proved that. In the SolarWinds attack, hackers gained access to the company’s network and inserted malicious code into the product. The malicious code was added before SolarWinds shipped the product to clients. Not surprisingly, the company and its clients assumed they had an effective, secure IT performance monitoring system. Later, several government agencies and multinational corporations discovered that the hackers had slipped backdoors into the code. Among other government agencies, the SolarWinds attack compromised data from the U.S. Department of Justice, Homeland Security, and the Department of Defense, including the National Security Agency (NSA).
Popular open-source components are appealing to hackers. If they can find a way to insert malware into a piece of code that is downloaded in large numbers, the attack surface increases manifold. Malicious agents may even intentionally build open-source software dependencies that contain malware; once enough developers add the component to their products, the agent can tap into the malware to make mischief.
Making sure you ship only secure software
Knowing an application’s software components is critical to protecting users from malicious code. Currently, that requires a Software Bill of Materials (SBOM) for every piece of software. An SBOM lists every proprietary and open-source component the software contains. It also ranks potential security threats, so development teams can make informed decisions.
You also need to choose a reliable package manager to defend against dependency confusion and substitution attacks.
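To make the direct/transitive distinction and the SBOM idea above concrete, here is an added example (not code from the original post or from Packagecloud) that walks a constructed, lockfile-style dependency graph, labels each component as direct or transitive with the path that pulled it in, and flags a component whose name carries the organisation's internal prefix but was fetched from a public index, the resolution pattern a dependency-confusion or substitution attack leaves behind. The package names, the "private"/"public" source labels and the "acme-" prefix are all assumptions made up for the illustration.

```python
from collections import deque

# Constructed lockfile-style metadata (hypothetical package names, not real ones):
# name -> (index it was fetched from, list of declared dependencies)
LOCK = {
    "webapp":     ("private", ["httpclient", "acme-auth"]),
    "httpclient": ("public",  ["urlparse", "tlswrap"]),
    "tlswrap":    ("public",  ["certstore"]),
    "urlparse":   ("public",  []),
    "certstore":  ("public",  ["urlparse"]),
    "acme-auth":  ("public",  ["jwtlib"]),  # internal name, but served from a public index
    "jwtlib":     ("public",  []),
}

def resolve(root, lock):
    """Breadth-first walk of the dependency graph from `root`.

    Returns name -> (depth, path): depth 1 is a direct dependency, depth >= 2
    a transitive one, and `path` shows which direct dependency pulled it in.
    """
    seen = {}
    queue = deque((dep, 1, [root, dep]) for dep in lock[root][1])
    while queue:
        name, depth, path = queue.popleft()
        if name in seen:  # first visit is the shortest path; keep it
            continue
        seen[name] = (depth, path)
        for child in lock.get(name, ("unknown", []))[1]:
            queue.append((child, depth + 1, path + [child]))
    return seen

def sbom(root, lock, internal_prefix):
    """SBOM-style component list with a dependency-confusion flag.

    A component carrying the organisation's internal name prefix that was
    fetched from a public index is flagged: that is the trace a dependency
    confusion or substitution attack leaves in the resolved graph.
    """
    rows = []
    for name, (depth, path) in sorted(resolve(root, lock).items()):
        source = lock.get(name, ("unknown", []))[0]
        rows.append({
            "component": name,
            "kind": "direct" if depth == 1 else "transitive",
            "via": " -> ".join(path),
            "source": source,
            "suspicious": name.startswith(internal_prefix) and source != "private",
        })
    return rows
```

Calling `sbom("webapp", LOCK, "acme-")` lists six components; `certstore` shows up as transitive via `httpclient -> tlswrap`, and `acme-auth` is flagged because an internal name resolved from the public index.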
Dependencies can be complex, but they do not have to be complicated. Now you know!