I want to start by stating this tool is simply AMAZING! This tool is the brainchild of Stevev Springett. It is also a result of the fantastic tool OWASP Dependency Check, the brainchild of Jeremy Long. If you are responsible for the security of your applications, I cannot recommend this tool enough. It's Open Source, which means there is no cost associated with, other than the costs of actually running it.
Why It Is So Good
I have worked with several tools in the past, which in some way or another, which attempt to perform some security aspect to 3rd party libraries. Some of these tools are good, however they were not designed to report on 3rd party library vulnerabilities. OWASP Dependency Track does this so well, since that it is all it does. It does one thing, and it does it really well.
To me the biggest selling points are:
- A single location to get a snap shot of all libraries being used by your software.
- A single location to manage all reported findings.
- Ability to view which of your software components are using a library. This is something that I've seen being a difficult task over the years. For example, there is a Struts 2 vulnerability which is announced. There is usually a mad scramble to try identify what components are using it. Well now just go view it in Dependency Track and you have your answer.
- Trivial integration. This is a huge selling point. For developers this is as simple as copying and pasting a few lines of XML configuration into their POM files. Integration into Jenkins is even simpler.
Why Is This So Important
Vulnerabilities in 3rd party components is becoming more and more of an issue. Software development over the years has changed significantly with the rise of Open Source. We no longer need to develop things from the ground up. There are thousands upond thousands of libraries freely available, which greatly help reduce the need to develop features and functions from the gound up. But that introduces a new risk to the organization. These libraries are developed by humans, and humans make mistakes. So there are bound to be security related vulnerabilities in these libraries. Some of these vulnerabilities can be rather severe, just ask the likes of Equifax.
So it's vital to keep on top of things and ensure that you are tracking the vulnerabilities in the libraries used by your software, and perform the appropriate remediation efforts (almost always to update to a later version). Having a central tool to manage these efforts is vital, especially if you have a large number of components and services to protect. A job which OWASP Dependency Track does really well.