Managing dependencies isn’t easy for developers, especially in large projects with dependencies from many different sources.
Staying organized when using dependencies is crucial both for productivity and security reasons, but can be a daunting task. Tips for managing dependencies often emphasize two primary messages: Establish Policies and Encourage Automation.
It is important that a company or organization establishes a specific set of policies for dependency use, as this can create routines that will help to avoid vulnerabilities and weaknesses. If a bit of extra work when dependencies are first put to use means policies are followed, this can help to prevent issues in the future, when resolving them would be far more time consuming and costly. Additionally, policies can help to instruct developers and security teams about how to handle threats, and will end up facilitating better dependency management.
Encouraging automation is also a top priority, as dependency management is complex and hard to keep organized. Automating dependency documentation can help current developers stay more organized and help future developers acquaint themselves with the dependencies that are currently in use. Using automatic updates can also help implement bug fixes immediately and reduce risk of software attacks due to weaknesses in outdated software.
The Following 6 Tips Can Help Developers with Productive Dependency Management
1 – Document Dependency Use and Maintain a List
Maintaining organized documentation of dependency use is a crucial first step to properly managing dependencies. Creating a list is a great place to start, and can be done with something as simple as a spreadsheet. For a more advanced approach, especially for larger organizations using more dependencies, usage can also be organized with more complex tools that integrate some automation and allow for communication and coordination throughout the organization.
Whatever method is chosen for listing and documenting dependencies, this can help developers by making it easier to understand the function of the dependency, and often includes relevant details like URLs indicating the locations of the latest versions of the software. This documentation facilitates the acquisition of new versions of the dependencies from the source when it is time to update, and enables quality assurance to identify the functions to test after upgrades. Without proper documentation of dependencies, dependency management may be handled by individual employees, leaving an organization vulnerable if one of those employees leaves.
2 – Update Dependency Documentation Continuously
Ensuring that dependencies are updated on a consistent basis is crucial to protecting your software and your company as a whole. When bugs in programs are found, attackers can move very quickly to exploit the software. Updating projects whenever possible is the easiest way to prevent this, fixing weak points before they’re targeted. Automated tests are also an excellent addition to an organization’s updating routine, and can be used to verify that updates work as expected by executing a test as soon as the source code changes.
3 – Verify the Integrity of Downloads
When working with any open source dependencies, it is good practice to verify the integrity of all downloads. Malicious software can corrupt projects, and should be watched for and avoided at all costs. When searching for a specific dependency on an online repository, be aware that malicious versions of software are sometimes placed on download sites in place of or in addition to the real, authentic version of the software. Dependency confusion attacks are also becoming more prevalent, in which malicious versions of software are published publicly under the same name as private libraries used in a company’s app-building processes, leading to automated package managers at the company mistakenly loading a malicious piece of software in their application.
4 – Use a Tool to Manage Dependencies
Security issues can arise in almost all types of software, including open source software. It can be difficult to keep up with and locate vulnerabilities in dependencies, so automating the process is incredibly helpful. Using automated tools to automatically scan dependencies for vulnerabilities saves time and keeps programs safer, as automated tools can conduct these scans both faster and with greater accuracy than a human developer. If these tools are integrated into the development process of programs, managing risks of attacks becomes far easier for developers.
5 – Contribute to Upstream Dependency Management
Contributing to projects upstream is not only a generous and cooperative thing to do when using open source software, but can be very responsible and proactive. If a company or organization relies on an open source dependency, it must be sustainable, and the developer must do what they can to ensure that support for the dependency is not abandoned. If the dependency is abandoned, bugs and/or weaknesses in the dependency (and therefore the program) could go unfixed, leading to these weaknesses being exploited by attackers before the developer has time to fix the problem themselves.
Contributing to upstream dependency management can be done in a number of ways. One of the most direct ways to contribute is by contributing code, but organizations can also purchase support contracts, contribute financially to projects, sponsor projects with infrastructure like test servers, and help make improvements with bug reports and fixes, feature requests and support for other users on forums. Contributing upstream encourages open source developers to continue to support their dependencies, which means that the creators will conduct their own maintenance and make most of their own fixes, which in turn ensures that those responsibilities don’t fall on your developers’ shoulders.
6 – Don’t Be Hesitant to Switch Software
When looking for dependencies to use, and even when currently using a dependency, ensure that developers prioritize quality over familiarity. When a developer has been using a certain dependency or software component for a long time, they may become too comfortable using that specific component, and may ignore or fail to notice better software alternatives available. Choosing a new type of software to use based on its quality rather than a developer’s familiarity with it may involve an adjustment period at first, but is a better choice in the long run.
Quality of dependencies can be difficult to quantify, but can often be indicated by several factors. The number of open bugs, the number of fixed bugs, the severity of the bugs and the number of commits for the open-source project over time are great indicators of quality, as they indicate how active the community is and how many developers are working on improving the code. Whether or not a new piece of code is familiar to your developers, the quality of the project should be the most important criteria when choosing dependencies to work with.