Checking your project dependencies for vulnerabilities

In the light of the recent case of malicious code being introduced through a popular JavaScript module on npm, I'd like to mention snyk.io.

In the simple, free-of-charge scenario, snyk.io scans the build or dependency files of your GitHub or GitLab projects and periodically reports vulnerabilities. Snyk supports Node, Ruby, Java, Scala and Python projects.

If you pay for snyk.io, you get many more integrations, CLI and API access, etc.

In my own trial I found that even for a fairly recent Spring Boot and Apache Camel dependency tree there are a dozen high-rated vulnerabilities! (Many of them by using “com.fasterxml.jackson.core:jackson-databind@2.9.1”.) So the next question is whether it’s advisable to upgrade to a secure patch of – say – jackson-databind although I use it only indirectly – in other words: will the dependent framework still work with the secure patch version?

An open-source alternative is OWASP Dependency-Check. It scans Java and .NET dependencies and has experimental support for Python, Ruby, PHP (Composer) and Node.js applications. The tool seems to be JVM-based. There is a SonarQube plugin. I have not tried it myself.
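To make the two points above concrete (overriding a vulnerable transitive dependency such as jackson-databind, and running OWASP Dependency-Check as part of the build), here is an added pom.xml example. It is not from the original post, from Snyk or from the OWASP project. Assumptions: the Maven coordinates `com.example:transitive-dep-demo` are placeholders, `spring-boot-starter-web` stands in for any framework that pulls jackson-databind in indirectly, and the two `*_PLACEHOLDER` values must be replaced with the patched version named in your scanner report and the framework version you actually use.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Placeholder coordinates for the example project. -->
  <groupId>com.example</groupId>
  <artifactId>transitive-dep-demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- PLACEHOLDER: take the patched jackson-databind release from the
         scanner report; this is not a real version number. -->
    <jackson-databind.version>PATCHED_VERSION_PLACEHOLDER</jackson-databind.version>
  </properties>

  <!-- A version managed here wins over the version inherited from a parent
       POM (e.g. spring-boot-starter-parent) or chosen transitively by a
       framework, so jackson-databind is upgraded without touching the
       framework dependency itself. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson-databind.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The framework artifact that depends on jackson-databind indirectly.
         spring-boot-starter-web is used as a real example; the version is a
         placeholder. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <version>FRAMEWORK_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- OWASP Dependency-Check as a build gate: the "check" goal scans the
           resolved dependency tree (transitive dependencies included) and
           fails the build if any finding reaches the CVSS threshold. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <!-- Pin a <version> you have verified; none is guessed here, so
             Maven resolves the latest release with a warning. -->
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Check that the override actually took effect with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`, which prints only the Jackson artifacts and the version Maven resolved for each. `mvn verify` then runs the framework's own code against the patched library through your test suite and, in the same build, the Dependency-Check gate. That is the practical answer to the "will the framework still work" question: a patch-level upgrade within the same minor line is the least risky choice, and the tests tell you whether the override broke anything.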

GOTO Berlin 2017

The last two days I spent at the GOTO Berlin 2017 conference. It’s a conference “by developers for developers”. Three out of four keynote speakers were women (last year four out of four); I have got the impression that inclusiveness is an important part of the conference. There seem to be more female attendees than at other tech conferences.

I enjoyed the conference: the keynotes, the talks, the food and the beverages, the people.

The first keynote on Thursday was held by Anita Sengupta about “The future of Mars exploration“. In the first part, she focused on the Curiosity mission. She developed the parachute that was used during the descent on Mars. Cool. Prof. Sengupta showed us some actual video footage from the mission. In the second part of her talk she talked about the challenges that a human mission to Mars would face, especially radiation.

The evening keynote on Thursday “Number crush” was held by Hannah Fry. She showcased some interesting data from human (and cow) behaviour. It’s hard to summarize her talk in a few sentences. Make sure to check out her website.

Raffaello D’Andrea held the morning keynote on Friday on autonomous drones. He was part of Kiva Systems, a company that builds robots that bring stuff in a warehouse to human packers. It got acquired by Amazon, which uses this technology in its warehouses. It’s astonishing to see all these robots moving around bringing stuff from A to B. The main theme was the autonomous drones D’Andrea developed in a company called Verity Studios. They are used on Broadway and in Metallica concerts. Key concerns for him are safety (no drone is going to crash) and reliability. Very impressive!!!

Susan Landau held the evening keynote on Friday on “Cybersecurity in an Insecure Age“. She talked about end-to-end encryption and locked phones. A thing that was new to me is “tainted leaks” where documents from “a target” are stolen, messed with and then “leaked” in order to discredit the target and generally generate mistrust.

Attendee Joy Clark did some cool sketch notes of the keynotes and some talks.

I especially enjoyed the talks by Dan North (“How to break the rules” and “Agile revisited“), Gregor Hohpe (“Adopting DevOps? You are Aiming at the Wrong Target!” and “Enterprise Architecture = Architecting the Enterprise?“), Steve Smith (“Measuring Continuous Delivery“) and Adam Tornhill (“A Crystal Ball to Prioritize Technical Debt“).
