Friday, June 28 • 11:00am - 11:30am
OWASP Dependency Track Fortifying the Supply Chain


Modern application development relies heavily on third-party components, introducing vulnerabilities from the vast and ever-evolving software supply chain. This abstract highlights how OWASP Dependency-Track empowers developers and security professionals to proactively fortify their applications throughout the development lifecycle.

In the current threat landscape, software supply chains pose a significant risk to organizations. Malicious actors are increasingly targeting these interconnected ecosystems, exploiting weaknesses in third-party components to gain access to critical systems. This presentation explores Dependency-Track, an OWASP flagship project: an open-source, intelligent component analysis platform driven by Software Bill of Materials (SBOM) data. It helps organizations maintain an accurate inventory of their software components and identify the vulnerable ones.

We'll dive into how OWASP Dependency-Track empowers users to:

Gain Complete Visibility: Dependency-Track helps discover and track the usage of libraries, third-party components and services used by your application, providing full-stack traceability for enterprises. This enterprise-ready, single source of truth gives a clear view of your attack surface, enabling informed decision-making.

Continuously Monitor for Vulnerabilities and Compromised Components: Dependency-Track integrates with multiple vulnerability intelligence sources such as the NVD, Sonatype OSS Index, VulnDB, Snyk and Trivy to proactively identify known security issues within your dependencies. Receive timely alerts through popular collaboration tools such as Slack and Microsoft Teams, and prioritize remediation efforts based on severity and exploitability.

Malicious Component Identification: Dependency-Track's new integrity analysis feature empowers users to continuously analyze their portfolio for potentially malicious components and operational risk within their software supply chain. Dependency-Track can also detect known backdoors (like xz) using multiple intelligence sources and its policy feature.

Automate Vulnerability and License Management: Dependency-Track enables organizations to enforce license policy compliance across their portfolio and to produce CycloneDX Vulnerability Disclosure Reports (VDR).

Speakers

Vinod Anandan

SVP of Application Security
Vinod is an SVP of Application Security. He leads a team of DevSecOps engineers and architects who develop tools and services that improve both security and the developer experience. Vinod spends most of his time helping open source projects and standards.


Friday June 28, 2024 11:00am - 11:30am WEST
Room: 5C-CCL