OWASP Dependency-Check: How Does It Work?

The Open Web Application Security Project (OWASP) is an online community that produces free, publicly available articles, methodologies, documentation, tools, and technologies in the field of web application security.

Open source components have become an integral part of software development. According to WhiteSource’s Annual State of Vulnerabilities Report, 96.8% of developers rely on open source components. Such widespread use requires developers to take a more proactive approach to open source security management: throughout the development process they need to verify that the software they create and maintain does not ship with vulnerable components.

In hopes of making work with open source components more secure, the good folks at OWASP have released OWASP Dependency-Check, a free utility created for developers that identifies project dependencies and checks whether they contain any known, publicly disclosed, open source vulnerabilities. It does this by collecting evidence about each dependency (file names, manifests, build descriptors and package metadata), deriving Common Platform Enumeration (CPE) identifiers from that evidence, and matching them against a locally cached copy of the National Vulnerability Database (NVD); any CVE associated with a matching CPE is reported against the dependency.

We’ve taken a look at the OWASP Dependency-Check’s functionality, along with its features and integrations, and I’m here to share what we found.

Programming Languages and Integrations

OWASP Dependency-Check currently supports five programming languages. Java and .NET are fully supported, and experimental support is provided for Ruby, Node.js, and Python. The experimental analyzers are disabled by default and have to be switched on explicitly (the command-line flag is --enableExperimental), so a scan of a Ruby, Node.js or Python project that omits this produces no findings for those ecosystems.

The widespread adoption of open source requires developers concerned with the security of their software projects to integrate open source management tools into the Software Development Lifecycle (SDLC). Dependency-Check lets developers stay on top of their open source components early in the development process because it runs from the command line. This makes it straightforward to hook into other tools, build systems and APIs, so that known vulnerabilities are detected as early in the CI/CD pipeline as possible without slowing development down. One practical caveat: the tool needs a current copy of the NVD data, which it downloads and caches on first run, so CI jobs should persist that cache between runs rather than re-download it every time.
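The CI gate described above, as an added example that is not code from the original post or from the Dependency-Check project: it assumes the CLI has already produced a JSON report (for instance with dependency-check.sh --project myapp --scan ./target --format JSON --out ./odc-report), reads the report's dependencies and their vulnerabilities, and returns a non-zero exit code when any unsuppressed finding reaches a CVSS threshold. The report layout it reads (a dependencies list whose entries carry a vulnerabilities list with name, severity and cvssv3/cvssv2 scores) follows the tool's JSON report; the embedded sample report is constructed, and the suppressed argument is a simplification of the tool's own suppression file.

```python
"""Gate a CI build on an OWASP Dependency-Check JSON report.

Added example, not part of the original post or of the Dependency-Check
project. Assumes a report produced by a command such as:

    dependency-check.sh --project myapp --scan ./target \
        --format JSON --out ./odc-report --failOnCVSS 7

The CLI's own --failOnCVSS already exits non-zero at the threshold; this
script shows the same decision made from the report, so a pipeline can
also list what tripped the gate and honour a reviewed suppression list.
"""
import json
import sys

# Constructed sample report; only the fields the gate reads are included.
# CVE ids and scores are real NVD entries for these library versions.
SAMPLE_REPORT = json.dumps({
    "projectInfo": {"name": "myapp"},
    "dependencies": [
        {"fileName": "log4j-core-2.14.1.jar",
         "vulnerabilities": [
             {"source": "NVD", "name": "CVE-2021-44228",
              "severity": "CRITICAL", "cvssv3": {"baseScore": 10.0}}]},
        {"fileName": "commons-text-1.9.jar",
         "vulnerabilities": [
             {"source": "NVD", "name": "CVE-2022-42889",
              "severity": "CRITICAL", "cvssv3": {"baseScore": 9.8}}]},
        {"fileName": "guava-28.0-jre.jar",
         "vulnerabilities": [
             # Older finding carrying only a CVSS v2 score (constructed case
             # to exercise the v2 fallback below).
             {"source": "NVD", "name": "CVE-2020-8908",
              "severity": "LOW", "cvssv2": {"score": 2.1}}]},
        {"fileName": "slf4j-api-1.7.25.jar"},   # clean: no vulnerabilities key
    ],
})


def _score(vuln):
    """Return the best available CVSS base score for one finding (v3 first)."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return None


def findings_at_or_above(report, threshold, suppressed=()):
    """List (dependency file, CVE id, score) for every finding >= threshold.

    ``suppressed`` is a hypothetical, simplified stand-in for a reviewed
    Dependency-Check suppression file: CVE ids in it are skipped.
    """
    hits = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            if vuln["name"] in suppressed:
                continue
            score = _score(vuln)
            if score is not None and score >= threshold:
                hits.append((dep["fileName"], vuln["name"], score))
    # Highest score first so the worst finding leads the build log.
    return sorted(hits, key=lambda h: -h[2])


def gate_build(report_text, threshold=7.0, suppressed=()):
    """Return (exit_code, hits): exit 1 when any finding meets the threshold."""
    report = json.loads(report_text)
    hits = findings_at_or_above(report, threshold, suppressed)
    return (1 if hits else 0), hits


if __name__ == "__main__":
    # Usage: python odc_gate.py [dependency-check-report.json] [threshold]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    code, hits = gate_build(text, threshold)
    for dep, cve, score in hits:
        print(f"FAIL  {dep}: {cve} (CVSS {score})")
    print("build gate:", "FAIL" if code else "PASS")
    sys.exit(code)
```

Run against the constructed sample with the default threshold of 7.0, the gate fails on the log4j and commons-text findings and ignores the low-scoring guava entry; raising the threshold to 10.0 leaves only CVE-2021-44228, and suppressing both critical ids makes the gate pass. The same exit code is what a Jenkins or other CI stage should key on.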

OWASP’s tool also has a Jenkins plugin and can fail the build, allowing you to make (Read more…)

*** This is a Security Bloggers Network syndicated blog from Blog – WhiteSource authored by Shiri Ivtsan. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/owasp-dependency-check