Software dependencies: a code library or package that is reused in a new piece of software. These software dependencies can come in two forms:
Direct: Libraries or packages your code calls directly (ie. a binary calls a method or function of another binary)
Transitive: Libraries or packages your dependencies call. These are dependencies of dependencies (ie. a binary makes a call to another through an intermediary).
By using pre-built software dependencies, developers can deliver software faster and on shorter release cycles. Yet dependencies introduce risks that are often overlooked. That is where Tromzo comes in with our unified developer-first application security management platform to:
Aggregate all dependencies (GitHub, Snyk, Aqua, etc.), associate that context with ownership metadata, allowing your AppSec team to know which developers and what teams own which dependencies. Additionally, we pull in licensing data and how relevant/fresh they are.
Implement security guardrails in CI/CD to enforce policies, guaranteeing proper hygiene of dependencies and ensuring every repository or container is scanned by a dependency/container scanner.
Automate vulnerability management by preventing insecure versions of dependencies being introduced and automatically triage vulnerabilities based on data that indicates whether it is a direct or transitive dependency, in a high risk code repository, or an unused internal code repository.