Maintenance of dependencies
Problem
Maintenance of the software you use, and of all of its dependencies, should be treated as a problem in its own right!
Maintaining the software you use and all of its related dependencies is an absolute must. Software that is not kept up to date or replaced becomes a security risk over time; good software is maintained precisely to prevent failures and security risks. Like a car or a house, every kind of software needs maintenance.
Software maintenance means that software can be adjusted or replaced in order to solve problems or to prevent failures that cause trouble when left unfixed. Good generic software that is widely used should always be maintained. In essence, all software depends on other software, and every piece of software can have issues or vulnerabilities.
But knowing whether and when software should be updated, replaced or removed is not simple.
This is because modern software is built on top of many other software packages, and those packages are in turn all too often dependent on yet other packages.
Solution
Use FOSS solutions. A great security advantage of FOSS is that it is easier to find out what all the dependencies are.
More and more countries require by law that an SBOM is available for software in use. A software bill of materials (SBOM) is a minimum security baseline for checking whether you are exposed to known vulnerabilities.
A Software Bill of Materials (SBOM) is viewed as a solution for improving security. Many initiatives for SBOMs and SBOM standardisation have been tried in the last 20 years.
An SBOM is effectively a nested inventory: a list of ingredients that make up software components. It is “a formal record containing the details and supply chain relationships of various components used in building software”.
Caution
Remember that CVEs are never the complete truth, and most of the really nasty vulnerabilities are never reported as a CVE.
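To make the "nested inventory" concrete, here is an added example (not code from this page or from any SBOM project) that walks a constructed, minimal CycloneDX-style SBOM for a hypothetical application and matches every component, including transitive ones, against a constructed advisory feed. All component names, versions and the advisory id are made up; the check reports the dependency chain that pulled the affected component in, and by construction it can only ever find vulnerabilities that someone has already recorded, which is exactly the limitation the caution above describes.

```python
import json

# Constructed minimal CycloneDX-style SBOM for a hypothetical app (not a real project's).
# "components" is the flat inventory; "dependencies" records which component pulls in
# which, and that is what makes an SBOM a nested inventory rather than a plain list.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "pkg:app", "name": "myapp", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:web", "name": "webframework", "version": "2.3.1"},
    {"bom-ref": "pkg:tpl", "name": "templating", "version": "0.9.0"},
    {"bom-ref": "pkg:log", "name": "logger", "version": "1.4.2"}
  ],
  "dependencies": [
    {"ref": "pkg:app", "dependsOn": ["pkg:web"]},
    {"ref": "pkg:web", "dependsOn": ["pkg:tpl", "pkg:log"]}
  ]
}"""

# Constructed advisory feed keyed by (name, version); the id is a placeholder, not a real CVE.
KNOWN_VULNS = {("templating", "0.9.0"): "ADVISORY-PLACEHOLDER-1"}

def dependency_paths(root, comps, edges):
    """Depth-first walk from the root; returns ref -> chain of names that pulled it in."""
    paths, stack = {}, [(root, [comps[root]["name"]])]
    while stack:
        ref, path = stack.pop()
        if ref in paths:  # already reached (diamond or cycle): keep the first chain
            continue
        paths[ref] = path
        for child in edges.get(ref, []):
            stack.append((child, path + [comps[child]["name"]]))
    return paths

def find_known_vulnerabilities(sbom_text, known_vulns):
    """Match every component, direct or transitive, against the advisory feed."""
    sbom = json.loads(sbom_text)
    root = sbom["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    comps[root["bom-ref"]] = root
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    paths = dependency_paths(root["bom-ref"], comps, edges)
    findings = []
    for ref, comp in comps.items():
        advisory = known_vulns.get((comp["name"], comp["version"]))
        if advisory:  # only *known* issues surface here; unreported flaws stay invisible
            findings.append((" -> ".join(paths.get(ref, [comp["name"]])), advisory))
    return sorted(findings)
```

Calling `find_known_vulnerabilities(SBOM_JSON, KNOWN_VULNS)` reports the affected `templating` component together with the chain `myapp -> webframework -> templating`, showing that the exposure comes from a dependency of a dependency rather than from anything the application declares directly.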