LOGBOOK

HELP

Quiz Entry - updated: 2026.06.23

What is dependency analysis and why is it critical for software security?

Tracking and securing every third-party library you use — critical because you inherit all of their vulnerabilities, even with perfectly secure first-party code.

Dependency analysis means tracking and securing all third-party components (libraries, frameworks, packages) your software uses.

Why it's critical:

  • Modern apps use hundreds of dependencies
  • Each dependency can have its own vulnerabilities
  • You inherit all vulnerabilities of your dependencies
  • Supply chain attacks specifically target popular packages

Key practices:

  1. SBOM (Software Bill of Materials) — Complete inventory of all dependencies
  2. Version management — Keep dependencies updated, especially security patches
  3. CVE scanning — Regularly check against NVD/CVE databases
  4. Automated scanning — Integrate into CI/CD (npm audit, OWASP Dependency-Check, Snyk)
  5. Update triggers — Re-scan when vulnerability databases update, not just on builds

Example: Your app has no SQL injection bugs, but a logging library has CVE-2021-44228 (Log4Shell). You're still vulnerable.

See: OWASP Dependency-Check

From Quiz: SPRG / Secure Programming Introduction | Updated: Jun 23, 2026