When one open-source package riddled with vulns pulls in dozens of others, what's a dev to do?


Open-source security specialist Snyk has released a new survey combining data on vulnerabilities in available packages with responses from developers and DevOps teams about how they handle the challenge this poses.


The problem is easy to state. Software development today typically relies on packages from online repositories. A developer sitting down to build a web application starts by installing libraries from npm (more than 1 million JavaScript packages to choose from), Maven (for Java), NuGet (for .NET) or PyPI (for Python).


Each package may, and usually will, pull in further packages on which it depends. The result is a large body of code that ships with the application but was never written by the developer, and that may contain security vulnerabilities.
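The transitive-dependency problem described above, as an added illustration (not code from Snyk or from the survey): the graph and advisory identifiers below are constructed for the example, and the script walks a flattened lockfile-style graph to show how many installed packages the developer never chose directly, and which direct dependency pulls in each vulnerable one (the package that actually has to be upgraded or replaced).

```python
from collections import deque

# Constructed dependency graph in the shape of a flattened npm lockfile:
# package -> packages it depends on. Hypothetical names, not real packages.
DEPS = {
    "app": ["web-framework", "http-client"],
    "web-framework": ["template-engine", "cookie-utils"],
    "http-client": ["url-parser"],
    "template-engine": ["string-escape"],
    "cookie-utils": ["string-escape"],
    "url-parser": [],
    "string-escape": [],
}

# Constructed advisory list with placeholder identifiers, not real CVEs.
VULNERABLE = {"string-escape": "EXAMPLE-ADV-001", "url-parser": "EXAMPLE-ADV-002"}


def transitive_closure(root, deps):
    """Every package that ends up installed because `root` is installed."""
    seen, queue = set(), deque(deps.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg not in seen:
            seen.add(pkg)
            queue.extend(deps.get(pkg, []))
    return seen


def vulnerable_paths(root, deps, advisories):
    """Map each vulnerable package to every dependency path reaching it.
    Each path starts at a direct dependency of `root`, so it names the
    top-level package that must be upgraded or replaced to remove it."""
    paths = {}
    stack = [(d, [d]) for d in deps.get(root, [])]
    while stack:
        pkg, path = stack.pop()
        if pkg in advisories:
            paths.setdefault(pkg, []).append(path)
        for child in deps.get(pkg, []):
            if child not in path:  # guard against dependency cycles
                stack.append((child, path + [child]))
    return paths


def report(root="app", deps=DEPS, advisories=VULNERABLE):
    installed = transitive_closure(root, deps)
    direct = set(deps.get(root, []))
    hits = vulnerable_paths(root, deps, advisories)
    return {
        "installed": len(installed),
        "direct": len(direct),
        "transitive_only": len(installed - direct),
        "vulnerable": {p: {"advisory": advisories[p], "via": sorted({x[0] for x in ps})}
                       for p, ps in hits.items()},
    }
```

On the constructed graph, two direct dependencies bring in four more packages, and both vulnerable packages are transitive: fixing them means updating `web-framework` and `http-client`, not the vulnerable packages themselves.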

