Beyond "Just Update All the Things": Uncovering the Nuances of Dependency Security
Offered By: OpenSSF via YouTube
Course Description
Overview
Explore the complexities of dependency security management in this 19-minute conference talk by Rex Pan and Holly Gong from Google, presented at OpenSSF. Delve into the challenges of keeping project dependencies safe from vulnerabilities, going beyond the simplistic "update everything" approach. Uncover the hidden intricacies of dependency management, including breaking changes, maintenance burdens, and ecosystem complexities. Learn about the OSV project's developer-centric solutions, including the OSV Schema, OSV.dev, and OSV-Scanner. Discover strategies for seamlessly integrating dependency awareness and remediation into developer workflows. Examine the importance of container image scanning for identifying and patching vulnerabilities beyond initial releases.
Syllabus
Beyond "Just Update All the Things": Uncovering the Nuances of Dependency Se... Rex Pan & Holly Gong
Taught by
OpenSSF
Related Courses
Penetration Testing - Discovering Vulnerabilities
New York University (NYU) via edX
The Complete Cyber Security Course : Network Security!
Udemy
Certified Ethical Hacker Preparation Course
Udemy
The Ethical Hacking Starter Kit: 12 Techniques
Udemy
Technical Weakness Identification with Nikto
Pluralsight