OWASP Flagship Projects - OWASP Dependency-Check

Explore OWASP Dependency-Check, a flagship project of the OWASP Foundation, in this 29-minute conference talk presented by Jeremy Long. Dive into the world of Software Composition Analysis and learn about primary data sources, including the National Vulnerability Database (NVD) and Common Vulnerability and Exposures (CVE) list. Understand the challenges in library identification, evidence-based identification issues, and strategies for dealing with false positives. Discover how to onboard an application and various use cases for dependency-check. Gain insights into vulnerability data sources and their importance in identifying security risks in software dependencies. Learn how to contribute to this open-source project and enhance the security of your applications.

Intro
Software Composition Analysis
Primary Data Sources
Vulnerability Data Source • National Vulnerability Database (NVD) List of Common Vulnerability and Exposures (CVE) • Each CVE entry contains • A description of the vulnerability
Library Identification Problems • Development & Security use different identifiers
Evidence Based Identification Issues
Dealing with False Positives Invalid dependency identification can be resolved using a suppression file
Onboarding an Application
Use Cases for dependency-check
How can you help?