Part Two!
QUICK TIP
THE PROS AND CONS OF OWASP’S DEPENDENCYTRACK
DATA SECURITY STANDARDS
Missed part one of this series? Then turn to page 66
For a refresher on setting up CI/CD pipelines in GitLab, check out the previous tutorial in this series, or head on over to https://blog.plaintextnerds.com where there’s a dedicated tutorial series on GitLab CI/CD.
If you have the time and resources to manage and maintain it, then it’s possible to build a complete self-hosted SCA solution, including all of the reporting features that you need, by utilising the OWASP Foundation’s DependencyTrack. This uses a Software Bill of Materials (SBOM) to carry out a lot of the same analytics and issue tracking as Snyk. An SBOM is, of course, the output of another OWASP project: CycloneDX. DependencyTrack has a lot of good things going for it: a modern “dark mode” UI, policy compliance testing, impact analysis, time-series metrics, various SSO solutions, and it’s completely open source, too.
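As an added example, not taken from the article or from the DependencyTrack project itself, here is the core of what a GitLab job has to do to feed DependencyTrack: build a CycloneDX SBOM and PUT it, base64-encoded, to the instance’s /api/v1/bom endpoint. The sample component list, the project name and the exact request fields are assumptions based on my reading of the v1 API, not anything the article states.

```python
import base64
import json
import urllib.request

# Constructed sample of what a package manager would report; not a real project.
SAMPLE_COMPONENTS = [("requests", "2.25.1"), ("urllib3", "1.26.4")]

def build_sbom(components, spec_version="1.4"):
    """Build a minimal CycloneDX SBOM (JSON form) from (name, version) pairs."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": spec_version,
        "version": 1,
        "components": [
            {"type": "library", "name": name, "version": version,
             # The purl is what DependencyTrack matches against vulnerability data
             "purl": f"pkg:pypi/{name}@{version}"}
            for name, version in components
        ],
    }

def bom_upload_payload(sbom, project_name, project_version):
    """Body for PUT /api/v1/bom: the SBOM travels base64-encoded; autoCreate
    lets a CI job create the project on first upload (assumed API shape)."""
    encoded = base64.b64encode(json.dumps(sbom).encode("utf-8")).decode("ascii")
    return {"projectName": project_name, "projectVersion": project_version,
            "autoCreate": True, "bom": encoded}

def decode_bom(payload):
    """Reverse of the encoding step, so a pipeline can check what it is sending."""
    return json.loads(base64.b64decode(payload["bom"]))

def upload_bom(base_url, api_key, payload):
    """PUT the payload to a DependencyTrack instance (base_url and api_key are
    placeholders for your own). Returns the HTTP status and the JSON response,
    which carries a processing token you can poll for analysis completion."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v1/bom",
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/json", "X-Api-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8"))
```

In a real pipeline the component list comes from a CycloneDX generator for your ecosystem rather than a hand-written list, and the API key should be a masked CI variable scoped to a team with only the BOM_UPLOAD permission.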
A lot of engineers like to rail against standards as pointless box-checking, and in some cases they are, especially when it comes to things like PCI-DSS. Fundamentally, any engineer can look at PCI-DSS and honestly say that it’s obvious, and that all of these things should be implemented anyway. But when you ask them whether they do, the answer is most often, “No, not all of it”. When you look at certain companies that are compliant (or are applying for certification) and see how much effort they put into “limiting the impact” of complying, you start to ask yourself, “If this is all obvious BCoP, then why is everyone afraid of it?”.