From the course: DevSecOps: Building a Secure Continuous Delivery Pipeline


Options for software composition analysis


- [Instructor] Okay, we've covered two tools so far, OWASP Dependency-Check and Retire.js. Both of these are great tools, but there are several others that are worth considering. If you're doing Ruby development, then bundler-audit is worth taking a look at. It checks for vulnerable gems and insecure gem sources. It also allows overrides if you're using a gem that you need and have worked around the vulnerability. What's great is that it doesn't require a network connection, which means that it's really fast to run. Another open source option to look at is PHP Security Checker. Like the others, it looks for common libraries that you're using, but shouldn't be. Of course we should mention there are a lot of commercial options. A few to consider are Sonatype, Black Duck, Veracode, and WhiteSource. I really do like Sonatype Nexus. They have a ton of data from running the central repository for Maven for all of these years. This experience parlays into their Nexus Pro offering. So far, we've…
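To make the three bundler-audit behaviours the instructor mentions concrete (offline advisory matching, insecure gem source detection, and overrides for advisories you have already worked around), here is an added Ruby example that is not part of the course and is not bundler-audit's own code. The advisory IDs, the `Gemfile.lock` text and the `audit`/`parse_lockfile` function names are all constructed for illustration.

```ruby
# Added example: a minimal, offline stand-in for what bundler-audit does.
# It parses a Gemfile.lock, flags non-HTTPS gem sources, compares pinned gem
# versions against a local advisory list, and honours an ignore list for
# advisories the team has mitigated some other way. All data is constructed.
require 'rubygems'

# Constructed advisory entries (the real tool reads ruby-advisory-db from disk).
ADVISORIES = [
  { id: 'EXAMPLE-2024-0001', gem: 'rack',     patched: ['>= 2.2.8'] },
  { id: 'EXAMPLE-2024-0002', gem: 'nokogiri', patched: ['>= 1.16.0'] },
].freeze

# Pull "remote:" sources and top-level "name (version)" specs out of a lockfile.
def parse_lockfile(text)
  sources = text.scan(/^\s*remote:\s*(\S+)/).flatten
  gems = text.scan(/^    ([A-Za-z0-9_.-]+) \(([^)]+)\)$/)
  { sources: sources, gems: gems }
end

# Returns an array of finding hashes; an empty array means the lockfile is clean.
def audit(lockfile, advisories: ADVISORIES, ignore: [])
  parsed = parse_lockfile(lockfile)
  findings = []
  parsed[:sources].each do |src|
    findings << { type: :insecure_source, source: src } unless src.start_with?('https://')
  end
  parsed[:gems].each do |name, ver|
    advisories.each do |adv|
      next unless adv[:gem] == name
      next if ignore.include?(adv[:id])          # explicit override for a worked-around issue
      patched = Gem::Requirement.new(adv[:patched])
      next if patched.satisfied_by?(Gem::Version.new(ver))
      findings << { type: :vulnerable_gem, gem: name, version: ver, id: adv[:id] }
    end
  end
  findings
end

# Constructed sample lockfile: one plain-HTTP source and one outdated gem.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: http://rubygems.example/
    specs:
      nokogiri (1.16.2)
      rack (2.2.3)
      rake (13.0.6)
LOCK

audit(SAMPLE_LOCK).each { |f| puts f.inspect } if $PROGRAM_NAME == __FILE__
```

Running it reports the HTTP source and rack 2.2.3 (below the patched 2.2.8); passing `ignore: ['EXAMPLE-2024-0001']` suppresses the rack finding the way a bundler-audit ignore entry would.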
