Benchmarking Dependency Analysis Tools


This open-source framework for evaluating dependency analysis tools can help developers address the security issue of using components with known vulnerabilities.


The OWASP Top 10 2017 lists A9, "Using Components with Known Vulnerabilities," as a major security issue facing companies. The recent Equifax data breach was caused by a known vulnerability in the Apache Struts library; it was an instance of A9. Several vendors offer products that claim to address this problem, but it is often very difficult to compare and contrast the results of the tools that do dependency analysis. We recently released an open-source Evaluation Framework for Dependency Analysis (EFDA) to help address this challenge.

EFDA provides a set of test cases and scoring criteria for benchmarking dependency analysis tools. It currently covers 8 languages across 17 package managers and has 38 test scenarios. The idea is that you run the tool under evaluation against each test case and compare its output with the expected result. Each passing test earns a point that contributes towards the total, and you can customise the importance of a given test by assigning it a weight. A public EFDA Spreadsheet computes the weighted total score.
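To make the scoring model concrete, here is an added Python example that scores one tool run against a set of weighted test cases. It is not code from EFDA or from the article: the test-case layout, the pass rule (a case passes when every component it must flag is reported and none of the components it must not flag are), the package names, the case names and the tool output are all constructed for illustration and are not EFDA's actual format.

```python
"""Weighted scoring of a dependency-analysis benchmark run.

Added example, not EFDA's code: the case layout, pass rule, package names
and tool output below are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TestCase:
    name: str                                 # hypothetical "<package manager>/<scenario>" id
    must_report: frozenset = frozenset()      # vulnerable components the tool has to flag
    must_not_report: frozenset = frozenset()  # clean components it must leave alone
    weight: float = 1.0                       # evaluator-assigned importance of this case


def passed(case: TestCase, reported: frozenset) -> bool:
    """Assumed pass rule: all required findings present, no forbidden ones."""
    return case.must_report <= reported and not (case.must_not_report & reported)


def score(cases, results):
    """Score one tool run.

    `results` maps case name -> set of components the tool reported for that
    case; a case the tool produced no output for counts as an empty report.
    Returns (earned_weight, possible_weight, names_of_failed_cases).
    """
    earned = 0.0
    possible = 0.0
    failed = []
    for case in cases:
        possible += case.weight
        reported = frozenset(results.get(case.name, ()))
        if passed(case, reported):
            earned += case.weight
        else:
            failed.append(case.name)
    return earned, possible, failed


def percentage(earned: float, possible: float) -> float:
    """Weighted pass rate as a percentage; 0.0 when there are no cases."""
    return 0.0 if possible == 0 else 100.0 * earned / possible


# Constructed sample: four hypothetical cases; the transitive-dependency case
# is weighted higher because missing it is the more damaging failure.
SAMPLE_CASES = [
    TestCase("pip/direct-known-vuln", must_report=frozenset({"pkg-a@1.0"})),
    TestCase("pip/transitive-known-vuln", must_report=frozenset({"pkg-b@2.3"}), weight=2.0),
    TestCase("npm/patched-version", must_not_report=frozenset({"pkg-c@4.1"})),
    TestCase("maven/shaded-jar", must_report=frozenset({"pkg-d@3.2"}), weight=1.5),
]

# Constructed output of a hypothetical tool: it misses the transitive case and
# raises a false positive on the patched package. The extra "pkg-e@0.9" finding
# in the shaded-jar case is not penalised under this pass rule.
SAMPLE_RESULTS = {
    "pip/direct-known-vuln": {"pkg-a@1.0"},
    "pip/transitive-known-vuln": set(),
    "npm/patched-version": {"pkg-c@4.1"},
    "maven/shaded-jar": {"pkg-d@3.2", "pkg-e@0.9"},
}


if __name__ == "__main__":
    earned, possible, failed = score(SAMPLE_CASES, SAMPLE_RESULTS)
    print(f"score: {earned}/{possible} ({percentage(earned, possible):.1f}%)")
    for name in failed:
        print(f"  FAIL {name}")
```

With the constructed data the tool earns 2.5 of a possible 5.5 weighted points: the two unweighted cases it passes are worth 1.0 and 1.5, while the failed transitive case alone costs 2.0. That is the practical effect of weighting, and it is why a benchmark should let evaluators assign weights instead of counting every scenario equally.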

The full details of the framework and the thinking behind its design are given here. We welcome everyone to contribute to the project by suggesting more tests, or by benchmarking dependency analysis tools and publishing the results.
