Modern software development teams use fast-paced DevOps work processes. However, the complexity of modern software applications often gets in the way. A typical enterprise software project has thousands of components, many of them third-party and open source components that are outside the control of development teams.
Developers have very low visibility into the libraries and dependencies included in third-party components. Even for proprietary components developed inside the organization, it is often unclear which are the hardware and software dependencies of each software element.
Broadly speaking, a dependency is something a software application needs in order to work properly. This can be anything from helper or utility functions to integrated systems, data flows, APIs, networks, and hardware.
Most commonly, dependencies are introduced when developers add third-party libraries into their code using package managers like npm or container image registries. Application dependency mapping (ADM) is the process of discovering and identifying the interactions and interdependencies between application components and their dependencies, to provide visibility over everything a software application needs to function properly.
Dependency Mapping for Cloud Migration
Migrating applications to the cloud typically involves determining which components to migrate and which to keep on-premises or retire. It also involves assessing whether you can migrate the application as-is by simply lifting and shifting it to the cloud or if it requires changes to fit into the new cloud environment.
Application-to-application code dependency mapping enables organizations to identify dependencies between a migrated application and additional applications considered for migration. These insights help identify vulnerable connections, determine the potential impact, and minimize risks before refactoring or rewriting code. This reduces the likelihood of breaking application dependencies, which could cause outages that may surface only after the migration.
Application-to-application code dependency mapping also helps define a cloud migration's performance and security implications. Most migrations involve opening firewall rules selectively rather than granting access to all personnel. Additionally, connections from the cloud back to a local data center may become high-frequency calls that slow down functions. In both scenarios, dependency mapping can surface the issues and their origins.
Determining the migration strategy
To modernize the application, you must choose between refactoring or rewriting it. A refactor strategy involves making changes to existing code, while a rewrite strategy involves writing code from scratch to suit the new environment. Application dependency mapping helps highlight the complexity, interconnectedness, and risk level of the application to indicate which strategy is the most efficient.
A cloud migration plan usually involves assessing your data. You need to determine whether to migrate all data alongside the application or divide the database, moving only certain tables to the cloud. Alternatively, you can replicate or cache the data in the cloud. Application dependency mapping can help you make an informed decision.
To migrate only a part of an application to the cloud, you must learn which pieces connect to each other. If the components targeted for migration are loosely coupled in the application, you should separate the application into microservices. However, if the part targeted for migration is tightly coupled, you should not split the application into microservices.
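The coupling and boundary questions above can be answered from a dependency map. The following is an added example, not code from the article: a constructed component graph (all names and edges are made up) from which we derive what a candidate component needs, which components sit in a dependency cycle with it (tightly coupled), and which calls would cross the cloud/on-prem boundary under a given partial migration.

```python
# Added example (not from the original article): reasoning about a partial
# cloud migration from a toy application dependency map. The components and
# edges below are constructed for illustration.

# component -> components it calls directly
DEPENDENCIES = {
    "web-frontend": ["order-service", "auth-service"],
    "order-service": ["inventory-service", "orders-db"],
    "inventory-service": ["order-service", "inventory-db"],  # cycle with order-service
    "auth-service": ["users-db"],
    "orders-db": [],
    "inventory-db": [],
    "users-db": [],
}


def transitive_dependencies(component, deps=DEPENDENCIES):
    """Everything `component` needs, directly or indirectly (excluding itself)."""
    seen, stack = set(), list(deps.get(component, []))
    while stack:
        node = stack.pop()
        if node in seen or node == component:
            continue
        seen.add(node)
        stack.extend(deps.get(node, []))
    return seen


def tightly_coupled_with(component, deps=DEPENDENCIES):
    """Components that `component` depends on and that depend back on it
    (a dependency cycle); these cannot be split off into separate services."""
    needs = transitive_dependencies(component, deps)
    return {c for c in needs if component in transitive_dependencies(c, deps)}


def boundary_crossings(migrate, deps=DEPENDENCIES):
    """Edges that would span the cloud/on-prem boundary if only the components
    in `migrate` move: each becomes a firewall-crossing, higher-latency call."""
    migrate = set(migrate)
    crossings = []
    for src, targets in deps.items():
        for dst in targets:
            if (src in migrate) != (dst in migrate):
                crossings.append((src, dst))
    return sorted(crossings)


if __name__ == "__main__":
    plan = {"order-service", "orders-db"}
    print("order-service needs:", sorted(transitive_dependencies("order-service")))
    print("tightly coupled with order-service:", sorted(tightly_coupled_with("order-service")))
    print("boundary crossings for plan:", boundary_crossings(plan))
```

In this constructed topology, order-service and inventory-service form a cycle, so moving one without the other would leave two boundary-crossing calls on the hot path.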
Dependency Management Best Practices for Cloud Operations
Cloud operations, also known as CloudOps, is a growing field that enables organizations to improve efficiency and reduce costs for enterprise cloud deployments. Here are a few dependency best practices that can provide a strong basis for CloudOps practices.
Version pinning restricts an application's dependency to one specific version. The downside of this practice is that it freezes the application in time: while pinning enables reproducibility, it also stops you from receiving updates as the dependency's maintainers keep publishing new releases with bug fixes, general improvements, or security fixes.
You can mitigate this by adding an automated dependency management tool to the source control repository. Such a tool monitors dependencies for new releases and automatically updates the requirement files, including details such as changelog data.
Signature and Hash Verification
There are various techniques to verify an artifact’s authenticity and ensure that this is the artifact you intend to install. Signature verification provides an added security layer to the verification process. Artifacts can be signed by software maintainers and artifact repositories.
Hash verification enables you to compare an artifact's hash with a known hash retrieved from your artifact repository. You need to enable hash verification to ensure dependencies cannot be replaced by malicious files through a compromise of the repository or a man-in-the-middle (MitM) attack. It requires trusting that the hash received from the repository during verification is not itself compromised.
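Version pinning and hash verification come together in a lockfile. The following is an added example, not the article's or any package manager's code: a constructed lockfile format (`name==version --hash=sha256:hex`) is parsed, and a fetched artifact is accepted only if its name, pinned version and SHA-256 digest all match, so a swapped or altered artifact is rejected before installation. The artifact bytes and lockfile are constructed for illustration.

```python
# Added example (not from the original article): verify a fetched artifact
# against the version and SHA-256 digest pinned in a lockfile before installing.
import hashlib
import hmac

# Constructed known-good artifact; the lockfile entry is generated from it so
# the example is self-contained and the digest is a real SHA-256 value.
GOOD_ARTIFACT = b"example-lib 1.4.2 package contents (constructed)"
LOCKFILE = (
    "# constructed lockfile: one pinned dependency per line\n"
    "example-lib==1.4.2 --hash=sha256:" + hashlib.sha256(GOOD_ARTIFACT).hexdigest() + "\n"
)


def parse_lockfile(text):
    """Map package name -> (pinned version, sha256 hex) from lock entries."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, _, digest = line.partition(" --hash=sha256:")
        name, _, version = spec.partition("==")
        if not (name and version and digest):
            raise ValueError(f"malformed lock entry: {line!r}")
        pins[name] = (version, digest.lower())
    return pins


def verify_artifact(name, version, data, pins):
    """True only if `name` is pinned at exactly `version` and `data` hashes to
    the pinned digest. An unpinned package, a different version, or altered
    bytes (repository compromise, MitM) are all rejected."""
    if name not in pins:
        return False
    pinned_version, pinned_hash = pins[name]
    if version != pinned_version:
        return False
    actual = hashlib.sha256(data).hexdigest()
    # constant-time comparison of the hex digests
    return hmac.compare_digest(actual, pinned_hash)


if __name__ == "__main__":
    pins = parse_lockfile(LOCKFILE)
    print(verify_artifact("example-lib", "1.4.2", GOOD_ARTIFACT, pins))         # True
    print(verify_artifact("example-lib", "1.4.2", GOOD_ARTIFACT + b"\x00", pins))  # False: tampered
    print(verify_artifact("example-lib", "1.5.0", GOOD_ARTIFACT, pins))         # False: not the pinned version
```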
Mixing Private and Public Dependencies
Modern applications utilize various components, including open source, closed-source, and third-party code, as well as internal libraries that allow you to share business logic across several applications. Private repositories enable you to easily reuse the same tools to install external and internal libraries.
Note that mixing public and private dependencies may expose you to dependency confusion attacks. When a package with the same name as an internal project is published to a public open source repository, misconfigured installers may resolve the public package in place of the internal one, allowing threat actors to install malicious libraries on top of the internal package.
You can avoid dependency confusion by recording the signatures and hashes of dependencies in a lockfile and verifying them at install time. You should also separate the installation of internal and third-party dependencies into two different steps. Finally, mirror the required third-party dependencies into your private repository, either manually or by using a pull-through proxy.
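The two-step installation advice above, as an added example that is not part of the article and not any real package manager's resolver. Two constructed indexes are used: a private one holding an internal package and a public one that happens to carry the same name at a higher version. The naive resolver merges both indexes and takes the highest version, which is the misconfiguration the attack relies on; the hardened resolver consults only the private index for the internal step and refuses internal names in the external step. Package names, versions and the `acme-` naming rule are all constructed.

```python
# Added example (not from the original article): contrasting a resolver that
# merges private and public indexes with a two-step resolver that keeps them
# apart. All indexes, names and versions below are constructed.

PRIVATE_INDEX = {"acme-billing-core": ["1.2.0", "1.3.0"]}
PUBLIC_INDEX = {
    "requests-like": ["2.30.0", "2.31.0"],
    # public package carrying the internal name at a much higher version
    "acme-billing-core": ["99.0.0"],
}
INTERNAL_PREFIX = "acme-"  # constructed rule: these names never come from the public index


def version_key(v):
    """Sort key for dotted numeric versions, e.g. '1.10.0' > '1.9.0'."""
    return tuple(int(part) for part in v.split("."))


def resolve_naive(name, indexes=(PRIVATE_INDEX, PUBLIC_INDEX)):
    """Misconfigured resolver: one lookup across all indexes, highest version wins,
    so the public package shadows the internal one."""
    candidates = [(version_key(v), v, idx) for idx in indexes for v in idx.get(name, [])]
    if not candidates:
        raise LookupError(name)
    _, version, source = max(candidates, key=lambda c: c[0])
    return version, "private" if source is PRIVATE_INDEX else "public"


def resolve_hardened(name, step):
    """Two-step install: 'internal' consults only the private index; 'external'
    consults only the public index and refuses names reserved for internal use."""
    if step == "internal":
        versions = PRIVATE_INDEX.get(name, [])
    elif step == "external":
        if name.startswith(INTERNAL_PREFIX):
            raise PermissionError(f"{name} is internal; refusing to resolve from the public index")
        versions = PUBLIC_INDEX.get(name, [])
    else:
        raise ValueError(f"unknown step {step!r}")
    if not versions:
        raise LookupError(name)
    return max(versions, key=version_key), step


if __name__ == "__main__":
    print("naive:", resolve_naive("acme-billing-core"))                 # ('99.0.0', 'public')
    print("hardened:", resolve_hardened("acme-billing-core", "internal"))  # ('1.3.0', 'internal')
    print("hardened:", resolve_hardened("requests-like", "external"))      # ('2.31.0', 'external')
```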
Vulnerabilities can expose your application to many risks, some more severe than others. Either way, you need to learn about these vulnerabilities so that you can prioritize them and mitigate them as needed. There are many vulnerability databases available that list known vulnerabilities and include information about them and their severity level.
To ensure your dependencies are secure, you need to monitor various vulnerability databases that include information about open source and third-party software components and reliably audit them. Doing this manually is not effective. Instead, you can use vulnerability scanners to automatically and reliably analyze your software dependencies for vulnerabilities. These tools consume lockfiles to determine the artifacts that other components depend on. They notify you when identifying new vulnerabilities and offer suggested upgrade paths.
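The lockfile-driven scan described above, as an added example that is not the article's code or any real scanner: pinned versions from a lockfile (already parsed into a dict here) are matched against a constructed advisory database whose entries carry an affected range `[introduced, fixed)` and a severity, and each finding reports the lowest version that clears every advisory for that package. Advisory IDs are placeholders, not real identifiers.

```python
# Added example (not from the original article): match pinned dependency
# versions against advisories with affected version ranges and suggest upgrades.
# The lockfile contents, advisories and IDs are constructed placeholders.

def vkey(v):
    return tuple(int(p) for p in v.split("."))

# Constructed lockfile, already parsed: package name -> pinned version
LOCKED = {"json-parser": "2.3.1", "http-client": "0.9.7", "yaml-tools": "5.1.0"}

# Constructed advisories; affected range is [introduced, fixed), fixed=None means no fix yet
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "json-parser", "introduced": "2.0.0", "fixed": "2.3.4", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "package": "json-parser", "introduced": "1.0.0", "fixed": "2.1.0", "severity": "low"},
    {"id": "ADV-PLACEHOLDER-3", "package": "http-client", "introduced": "0.9.0", "fixed": "1.0.2", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-4", "package": "yaml-tools", "introduced": "5.1.0", "fixed": None, "severity": "medium"},
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def is_affected(version, adv):
    """True if `version` falls inside the advisory's affected range."""
    v = vkey(version)
    if v < vkey(adv["introduced"]):
        return False
    return adv["fixed"] is None or v < vkey(adv["fixed"])


def scan(locked=LOCKED, advisories=ADVISORIES):
    """Findings per affected package, most severe first. `upgrade_to` is the
    smallest version clearing all of that package's advisories, or None if
    any of them has no fix yet."""
    findings = []
    for name, version in locked.items():
        hits = [a for a in advisories if a["package"] == name and is_affected(version, a)]
        if not hits:
            continue
        fixes = [a["fixed"] for a in hits]
        upgrade = None if None in fixes else max(fixes, key=vkey)
        findings.append({
            "package": name,
            "version": version,
            "advisories": sorted(a["id"] for a in hits),
            "severity": min((a["severity"] for a in hits), key=SEVERITY_ORDER.__getitem__),
            "upgrade_to": upgrade,
        })
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    for f in scan():
        print(f"{f['severity']:8} {f['package']}=={f['version']} -> upgrade to {f['upgrade_to']} ({', '.join(f['advisories'])})")
```

Note that ADV-PLACEHOLDER-2 is not reported for json-parser 2.3.1 because the pinned version is already past its fixed version; range handling is what separates a scanner from a name match.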
In this article, I explained the basics of application dependency mapping and covered several ways it can provide critical benefits for cloud operations, specifically for cloud migration:
- Assess dependencies – understand application topology before migration to prevent breaking dependencies.
- Minimize risks – prevent performance or security problems caused by dependency issues.
- Determine a migration strategy – make an informed decision whether to refactor or rebuild the application.
- Data binding – ensure that essential data stores are collocated with the application.
I hope this will be useful as you enhance your cloud visibility with dependency management.
By Gilad David Maayan
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.