OWASP Developer Guide

Implementation Dependencies

5.2 Dependencies

Management of software dependencies is described by the SAMM Software Dependencies activity, which in turn is part of the SAMM Secure Build security practice within the Implementation business function.

It is important to record all dependencies used throughout the application in a production environment. This can be achieved by Software Composition Analysis (SCA) to identify the third party dependencies.

A Software Bill of Materials (SBOM) provides a record of the dependencies within the system / application, and provides information on each dependency so that it can be tracked :

  • Where it is used or referenced
  • Version used
  • License
  • Source information and repository
  • Support and maintenance status of the dependency

Having an SBOM provides the ability to quickly find out which applications are affected by a specific Common Vulnerability and Exposure (CVE), or what CVEs are present in a particular application.


5.2.1 Dependency-Check
5.2.2 Dependency-Track
5.2.3 CycloneDX

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.