Managing Application Dependencies in the Cloud: Strategies and Best Practices
What Is Application Dependency Mapping?
Application dependency mapping (ADM) enables you to create a comprehensive map of the entire ecosystem. It helps avoid blind spots that allow mistakes or breaches to occur. ADM solutions can identify and map all instances, applications, and communication channels across the ecosystem, including ports and services.
There are various ADM solutions, including vendor native, open source, and commercial vendor-agnostic tools. A vendor-agnostic solution can quickly and easily identify subnets, VPCs, and security groups on several cloud providers like Microsoft Azure, Google Cloud, and Amazon Web Services (AWS).
ADM solutions can display an intuitive map that visually represents your application dependencies. You can share, examine, and use this map for planning and troubleshooting. A map visualization can help support business strategizing, organizing according to business context, and prioritizing alerts and information in real time.
Why Is Application Dependency Mapping Critical in the Cloud?
Application dependency mapping can help you migrate all your application's dependencies. Otherwise, you may miss a critical dependency and migrate without it. As a result, your application may suffer performance issues or an outage. Application dependency mapping can help you avoid these issues.
Cloud providers know the importance of mapping dependencies before migration and offer application dependency mapping tools native to their environments, including Azure, AWS, and Google Cloud. Since these tools provide results specific to their environments, you should use them only when migrating to one of these clouds.
Alternatively, you can use vendor-agnostic tools. There are various options available, including free, open-source tools. Most tools analyze your application to model the inter-server relationships and identify inbound and outbound connection latency, necessary TCP ports, and processes running.
Cloud Provider ADM Tools
AWS Application Discovery Service
AWS Application Discovery Service gathers information about on-premises data centers to help enterprises plan their migration projects. A data center migration often involves thousands of deeply interdependent workloads, so it is critical to analyze server utilization data and perform dependency mapping at the early stages of the migration process.
AWS Application Discovery Service aggregates and presents servers’ usage, behavior, and configuration data to help enterprises better understand their workloads. The service uses a data store that retains collected data in an encrypted format.
You can export the data as CSV files and use it to estimate your AWS total cost of ownership (TCO) and plan your cloud migration accordingly. You can also find this data in the AWS Migration Hub, which lets you migrate servers and track the migration progress.
Azure Application Insights
Application Insights is an Azure Monitor feature that provides monitoring and extensible application performance management (APM) for live web applications. You can use Application Insights to automatically detect performance anomalies and use analytics tools to diagnose issues.
This feature provides information about users' behavior, helping you see what they do with apps. You can leverage this data to improve app usability and performance continuously. The default application dashboard lets you track load, performance, and responsiveness and monitor dependencies, AJAX calls, and page loads.
4 Best Practices and Strategies for Dependency Management in the Cloud
1. Version Pinning
Version pinning involves restricting the versions of software dependencies in an application, ensuring the use of specific versions (ideally one version).
Pinning dependency versions can freeze applications in time. Although it is a good practice to make an app reproducible, it can have the adverse effect of preventing the application from incorporating updates to its dependencies—you miss out on security and bug fixes.
You can mitigate this issue by using an automated dependency management tool to handle the source control repositories. The dependency manager monitors software dependencies for new releases and updates the application. Often, this includes updating details like the changelog data.
2. Hash and Signature Verification
There are several ways you can ensure that a certain artifact for a software package’s release is the artifact you want to install. You can verify the artifact’s authenticity and security levels by comparing its hash to the artifact repository.
Hash verification lets you ensure that dependencies contain the right files and that malicious actors haven’t tampered with them (i.e., in a MitM attack or repository compromise). You trust that the hash listed in the artifact repository during verification or initial retrieval of the artifact is secure and uncompromised.
You can also use signature verification to add a layer of security to the artifact verification process. An artifact could be signed by the software maintainer or the artifact repository (or both).
3. Avoid Mixing Private and Public Dependencies
Cloud-native applications typically rely on various components, including open source software, third-party code, closed source components, and internal libraries. Private repositories are especially useful for sharing business logic across several applications and reusing the same tooling to install external and internal libraries.
However, combining public and private dependencies may expose the application to dependency confusion attacks. It occurs when a threat actor publishes a project with an identical name to the internal project to open source repositories. Next, the actor tries to use a misconfigured installer to secretly install a malicious library over a legitimate internal package.
Here are practices to help you avoid dependency confusion attacks:
- Verify the hashes or signatures of all dependencies by listing them in a lockfile.
- Ensure separate installation processes for internal dependencies and third-party dependencies using two different steps.
- Explicitly mirror third-party dependencies in your private repository, using pull-through proxies or manually.
4. Vulnerability Scanning
Like other components, dependencies may include newly discovered or zero-day vulnerabilities. You must set up a process that scans your dependencies and notifies you when a vulnerability is identified. However, it is difficult to manually monitor vulnerability databases for dependencies and reliably audit third-party software dependencies.
Vulnerability scanners automatically and consistently analyze your dependencies, looking for vulnerabilities as they become known. A vulnerability scanning tool consumes lockfiles to identify the artifacts you rely on and notifies you when new vulnerabilities surface. Some tools can suggest upgrade paths.
Conclusion
In this article, I explained the basics of application dependency mapping, its importance in cloud environments, and covered four critical best practices that can help you make better use of cloud application mapping and avoid security risks:
- Version pinning - ensuring dependencies are limited to a range of safe versions, or ideally only one version.
- Hash and signature verification - ensuring artifacts within a software package are authentic and do not contain malicious components.
- Avoid mixing private and public dependencies - prefer to mirror third-party dependencies into a trusted private repository after ensuring they are safe.
- Vulnerability scanning - ensure all dependencies are scanned for known vulnerabilities.
I hope this will be useful as you improve visibility and control over your cloud deployments.