
Taming the Dependencies


This was an internal presentation that I did at Pusher.
The goal of the talk was to explain what dependencies are to a wider audience (technical and non-technical people), so that they better understand how we're using them in our products and what the things are that we need to be aware of.

Luka Bratos

January 11, 2019


Transcript

1. Honda. Loads of great engineers perfecting the hardware to create very high-performing motorcycles. The exhaust is done by an external company on which they depend. Do the things that you're good at, offload the others to people who specialise in them.
2. Building blocks. We have a Pusher product. Some of the building blocks are created by us, others are third party, developed by other companies and developers. Channels - encrypted messages. We used an encryption library. Use tested, trusted solutions. Did you ever work in a company that didn't use dependencies? Check your mobile app (acknowledgments) - does your mobile app use dependencies?
3. State of APIs. More and more companies are using third-party dependencies. Fortune 500 companies, etc.
4. Balance ⛺. Startups - loads of dependencies, fewer people, build fast and get to market quicker. Banks - no dependencies, security audits, very conservative and strict. How do we achieve the balance, is there a middle way/compromise?
5. Own Your Dependencies. Artsy, mobile team using React Native. More than 800 dependencies. One of their principles is to own the dependencies, contribute back and improve them. Do we do the same? Do we own our dependencies? We contributed to Envoy and Kubernetes. The DevOps team is contributing a lot back to the community.
6. Looks like a familiar workflow? Update the dependencies in a separate PR. No breaking changes - looks good. But: what are the changes? Did we check the diff? Security implications?
7. A crypto wallet startup was targeted. It was compromised by malicious code. It lost the trust of its customers.
8. GitLab. GitLab acquired a company that was developing a tool to scan for security issues. It's included in the build pipeline.
9. Dependabot. It opens a PR when there's an update. It gives visibility: - Summary - Changelog. Advantage: consistent and tiny upgrades instead of waiting and then upgrading when there's a lot of changes.
10. snyk. A tool that checks for security issues when we open a PR. Gives confidence and insights. If we can catch a security issue quicker it means that we can reduce the risk and prioritise things.
11. Test your code. An online tool that you can use to check your projects and play around. snyk supports scanning for vulnerabilities in Docker images!
12. Benefits • Marketing: no bad PR • Management: our engineers are following the best practices and we can move fast with confidence ✨ • Engineers: confident when we're making changes ⚒ • Sales: trust. Pusher is serious about security. • Customers: using up-to-date, secure and stable software.
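Slides 6, 9 and 10 describe one review step: a dependency-update PR lands, and before merging you want to know what actually changed and whether the resulting versions carry a known advisory. The script below is an added example of that check, written for this page; it is not Pusher's tooling and not Dependabot or snyk code. It assumes a `requirements.txt`-style lockfile (`name==version`), and the "before"/"after" lockfiles and the advisory list are constructed inline (the advisory IDs are placeholders, not real CVEs). It reports added, removed, upgraded and downgraded packages, and flags any pin below the advisory's fixed-in version, which is the same information a Dependabot summary and a snyk PR check surface.

```python
"""Dependency-update review helper (added example; not Pusher's, Dependabot's
or snyk's code). Diffs two pinned lockfiles and checks the result against an
advisory list. All inputs below are constructed for the example."""

# Constructed "before" lockfile: the pins on the main branch.
BEFORE = """\
requests==2.19.1
urllib3==1.23
pyyaml==3.13
"""

# Constructed "after" lockfile: the pins on the update PR branch.
AFTER = """\
requests==2.21.0
urllib3==1.24.1
pyyaml==3.13
left-pad-ish==0.0.1
"""

# Constructed advisory feed: package -> [(fixed_in, advisory_id, note)].
# IDs are placeholders, not real CVE numbers.
ADVISORIES = {
    "pyyaml": [("5.1", "ADVISORY-PLACEHOLDER-1", "constructed advisory")],
    "urllib3": [("1.24.2", "ADVISORY-PLACEHOLDER-2", "constructed advisory")],
}


def version_key(version: str) -> tuple:
    """Turn '1.24.1' into (1, 24, 1) so versions order as tuples.
    A non-numeric tail ('0rc1') keeps only its leading digits; this is a
    review helper, not a full PEP 440 implementation."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_lock(text: str) -> dict:
    """Map lower-cased package name -> pinned version; refuse unpinned lines,
    because a floating requirement defeats the point of reviewing a diff."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned requirement in lockfile: {line!r}")
        pins[name.strip().lower()] = version.strip()
    return pins


def diff_locks(before: dict, after: dict) -> dict:
    """Classify every package as added, removed, upgraded or downgraded.
    Newly added packages and downgrades are the cases a reviewer most
    wants to see, since 'no breaking changes' says nothing about them."""
    report = {"added": [], "removed": [], "upgraded": [], "downgraded": []}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            report["added"].append((name, new))
        elif new is None:
            report["removed"].append((name, old))
        elif version_key(new) > version_key(old):
            report["upgraded"].append((name, old, new))
        elif version_key(new) < version_key(old):
            report["downgraded"].append((name, old, new))
    return report


def check_advisories(pins: dict, advisories: dict) -> list:
    """Flag every pin that is still below an advisory's fixed-in version."""
    findings = []
    for name, version in sorted(pins.items()):
        for fixed_in, advisory_id, note in advisories.get(name, []):
            if version_key(version) < version_key(fixed_in):
                findings.append((name, version, fixed_in, advisory_id, note))
    return findings


def review(before_text: str, after_text: str, advisories: dict) -> dict:
    """Full pre-merge check: what changed, and what is still vulnerable."""
    before, after = parse_lock(before_text), parse_lock(after_text)
    return {"diff": diff_locks(before, after),
            "findings": check_advisories(after, advisories)}


if __name__ == "__main__":
    result = review(BEFORE, AFTER, ADVISORIES)
    for kind, entries in result["diff"].items():
        for entry in entries:
            print(f"{kind:10s} {' -> '.join(entry)}")
    for name, version, fixed_in, advisory_id, note in result["findings"]:
        print(f"VULNERABLE {name}=={version} (fixed in {fixed_in}, {advisory_id})")
```

Run as-is to see the report for the constructed lockfiles: two upgrades, one newly added package, and two pins that an update PR left below the fixed version. In practice the advisory dictionary would be fed from a real vulnerability database and the two lockfiles read from the base and head commits of the PR.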