Integrating Dependency Management Into Cloud Services: The Mend-AWS Partnership
Table of Contents
The ongoing growth in the adoption of cloud services poses escalating opportunities and risks in equal measure. The increased capacity and scalability of cloud environment lends itself to an accelerated pace and higher volume of software and application development than ever before. This trend brings into play a huge increase in the number of software components and dependencies that developers use in their code bases. Without robust and dynamic management, these dependencies can give rise to a host of vulnerabilities that pose serious risks in a range of different ways.
Let’s take a brief look at the size of the challenge, how to manage dependencies better, and what Mend does with Amazon Web Services (AWS) to help you achieve this.
What’s the scale of the challenge?
According to the Linux Foundation, between 70 and 90 percent of modern applications contain free and open source software (FOSS). Applications that rely on them can be vulnerable to security flaws. When you consider this trend goes hand-in-hand with the escalation in cloud services and platforms on which your developers work, you could have a potentially big problem without the right security tools and solutions in place.
Techjury notes that 81 percent of all enterprises have a multi-cloud strategy already laid out or in the works, 67 percent of enterprise infrastructure is cloud-based, and 82 percent of enterprises’ workload will reside in cloud environments. As a result, more than 40 zettabytes of data will be flowing through cloud servers and networks.
In 2022 alone, worldwide spending on cloud infrastructure services has increased 33 percent year on year to $62.3 billion. Gartner has forecast worldwide end-user spending on public cloud services will grow 20.4 percent in 2022 to total $494.7 billion, up from $410.9 billion in 2021. In 2023, end-user spending is expected to reach nearly $600 billion. And Research and Markets predicts that the global cloud computing market is expected to reach $1,554.94 billion by 2030, registering a CAGR of 15.7 percent.
That means there’s a mind-boggling amount of code, software, applications, and dependencies being stored, used, and shared across cloud platforms. Moreover, we can expect even more to follow as updates and revisions proliferate. As new relationships between dependencies are formed, each of them brings the potential for new vulnerabilities that can put your code base at risk. Developers can find themselves overwhelmed by the volume of code that they should be scanning for vulnerabilities. Without the right tools and solutions, it’s too easy and tempting for them to overlook potential threats in order to maintain their development pace and keep up with demand.
And the leading cloud infrastructure services provider on the market is AWS, which is growing at a rate of 33 percent annually and now represents about 32 percent of the cloud service provider market. With that in mind, it makes sense to address the issue of dependency management with the leading provider, to reinforce your software and application security.
How do you manage dependencies better?
Software dependencies and components are now used at such a rate and volume that it’s impossible to manually scan, update, and manage them in a way that allows you to keep pace with development pipelines. Nevertheless, consistent management and maintenance of dependencies is the only way to ensure that your environment is secure. So, how do you solve this conundrum? Two of the most prominent ways are:
Automation. The technology and know-how now exist to make scanning, fixing, and updating dependencies automatic. A tool that can automatically update dependencies will enable you to specify what your criteria are for allowing new or updated dependencies to be used in your code base. This removes the burden on developers to perform manual case-by-case analysis and remediation, freeing them to do what they do best — develop software and applications. It also removes the risk of human error and eases the pressure on developers. Furthermore, automated scanning can be performed in real time. In short, automatically updating dependencies helps your development teams save a lot of time and significantly reduce risk, so that they can confidently deliver secure software and applications.
Integration. Having acknowledged the importance of automation, how do you make it work most effectively? The answer is integration. Traditionally, scanning and remediating dependencies might involve switching to a separate tool. That’s cumbersome, and the need to understand, adopt, and use a separate tool discourages many developers from performing the necessary scans and updates. Their priority will always remain in production and meeting the demands of their busy pipelines. Therefore, it is important to deploy a user-friendly dependency management tool that seamlessly activates within developers’ regular environments and their existing workflows. Precisely because it’s easy and frictionless, a tool that’s integrated into your cloud computing environment encourages adoption, simplifies automation, improves scanning and remediation, reduces vulnerabilities and security risk, and saves development time.
How does Mend integrate with AWS?
With all of these considerations in mind, it makes perfect sense that Mend has teamed up with AWS, the world’s leading cloud service provider, to integrate and automate dependency management for users.
We have integrated Mend Renovate, our automation dependency update solution, with AWS CodeCommit and CodeBuild, both pieces of the AWS suite of continuous integration and continuous delivery (CI/CD) services. Through this integration, developers will be able to work directly within the AWS development ecosystem and leverage Renovate capabilities natively in their existing workflows, giving developers time back on what is often a manual, time-consuming process. It will enable developers to maintain their development speed, reduce technical debt, decrease risk, and proactively prevent vulnerabilities by automatically updating dependencies within the AWS environment.
By using the Renovate integration, developers working in AWS CodeCommit and CodeBuild can now group and schedule updates together to limit unnecessary noise that hampers productivity and reduces CI/CD resources. The integration also provides robust default configuration options that enable users in almost any environment to get started within minutes of installation.
Mend Renovate also reduces any risk that might arise from updating dependencies with faulty updates. It achieves this through Mend’s Merge Confidence, a feature designed to save time and reduce risk when keeping dependencies up to date. Merge Confidence consolidates crowdsourced data from over 500,000 repositories to show the likelihood that a dependency update will break a project. It identifies and flags undeclared breaking releases based on aggregated and anonymous analysis of test and release adoption data across Mend Renovate’s user base.
The integration also further signifies Mend’s strong partnership with AWS and commitment to eliminating the burden of application security Through this partnership and the open source community behind the Renovate project, Mend has developed one of the industry’s first auto-dependency update solutions that integrates natively into the AWS development ecosystem, through CodeCommit and CodeBuild. A fully managed source control service, CodeCommit hosts secure Git-based repositories and makes it easy for teams to collaborate on code in a secure and highly scalable ecosystem. CodeBuild, a fully managed CI service, compiles source code, runs tests, and produces ready-to-deploy software packages. Developers building their software in these AWS services can now use the Renovate integration to lower their risk of being breached and increase confidence in their code base.
Mend is an AWS Partner Network (APN) Advanced Tier Technology Partner, and through this strong partnership, we ensure that both open source and custom code applications running on AWS are secured using a remediation-first approach for faster and more confident deployments. With seamless integration in the existing AWS DevOps environments and CI/CD pipelines, Mend reduces complexity and increases developer speed. Furthermore, the partnership also supports customers in meeting their obligations as part of the AWS Shared Responsibility Model. Integrations with key AWS services, such as Renovate’s integration with AWS CodeCommit and CodeBuild, make it easier for customers to manage their responsibilities and ship software and applications securely with ease.
Learn more about Mend’s partnership with AWS here.