
[Suggestion] Add Content on Maintaining Up-To-Date Dependencies

Open GuyBarGil opened this issue 2 years ago • 7 comments

Description: Currently, the Cloud Native Security WhitePaper does not mention the risk involved in not maintaining up-to-date (or close to up-to-date) dependencies in cloud-native applications, as well as the benefits of doing so.

Impact: With time, dependencies in cloud-native applications tend to fall further and further behind the latest versions when they are not properly managed. This typically leaves the application using outdated dependencies, which exposes it to ever-increasing technical debt and risk over time. In addition, this results in missing out on new features and bug fixes, lower agility for handling unexpected issues (including zero-day vulnerabilities), and an increased risk of being exposed to publicly known vulnerabilities (around 90% of newly disclosed vulnerabilities are in non-latest versions). Properly managing dependencies and maintaining them on consistently recent versions can be done manually or by leveraging smart, automated updates.

Introducing the importance of maintaining up-to-date dependencies into the WhitePaper will help both developers and DevOps professionals become aware of the risk involved in using outdated dependencies, as well as the benefits and best practices involved in maintaining up-to-date dependencies.

Scope: I believe the amount of effort involved in this will be relatively small.

Additional info: There is an open-source project called Renovate that provides this functionality of managing outdated dependencies and automating the update process.

The Dependency-Update-Tool section in the OSSF scorecard.

GuyBarGil avatar May 23 '22 12:05 GuyBarGil
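As an added illustration of the "smart, automated updates" the issue refers to, the following Renovate policy was written for this page; it is not taken from the issue author, the whitepaper, or the Renovate project's own documentation. It assumes a repository that uses npm, Docker images and GitHub Actions; the label names and the three-day release-age value are assumed policy choices, while the configuration keys and presets are Renovate's own. It is written as JSON5 (which Renovate accepts as renovate.json5) so the policy can carry comments.

```json5
// renovate.json5 (Renovate also reads renovate.json; JSON5 is used here so the policy can be commented)
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",

  // Start from Renovate's maintained default preset, then pin container image
  // and GitHub Action digests so a moved upstream tag cannot silently change
  // what gets built or run.
  "extends": [
    "config:recommended",
    "docker:pinDigests",
    "helpers:pinGitHubActionDigests"
  ],

  // A single tracking issue listing every pending or blocked update: the
  // "how far behind are we?" view the issue above is asking for.
  "dependencyDashboard": true,

  // Do not take a release the moment it is published. A compromised maintainer
  // account or a malicious publish is usually noticed and pulled within days,
  // so waiting is a cheap supply-chain safeguard. Three days is an assumed
  // policy value, not a Renovate default.
  "minimumReleaseAge": "3 days",

  // Pin exact versions in manifests so the manifest and lockfile agree and
  // every bump arrives as a reviewable diff.
  "rangeStrategy": "pin",

  // Refresh lockfiles weekly so transitive dependencies do not rot even when
  // the direct ones are current.
  "lockFileMaintenance": { "enabled": true, "schedule": ["before 5am on monday"] },

  // Bound the number of open update PRs so they get reviewed rather than ignored.
  "prConcurrentLimit": 5,

  "packageRules": [
    {
      // Low-risk updates to development-only dependencies may merge without a
      // human; Renovate only automerges when the required status checks pass.
      "matchDepTypes": ["devDependencies"],
      "matchUpdateTypes": ["minor", "patch"],
      "automerge": true
    },
    {
      // Major bumps of runtime dependencies always get a human review.
      // "needs-review" is an assumed label name.
      "matchDepTypes": ["dependencies"],
      "matchUpdateTypes": ["major"],
      "automerge": false,
      "labels": ["needs-review"]
    }
  ],

  // Updates that fix a known vulnerability are raised by Renovate outside the
  // normal schedule; label them so triage can prioritise. "security" is an
  // assumed label name.
  "vulnerabilityAlerts": {
    "labels": ["security"]
  },
  "osvVulnerabilityAlerts": true
}
```

Two caveats worth keeping in mind with any such policy. First, automerge widens the supply-chain attack surface: a malicious release that passes CI would be merged without anyone looking at it, which is why the release-age delay, the CI gate and the restriction to development-only dependencies are all there. Second, the OSSF Scorecard Dependency-Update-Tool check mentioned above looks for the presence of a Dependabot or Renovate configuration; it does not tell you whether the resulting update PRs are actually being merged, so the dependency dashboard (or an equivalent report) is still needed to know whether the project is keeping up.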

I'm supportive of this mention too. A lot of other tools in the space (depend-a-bot, scala steward, github's new dependency bot, etc.) should also get mentioned.

JustinCappos avatar May 24 '22 02:05 JustinCappos

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot] avatar Jul 30 '22 21:07 stale[bot]

@ashutosh-narkar would this be another option to get into the blog series? thoughts

lumjjb avatar Aug 20 '22 20:08 lumjjb

Somewhat related PR to this topic: #887

PushkarJ avatar Aug 22 '22 17:08 PushkarJ

@GuyBarGil this seems to be an interesting blog topic! I think folks would be interested in learning about dependency management, keeping them up-to-date, available tools, practical tips etc. Let us know if you're interested and we can help out as well.

ashutosh-narkar avatar Aug 22 '22 18:08 ashutosh-narkar

@ashutosh-narkar sure I'd be happy to put together a blog on this :)

GuyBarGil avatar Aug 24 '22 15:08 GuyBarGil

Awesome @GuyBarGil ! Please do share a draft via Google docs so we can collaborate. We are looking to start a blog series with a few interesting topics like this one and have it published on the CNCF blog or the STAG site (which we're looking to create). We are hoping to get these blogs out by KubeCon NA. We appreciate the contribution and please let us know if we can help.

ashutosh-narkar avatar Aug 24 '22 15:08 ashutosh-narkar

@GuyBarGil, if this continues to interest you, we'd love your contribution and the opportunity in https://www.cncf.io/blog/. Understandably you're busy. Should you find the time to get around, it would be something we'd love to showcase. I will only close the issue for now as we have no indication that's still the case.

anvega avatar Jun 21 '23 03:06 anvega