
Visual Dependencies Graph

Yossi Pik

July 23, 2024

Introduction

Have you ever struggled to trace the origin of a vulnerable transitive package in your project? Or tried to pinpoint which vulnerable transitive packages are actually used by your code? Perhaps you've faced the need to prioritize fixes based on the impact of these vulnerable packages on your application. Traditionally, you would need to run several separate queries, each producing a long list of findings, and then cross-reference them to answer simple questions.

Imagine having all this information readily available through a simple visual graph. Backslash is proud to announce the release of our Visual Dependencies Graph. This simple but powerful capability offers a comprehensive view of your application's package dependencies at a glance, allowing you to query it for security insights and answers within seconds.

The Genesis of Our Innovation

Creating the Visual Dependencies Graph was one of those "how have we not thought about this before" moments. One of our technological pillars is the ability to perform graph queries to answer deep data flow security questions. However, in dependency analysis, the graph of dependencies quickly becomes too complex to grasp. We noticed that while customers could get answers using our powerful query engine, the intricacy of dependency graphs often became overwhelming.

The primary catalyst for this development was the increasing usage of reachability questions by our customers. These questions, inherently tied to data flow analysis, are significantly easier to understand visually. The overwhelmingly positive feedback from our mockups confirmed the need for a graphical view, making the decision to implement it straightforward.

Empowering AppSec Teams

In the realm of application security, the answer to many questions is often "it depends." Consider the question, "Should we prioritize fixing a specific high-CVSS package?" The answer depends on several factors: who uses it, whether it's direct or transitive, its depth, whether it's a dev-dependency, and most crucially, whether it's reachable. With our new visualization tool, these answers become immediately apparent.

Take another example, a package flagged as a "phantom package." The need to fix it is clear, but determining which package introduced it to the project and whether there are more instances of this package can be challenging. Using our visual graph, these answers are easily accessible, simplifying the process and enhancing your team's efficiency.

Moreover, the new visual graph capabilities complement our powerful querying, filtering rules, and issues-policies engine. This synergy allows AppSec teams to ask customized queries and instantly receive the results in a visual format, ensuring they can address the most critical security issues with precision and ease.

Examples

Reachability View

Backslash's visualization capability allows you to apply reachability views to identify which vulnerable packages are actually reachable within your codebase. Unlike simple filters, it shows both reachable and non-reachable packages together, providing full context and helping you understand their impact within the broader dependency graph.

Phantom Package

When a package is flagged as a "phantom package," it indicates a package that does not appear in your dependency graph but is used in your code. Our visual graph makes it straightforward to trace its origin and determine which package introduced it. This visualization simplifies the remediation process, ensuring no phantom packages are overlooked and maintaining the integrity of your application.
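The questions raised above (which direct dependency introduced a package, whether it is direct or transitive, its depth, whether only dev-dependencies pull it in, whether the code uses it, and which imports are phantom packages) worked through on a small constructed dependency graph. This is an added Python example, not Backslash's code; the package names and the import list are constructed, and "used_in_code" is a simple stand-in for the data-flow reachability analysis the post describes.

```python
# Constructed sample data: a resolved dependency graph (package -> direct deps)
# and the set of packages the project's own source actually imports.
DEPS = {
    "app": ["web-framework", "test-runner"],
    "web-framework": ["http-parser", "template-engine"],
    "template-engine": ["html-escape"],
    "http-parser": ["html-escape"],
    "test-runner": ["assert-lib"],
    "html-escape": [],
    "assert-lib": [],
}
DEV_DIRECT = {"test-runner"}                              # direct deps declared dev-only
IMPORTED = {"web-framework", "html-escape", "left-pad"}   # seen in the app's own code


def paths_to(graph, root, target):
    """Every dependency chain root -> ... -> target (DFS; the graph is a DAG)."""
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for child in graph.get(node, []):
            walk(child, path + [child])

    walk(root, [root])
    return found


def describe(pkg, graph=DEPS, root="app", dev=DEV_DIRECT, imported=IMPORTED):
    """The 'it depends' facts needed to prioritise a vulnerable package."""
    chains = paths_to(graph, root, pkg)
    return {
        "direct": pkg in graph[root],
        # shortest chain length; None when nothing in the graph pulls it in
        "depth": min(len(p) - 1 for p in chains) if chains else None,
        # the direct dependencies through which it enters the project
        "introduced_by": sorted({p[1] for p in chains}),
        "dev_only": bool(chains) and all(p[1] in dev for p in chains),
        "used_in_code": pkg in imported,   # stand-in for reachability
    }


def phantom_packages(graph=DEPS, root="app", imported=IMPORTED):
    """Imported by the code without being declared as a direct dependency."""
    return sorted(p for p in imported if p not in graph[root])
```

Running `describe("html-escape")` shows a transitive package at depth 3 that two chains through `web-framework` pull in and that the code imports directly, so it is both a phantom package and a fix-first candidate; `assert-lib` is dev-only and unused.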

Exploitability Assessment

The Visual Dependencies Graph helps identify exploitable vulnerabilities within your dependencies. By integrating with the Exploit Prediction Scoring System (EPSS) and the Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (CISA KEV) catalog, it highlights critical vulnerabilities directly on the graph. This visualization provides clear insights into potential threats, enabling targeted actions to mitigate risks and enhance your project's security.

Summary

In summary, Backslash's Visual Dependencies Graph empowers AppSec teams to make informed decisions swiftly, ensuring the security and integrity of their applications. This tool provides a clear visualization of your application's package dependencies, allowing you to manage and analyze them more effectively than ever before. With immediate insights and simplified processes, the Visual Dependencies Graph is an essential addition to your security toolkit. The graph is now available in our free trial, request access here.