{"id":68841,"date":"2015-08-07T10:47:38","date_gmt":"2015-08-07T10:47:38","guid":{"rendered":"http:\/\/www.esri.com\/arcgis-blog\/products\/product\/uncategorized\/developers-track-dependencies-update-apps-or-risk-exposing-users\/"},"modified":"2022-02-16T11:30:44","modified_gmt":"2022-02-16T19:30:44","slug":"developers-track-dependencies-update-apps-or-risk-exposing-users","status":"publish","type":"blog","link":"https:\/\/www.esri.com\/arcgis-blog\/products\/trust-arcgis\/administration\/developers-track-dependencies-update-apps-or-risk-exposing-users","title":{"rendered":"Developers \u2013 Track Dependencies &amp; Update Apps or Risk Exposing Users"},"author":3911,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","format":"standard","meta":{"_acf_changed":false,"_searchwp_excluded":""},"categories":[37501],"tags":[24081,24361,24071],"industry":[],"product":[763582],"class_list":["post-68841","blog","type-blog","status-publish","format-standard","hentry","category-administration","tag-ssamymlgp","tag-patch","tag-security","product-trust-arcgis"],"acf":{"short_description":"The days of developers not keeping track of where they use third party libraries and not upgrading them are dead.\u00a0\r\n\r\nWhy?\u00a0 Over the last...","flexible_content":[{"acf_fc_layout":"content","content":"<p>The days of developers not keeping track of where they use third-party libraries, and not upgrading them, are dead.<\/p>\n<p>Why? Over the last year, general awareness of vulnerabilities in these dependencies has increased, and security researchers have focused more heavily on finding vulnerabilities in libraries that underlie many products across the software industry. Examples of such libraries include common open source Internet encryption implementations (<a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-1793\">OpenSSL<\/a>), framework base modules (<a href=\"https:\/\/web.nvd.nist.gov\/view\/vuln\/detail?vulnId=CVE-2015-1859\">QT<\/a>), and commercial Software Development Kits, including Esri\u2019s own (<a href=\"http:\/\/support.esri.com\/en\/knowledgebase\/techarticles\/detail\/45249\">ArcGIS Runtime SDK for Android<\/a>).<\/p>\n<p>When Esri incorporates a third-party (to Esri) framework or core component such as the ones above into our product code, we work to ensure it gets updated as necessary, along with the apps that depend on it. Esri follows the same procedure when vulnerabilities are found in our own developer libraries, which both Esri apps and our developer customers\u2019 apps depend on.<\/p>\n<p>For example, after the ArcGIS Runtime SDK for Android vulnerability was found, we updated the Esri apps that depend on this SDK, starting with <a href=\"http:\/\/doc.arcgis.com\/en\/collector\/#whatsNew\">Collector for ArcGIS version 10.3.1<\/a>, followed by <a href=\"http:\/\/doc.arcgis.com\/en\/explorer\/#whatsNew\">Explorer for ArcGIS version 10.2.8<\/a>, and most recently the Esri Labs apps <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.esri.apl.snap2Data\">Snap2Data<\/a> and <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.esri.labs.snap2map\">Snap2Map<\/a>. You, as a developer dependent on this SDK, should do the same.<\/p>\n<p>If you download components or frameworks as part of an application build process, we recommend tracking vulnerabilities in those components over time to ensure they get updated in your applications. If you have built an app with the ArcGIS Runtime SDK for Android before version 10.2.6-2, we strongly recommend updating your app to include the latest SDK security fix. We also recommend advertising the SDK version your app uses, on the app store listing, on the application\u2019s \u201cAbout\u201d page, or by other means, so that users can track it easily.<\/p>\n<p>Using components with known vulnerabilities has become such a significant, widespread risk to users that it was added to the <a href=\"https:\/\/www.owasp.org\/index.php\/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities\">Open Web Application Security Project (OWASP) Top Ten<\/a> list in 2013. Fortunately, the OWASP team built a tool for developer IDEs called <a href=\"https:\/\/www.owasp.org\/index.php\/OWASP_Dependency_Check\">OWASP Dependency Check<\/a>; you might want to check it out. Incorporating security tools like this is a great start and should be backed by security policies governing component use and management.<\/p>\n<p>Last, but not least, we are working on adding a Developer section to the Trust site, as we want to foster an environment for sharing secure development practices and updates. Feel free to send us suggestions for what you believe would be most valuable.<\/p>\n<p>&#8211; <em>The Security Standards &amp; Architecture Team<\/em><\/p>\n<p><strong>References:<br \/>\n<\/strong><a href=\"http:\/\/support.esri.com\/en\/knowledgebase\/techarticles\/detail\/45249\">ArcGIS Runtime SDK for Android KBA (CVE-2015-2002)<\/a><\/p>\n"}],"authors":[{"ID":3911,"user_firstname":"Michael","user_lastname":"Young","nickname":"Michael Young","user_nicename":"myoung1000","display_name":"Michael Young","user_email":"myoung@esri.com","user_url":"http:\/\/trust.arcgis.com","user_registered":"2018-03-02 00:15:29","user_description":"","user_avatar":"<img data-del=\"avatar\" src='https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2021\/12\/SSP-213x200.jpg' class='avatar pp-user-avatar avatar-96 photo ' height='96' width='96'\/>"}],"related_articles":"","card_image":false,"wide_image":false},"text_date":"August 7, 2015","author_name":"Michael Young","author_page":"https:\/\/www.esri.com\/arcgis-blog\/author\/myoung1000","custom_image":"https:\/\/www.esri.com\/arcgis-blog\/app\/uploads\/2025\/08\/Newsroom-Keyart-Wide-1920-x-1080.jpg","primary_product":"ArcGIS Trust Center","tag_data":[{"term_id":24081,"name":"ArcGIS Trust Center","slug":"ssamymlgp","term_group":0,"term_taxonomy_id":24081,"taxonomy":"post_tag","description":"","parent":0,"count":96,"filter":"raw"},{"term_id":24361,"name":"Patch","slug":"patch","term_group":0,"term_taxonomy_id":24361,"taxonomy":"post_tag","description":"","parent":0,"count":21,"filter":"raw"},{"term_id":24071,"name":"Security","slug":"security","term_group":0,"term_taxonomy_id":24071,"taxonomy":"post_tag","description":"","parent":0,"count":126,"filter":"raw"}],"category_data":[{"term_id":37501,"name":"Administration","slug":"administration","term_group":0,"term_taxonomy_id":37501,"taxonomy":"category","description":"","parent":0,"count":428,"filter":"raw"}],"product_data":[{"term_id":763582,"name":"ArcGIS Trust Center","slug":"trust-arcgis","term_group":0,"term_taxonomy_id":763582,"taxonomy":"product","description":"Reserved for articles authored by the ArcGIS Trust Center team","parent":36981,"count":89,"filter":"raw"}],"primary_product_link":"https:\/\/www.esri.com\/arcgis-blog\/?s=#&products=trust-arcgis"}