Application Dependency Mapping: Transforming Troubleshooting in a Hybrid Environment
Gilad David Maayan
What Is Application Dependency Mapping?
Application dependency mapping (ADM) enables you to create an accurate view of an entire software ecosystem. Dependency mapping can help you identify and map all instances, applications, and communication channels used across your IT ecosystem, including ports, services, VPCs, security groups, and subnets on cloud environments like Azure, Google Cloud, and AWS.
Dependency mapping technology can generate an intuitive map visually representing all application dependencies. You can share, examine, and use this map for troubleshooting and planning. It is especially useful for organizing data by business context and prioritizing information and critical alerts in real time.
Historically, downloading software dependency libraries was a tedious process, which made reusing small packages impractical. Today, dependency management systems (such as npm or Maven) make it practical to use small packages. A vast number of packages are available, and software dependencies have become a key aspect of modern application development.
Developers can use dependencies to deliver software quickly, but these often introduce overlooked risks. Using existing software as dependencies entails a reliance on other creators to maintain and test the code.
In addition to security flaws present in a dependency, it could quickly become outdated, impacting performance. Another issue is licensing—misusing software could result in legal consequences. Even open source licenses restrict usage, and violating their terms can be costly and damage a company’s reputation.
Therefore, dependency management has become a critical part of security testing and is essential to minimize the associated risks. Many companies fail to manage their dependencies properly—it can be a difficult process due to the various links and multi-layered dependency chains. Traditionally, software dependencies were code packages purchased from trusted vendors. Today, most dependencies come from open source libraries, making management more complex, and organizations generally rely on external contributors to maintain that code.
Developers should avoid copying library code directly into their projects; declaring dependencies instead keeps them trackable and manageable. Package managers make it easier and safer to use and update open source components. Few developers have a deep understanding of the vulnerabilities in their open source dependencies.
Security teams constantly discover vulnerabilities in open source code, which malicious actors can exploit. A dependency management system should cover the entire dependency lifecycle, including enforcing usage policies.
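The multi-layered dependency chains described above are easier to reason about with a concrete walk over a lock file. The following Python is an added example, not code from the article: it loads a constructed lock-file style inventory (the package names, versions and licenses are made up), computes the transitive dependency set, and for each package that violates a usage policy (a blocked version, which stands in for an internal advisory and is a placeholder, or a license outside the allowed list) prints every chain through which the package is pulled in, so the reviewer can see which direct dependency is responsible.

```python
"""Audit a lock-file style dependency graph against a usage policy.

Added example; the inventory and policy below are constructed for illustration.
"""


# Constructed lock-file style inventory: name -> (version, license, direct dependencies).
LOCK = {
    "webapp":          ("1.0.0", "Proprietary", ["http-client", "template-engine"]),
    "http-client":     ("2.3.1", "MIT",         ["url-parse", "tls-helper"]),
    "template-engine": ("0.9.0", "Apache-2.0",  ["url-parse"]),
    "url-parse":       ("1.4.0", "MIT",         []),
    "tls-helper":      ("0.2.0", "GPL-3.0",     []),
}

# Constructed usage policy: a pinned version the team has decided to block
# (placeholder reason, not a real advisory) and the licenses allowed in shipped code.
BLOCKED_VERSIONS = {("url-parse", "1.4.0"): "blocked by internal advisory (placeholder)"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "Proprietary"}


def transitive_deps(root):
    """Return every package reachable from root, excluding root itself."""
    seen, stack = set(), list(LOCK[root][2])
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        stack.extend(LOCK[name][2])
    return seen


def paths_to(root, target, _path=None):
    """Return all dependency chains from root to target, depth-first in lock order."""
    path = (_path or []) + [root]
    if root == target:
        return [path]
    found = []
    for dep in LOCK[root][2]:
        if dep not in path:  # guard against cycles in a malformed lock file
            found.extend(paths_to(dep, target, path))
    return found


def audit(root):
    """Check every transitive dependency of root against the policy.

    Returns a list of (package, problem, chains), sorted by package name,
    where chains are the rendered dependency paths that pull the package in.
    """
    findings = []
    for name in sorted(transitive_deps(root)):
        version, license_id, _ = LOCK[name]
        problems = []
        if (name, version) in BLOCKED_VERSIONS:
            problems.append(f"version {version} {BLOCKED_VERSIONS[(name, version)]}")
        if license_id not in ALLOWED_LICENSES:
            problems.append(f"license {license_id} is not on the allowed list")
        for problem in problems:
            chains = [" -> ".join(p) for p in paths_to(root, name)]
            findings.append((name, problem, chains))
    return findings


if __name__ == "__main__":
    for name, problem, chains in audit("webapp"):
        print(f"{name}: {problem}")
        for chain in chains:
            print(f"    via {chain}")
```

The chain output is the part that matters operationally: a flagged package that is reachable through two direct dependencies (here `url-parse` via both `http-client` and `template-engine`) cannot be removed by updating only one of them.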
How Application Mapping Works
Here are the core elements involved in the mapping of application dependencies:
Sweep and Poll
Traditionally, agentless monitoring techniques have been used to discover IT assets. This technology pings IP addresses to identify responding devices, application components, and server systems, driven by configuration inputs such as device group membership and the discovery ping rate.
This technique is generally considered lightweight, allowing you to sweep an entire network from a single node location. However, the process can be too slow for a large data center. Since dependencies can change while the sweep is running, a slow sweep can miss critical assets, leaving them undiscovered.
Network Monitoring
Network monitoring involves analyzing packet data in real time and capturing accurate information about application dependencies. Here are the two main techniques:
Packet level via packet capture—packet-level monitoring requires an appliance to capture and inspect the packets.
Flow level via NetFlow—this option has routers record NetFlow traffic records and send them to a collector.
The NetFlow protocol includes details about IP traffic such as volume, source and target nodes, path, and additional attributes of IP flows. A NetFlow implementation can impact device performance because of the large bandwidth requirements.
You can address this issue by sampling data at separate intervals, reducing the bandwidth demand. It also reduces the amount of flow data collected, because traffic outside the sampled intervals is not monitored.
Note that NetFlow, which carries only TCP port and IP address information, does not differentiate between application dependencies on the same host. Instead, you can capture data packets, while probing provides only limited information.
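To make the flow-level technique concrete, here is an added Python example (not code from the article) that parses a NetFlow v5 export datagram with the standard 24-byte header and 48-byte record layout, honours the header's sampling interval by scaling the packet and byte counters, and aggregates the flows into client-to-service edges for a dependency map. The export datagram is constructed inline from made-up flows (the `build_v5_datagram` helper stands in for the router); the "lower-numbered port is the service port" rule used to fold reply flows into the same edge is a heuristic, not part of the protocol.

```python
"""Parse NetFlow v5 and aggregate flows into application dependency edges.

Added example; the flows below are constructed, not captured from a real network.
"""
import ipaddress
import struct
from collections import defaultdict

V5_HEADER = struct.Struct(">HHIIIIBBH")             # 24-byte export header
V5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")  # 48-byte flow record


def build_v5_datagram(flows, sampling_interval=0, seq=0):
    """Pack (src, dst, sport, dport, proto, packets, octets) tuples into a v5 datagram.

    Only used to construct input for the example; a router would emit these.
    """
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, sampling_interval)
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)),
                       0, 0, 0, pk, oc, 0, 0, sp, dp, 0, 0x18, pr, 0, 0, 0, 0, 0, 0)
        for s, d, sp, dp, pr, pk, oc in flows)
    return header + body


def parse_v5_datagram(datagram):
    """Return (sampling_interval, records) for one NetFlow v5 export datagram."""
    version, count, _, _, _, _, _, _, sampling = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram is shorter than its record count claims")
    interval = sampling & 0x3FFF or 1   # low 14 bits hold the interval; 0 means unsampled
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _, _, _, pkts, octets, _, _, sport, dport, _, _, proto = f[:14]
        records.append({
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto,
            # Sampled exporters report 1-in-N flows, so scale the counters back up.
            "packets": pkts * interval, "bytes": octets * interval,
        })
    return interval, records


def dependency_edges(records):
    """Aggregate flows into {(client_ip, server_ip, service_port, proto): bytes}.

    Heuristic: the lower-numbered port is the service port, so a reply flow
    (server -> client) is folded into the same edge as the request flow.
    """
    edges = defaultdict(int)
    for r in records:
        if r["dport"] <= r["sport"]:
            key = (r["src"], r["dst"], r["dport"], r["proto"])
        else:
            key = (r["dst"], r["src"], r["sport"], r["proto"])
        edges[key] += r["bytes"]
    return dict(edges)


# Constructed flows: (src, dst, sport, dport, proto, packets, octets).
# Two different client processes on 10.0.1.10 talk to the database; NetFlow
# cannot tell them apart, so they collapse into one host-level edge.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 51514, 5432, 6, 12, 3000),   # app host -> database
    ("10.0.2.20", "10.0.1.10", 5432, 51514, 6, 10, 90000),  # database reply
    ("10.0.1.10", "10.0.2.20", 51684, 5432, 6, 4, 800),     # second process, same host
    ("10.0.1.10", "10.0.3.30", 44010, 443, 6, 3, 500),      # app host -> API gateway
    ("10.0.1.11", "10.0.2.20", 40222, 5432, 6, 2, 400),     # another app host -> database
]

if __name__ == "__main__":
    interval, records = parse_v5_datagram(build_v5_datagram(SAMPLE_FLOWS, sampling_interval=100))
    print(f"sampling 1:{interval}")
    for (client, server, port, proto), nbytes in sorted(dependency_edges(records).items()):
        print(f"{client} -> {server}:{port}/{proto}  ~{nbytes} bytes")
```

The length check before the record loop matters on a collector: a truncated or malicious datagram whose header claims more records than it carries would otherwise raise a `struct.error` deep inside the loop and can stop the collector from processing the rest of the feed.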
Agent on Server
This technique involves placing a software component (an agent) on each monitored server that conducts real-time monitoring of inbound and outbound traffic. It lets you locate and identify each component and detect changes as soon as the topology changes. This capability is ideal for virtualized infrastructure environments.
This technology can distinguish between apps that run on shared instances of a server. Additionally, agents are usually less expensive than collecting packet data with separate devices.
Note that you must install agents on every server to ensure accurate visibility. This may result in the monitoring agents consuming too many compute resources, which can impact the operating performance and overall cost of the server infrastructure.
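The following Python is an added example, not code from the article, of what a host agent can see that a flow collector cannot: it parses a constructed `/proc/net/tcp` snapshot (the header line is the real Linux format; the rows, inode numbers and process names are made up) and attributes each connection to the owning process through the socket inode, which a real agent obtains by scanning `/proc/<pid>/fd`. The inode-to-process table is constructed here for that reason. Address decoding assumes a little-endian host, where the kernel prints the IPv4 address bytes reversed.

```python
"""Attribute TCP connections to processes the way a host agent does.

Added example; the /proc/net/tcp rows and the inode owner table are constructed.
"""
import socket
import struct

# Constructed snapshot of /proc/net/tcp on a little-endian Linux host.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A01000A:C93A 1402000A:1538 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0A01000A:C9E4 1402000A:1538 01 00000000:00000000 00:00000000 00000000  1001        0 12350 1 0000000000000000 20 4 30 10 -1
   3: 0A01000A:ABEA 1E03000A:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed inode -> (pid, process name) table; an agent builds this by reading
# the "socket:[inode]" symlinks under /proc/<pid>/fd.
INODE_OWNERS = {
    12345: (2101, "nginx"),
    12346: (2330, "orders-api"),
    12350: (2440, "billing-worker"),
    12347: (2330, "orders-api"),
}

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN"}


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' (little-endian host byte order) into (ip, port)."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp rows into dicts with decoded endpoints, state and inode."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or parts[0] == "sl":
            continue  # header line or malformed row
        conns.append({
            "local": decode_addr(parts[1]),
            "remote": decode_addr(parts[2]),
            "state": TCP_STATES.get(parts[3], parts[3]),
            "inode": int(parts[9]),
        })
    return conns


def process_dependencies(conns, owners):
    """Return (outbound, listening): per-process remote endpoints and listen ports.

    Established connections on a port this host listens on are inbound
    (clients of this host) and are not counted as dependencies of the process.
    """
    listening, outbound = {}, {}
    for c in conns:
        owner = owners.get(c["inode"])
        name = owner[1] if owner else f"unknown(inode {c['inode']})"
        if c["state"] == "LISTEN":
            listening.setdefault(name, set()).add(c["local"][1])
    listen_ports = {p for ports in listening.values() for p in ports}
    for c in conns:
        owner = owners.get(c["inode"])
        name = owner[1] if owner else f"unknown(inode {c['inode']})"
        if c["state"] == "ESTABLISHED" and c["local"][1] not in listen_ports:
            outbound.setdefault(name, set()).add(c["remote"])
    return outbound, listening


if __name__ == "__main__":
    outbound, listening = process_dependencies(parse_proc_net_tcp(PROC_NET_TCP), INODE_OWNERS)
    for proc, ports in listening.items():
        print(f"{proc} listens on {sorted(ports)}")
    for proc, remotes in outbound.items():
        for ip, port in sorted(remotes):
            print(f"{proc} -> {ip}:{port}")
```

Compared with the flow view, the same two database connections from host 10.0.1.10 are now attributed to `orders-api` and `billing-worker` separately, which is the per-application resolution the agent approach buys at the cost of running code on every server.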
Orchestrating Application Dependency Mapping
Automation and orchestration platforms help efficiently manage IT environments, helping teams provision resources for specific workloads. These platforms can perform multiple automated configurations and tasks across various app components that require resources, and keep track of app components and underlying server resources.
A hybrid discovery and dependency mapping solution can work with AIOps, application performance monitoring (APM), and agent-based or agentless discovery to enable accurate reporting. It can also maintain optimal performance and cost of the monitoring systems.
However, organizations must set up processes to prevent performance bottlenecks and proactively manage risks in the dependency management process. Here are three key aspects to consider when orchestrating dependency mapping across the organization:
Applications and systems—you need comprehensive information about the systems and apps that may be impacted. Achieve this by continuously updating existing dependency mapping when new features, infrastructure resources, and application components are deployed.
Risks and mitigation—you can evaluate and prioritize the relevant risks by analyzing vulnerabilities from a performance, cost, and security perspective. You should provide specific guidelines, determine the relevant roles and responsibilities, and specify the information as part of your risk mitigation plan.
Feedback and iteration—IT environments are continuously evolving with new installations of software components and newly provisioned infrastructure resources. Additionally, organizations keep shifting from legacy on-premises workloads to cloud infrastructure, creating a complex and dynamic IT environment. These changes require following up with all team members, improving existing knowledge bases, and investing in the relevant technologies and procedures for application discovery and dependency mapping.
In this article, I explained the basics of application dependency mapping and its importance to the modern IT organization. I described three ways ADM is commonly implemented: sweep and poll, network monitoring, and agent-based systems.
Finally, I explained a few key considerations for deploying and orchestrating ADM in a large organization:
Ensuring the impact of ADM on critical applications and systems is well understood
Identifying and mitigating risks based on insights from ADM
Creating an iterative process for ADM deployment
I hope this will be useful as you adopt dependency mapping across your organization.