Using Third Party Components for Building an Application Might be More Dangerous Than You Think!

By Achim D. Brucker, Fabio Massacci, and Stanislav Dashevsky.

Today, nearly all developers rely on third party components for building an application. Thus, for most software vendors, third party components in general and Free/Libre and Open Source Software (FLOSS) in particular, are an integral part of their software supply chain.

As the security of a software offering, independently of the delivery model, depends on all of its components, a secure software supply chain is of utmost importance. While this is true for both proprietary and FLOSS components that are consumed, FLOSS components impose particular challenges as well as provide unique opportunities. For example, on the one hand, FLOSS licenses usually contain a very strong “no warranty” clause and no service-level agreement. On the other hand, FLOSS licenses allow the source code to be modified and, thus, issues to be fixed without depending on an (external) software vendor.

This talk is based on our work on securely integrating third-party components in general, and FLOSS components in particular, into SAP’s Security Development Lifecycle (SSDL). Thus, our experience covers a wide range of products (e.g., from small mobile applications of a few thousand lines of code to large-scale enterprise applications with more than a billion lines of code), a wide range of software development models (ranging from traditional waterfall to agile software engineering to DevOps), as well as multiple deployment models (e.g., on-premise products, custom hosting, or software-as-a-service).

Please cite this work as follows:
A. D. Brucker, F. Massacci, and S. Dashevsky, “Using third party components for building an application might be more dangerous than you think!” presented at the OWASP AppSec EU conference, Rome, Italy, Jun. 30, 2016. Author copy: https://logicalhacking.com/publications/talk-brucker.ea-owasp-third-party-security-2016/

BibTeX
@Unpublished{ talk:brucker.ea:owasp-third-party-security:2016,
  date              = {2016-06-30},
  title             = {Using Third Party Components for Building an Application
                       Might be More Dangerous Than You Think!},
  author            = {Achim D. Brucker and Fabio Massacci and Stanislav Dashevsky},
  venue             = {Rome, Italy},
  eventtitle        = {OWASP AppSec EU Conference},
  abstract          = {Today, nearly all developers rely on third party components
                       for building an application. Thus, for most software vendors,
                       third party components in general and Free/Libre and Open
                       Source Software (FLOSS) in particular, are an integral part of
                       their software supply chain.
                       
                       As the security of a software offering, independently of the
                       delivery model, depends on all of its components, a secure
                       software supply chain is of utmost importance. While this is
                       true for both proprietary and FLOSS components that are
                       consumed, FLOSS components impose particular challenges as
                       well as provide unique opportunities. For example, on the one
                       hand, FLOSS licenses usually contain a very strong ``no
                       warranty'' clause and no service-level agreement. On the other
                       hand, FLOSS licenses allow the source code to be modified and,
                       thus, issues to be fixed without depending on an (external)
                       software vendor.
                       
                       This talk is based on our work on securely integrating
                       third-party components in general, and FLOSS components in
                       particular, into SAP's Security Development Lifecycle
                       (SSDL). Thus, our experience covers a wide range of products
                       (e.g., from small mobile applications of a few thousand lines
                       of code to large-scale enterprise applications with more than
                       a billion lines of code), a wide range of software development
                       models (ranging from traditional waterfall to agile software
                       engineering to DevOps), as well as multiple deployment
                       models (e.g., on-premise products, custom hosting, or
                       software-as-a-service).},
  slideshare        = {key/MHOHP8uqpIpndj},
  video             = {https://youtu.be/zUDaP0m-gFU},
  slideshare_width  = {595},
  slideshare_height = {485},
  areas             = {software, security},
  note              = {Author copy: \url{https://logicalhacking.com/publications/talk-brucker.ea-owasp-third-party-security-2016/}},
  pdf               = {https://logicalhacking.com/publications/talk-brucker.ea-owasp-third-party-security-2016/talk-brucker.ea-owasp-third-party-security-2016.pdf},
}