
Using Third Party Components for Building an Application Might be More Dangerous Than You Think!

by Achim D. Brucker, Fabio Massacci, and Stanislav Dashevsky

Today, nearly all developers rely on third-party components for building an application. Thus, for most software vendors, third-party components in general, and Free/Libre and Open Source Software (FLOSS) in particular, are an integral part of their software supply chain.

As the security of a software offering, independently of the delivery model, depends on all of its components, a secure software supply chain is of utmost importance. While this is true for both the proprietary and the FLOSS components that are consumed, FLOSS components impose particular challenges as well as provide unique opportunities. For example, on the one hand, FLOSS licenses usually contain a very strong "no warranty" clause and no service-level agreement. On the other hand, FLOSS licenses allow modifying the source code and, thus, fixing issues without depending on an (external) software vendor.

This talk is based on our work on securely integrating third-party components in general, and FLOSS components in particular, into SAP's Security Development Lifecycle (SSDL). Thus, our experience covers a wide range of products (e.g., from small mobile applications of a few thousand lines of code to large-scale enterprise applications with more than a billion lines of code), a wide range of software development models (ranging from traditional waterfall to agile software engineering to DevOps), as well as multiple deployment models (e.g., on-premise products, custom hosting, or software-as-a-service).


Please cite this article as follows:
Achim D. Brucker, Fabio Massacci, and Stanislav Dashevsky. Using Third Party Components for Building an Application Might be More Dangerous Than You Think!. OWASP AppSec EU, 30. jun. 2016.

BibTeX
@Talk{ talk:brucker.ea:owasp-third-party-security:2016,
abstract = {Today, nearly all developers rely on third-party components for building an application. Thus, for most software vendors, third-party components in general, and Free/Libre and Open Source Software (FLOSS) in particular, are an integral part of their software supply chain.\\\\As the security of a software offering, independently of the delivery model, depends on all of its components, a secure software supply chain is of utmost importance. While this is true for both the proprietary and the FLOSS components that are consumed, FLOSS components impose particular challenges as well as provide unique opportunities. For example, on the one hand, FLOSS licenses usually contain a very strong ``no warranty'' clause and no service-level agreement. On the other hand, FLOSS licenses allow modifying the source code and, thus, fixing issues without depending on an (external) software vendor.\\\\This talk is based on our work on securely integrating third-party components in general, and FLOSS components in particular, into SAP's Security Development Lifecycle (SSDL). Thus, our experience covers a wide range of products (e.g., from small mobile applications of a few thousand lines of code to large-scale enterprise applications with more than a billion lines of code), a wide range of software development models (ranging from traditional waterfall to agile software engineering to DevOps), as well as multiple deployment models (e.g., on-premise products, custom hosting, or software-as-a-service).},
author = {Achim D. Brucker and Fabio Massacci and Stanislav Dashevsky},
day = {30},
event = {OWASP AppSec EU},
handout = {https://www.brucker.ch/bibliography/download/2016/talk-brucker.ea-owasp-third-party-security-2016-2x2.pdf},
isodate = {2016-06-30},
lecturer = {Achim D. Brucker},
location = {Rome, Italy},
month = {jun},
slides = {https://www.brucker.ch/bibliography/download/2016/talk-brucker.ea-owasp-third-party-security-2016.pdf},
slideshare = {key/MHOHP8uqpIpndj},
slideshare_height = {485},
slideshare_width = {595},
title = {Using Third Party Components for Building an Application Might be More Dangerous Than You Think!},
url = {https://www.brucker.ch/bibliography/abstract/talk-brucker.ea-owasp-third-party-security-2016},
video = {https://youtu.be/zUDaP0m-gFU},
year = {2016},
}