Third-party library mismanagement: How it can derail your plans

Presentation transcript:

Third-party library mismanagement: How it can derail your plans
Pacific NW Software Quality Conference (PNSQC)
Ruchir Garg, 17 October 2016
Speaker notes: How many developers in the room? QA? Have you ever used third-party libraries in your code? I'm sure you have. They are an integral part of modern software, and often overlooked: "fire and forget" doesn't work here (unlike in the military). They have the potential to derail all our plans by springing surprises on us.

Speaker notes: Does anyone recognize that vehicle? Wagon wheels! Any guesses how your ride is going to be on that? Consider that vehicle to be our fancy software, and those wheels to be the third-party libraries. I don't want to refer to it the other way around, because don't we love what we build? Third-party libraries are the wheels of modern software, but not these wheels. Don't reinvent the wheels.

Agenda
- Why manage third-party libraries
- Real-life examples
- Best practices

Why manage third-party libraries
- They are an indispensable part of modern software, and their usage is often indiscriminate.
- Frequent updates to such libraries are expected, driven by defects, vulnerabilities and new features.
- Updates may bring API changes, platform deprecation, and end-of-support for older versions.
- Failure to manage third-party libraries may result in multiple hotfixes, unhappy customers, delayed product releases, and even lawsuits.
Speaker notes: Don't integrate a library without proper due diligence. Vulnerability management is the most important aspect of managing third-party libraries, and it is often overlooked. Lawsuits are an exaggeration, but not ruled out.

Example: Library enumeration
Problem: A new high-severity vulnerability has been reported for a third-party library, say 'x', which is shipped with our product.
Solution: Upgrade 'x' to its latest version to address the vulnerability and ship the hotfix.
Gotcha! No action is taken, because the product team did not know that 'x' was used in the product.
Recommendation: Enumerate a list of all libraries used in the product and keep it updated with every product release.
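The enumeration the slide asks for is easiest to keep current when it is generated from the build inputs rather than maintained by hand. The following is an added example, not code from the talk: it parses two constructed manifests (a pinned Python requirements file and an npm lockfile), normalizes them into one inventory keyed by Package URL (purl), and emits a minimal CycloneDX-style SBOM. The manifest contents, product name and version are made up for illustration; a real pipeline would read the files from the source tree and run this on every release.

```python
"""Added example: build a cross-ecosystem library inventory and emit it as a
minimal CycloneDX-style SBOM. Manifests below are constructed samples."""
import json
import re

# Constructed sample manifests (not real project files).
REQUIREMENTS_TXT = """\
# pinned Python dependencies
requests==2.28.1
pyyaml==5.4.1   # yaml loader
Jinja2==3.1.2
"""

PACKAGE_LOCK_JSON = json.dumps({
    "name": "frontend",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "frontend", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.20"},
        "node_modules/minimist": {"version": "1.2.5"},
        "node_modules/@babel/core": {"version": "7.20.0"},
    },
})

# Exact pins only ("name==version"); ranges are a policy failure for a shipped product.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([^\s#]+)")


def parse_requirements(text):
    """Yield (name, version) for every exact pin in a requirements.txt."""
    for line in text.splitlines():
        m = PIN_RE.match(line)
        if m:
            # PyPI names are case-insensitive and '_' == '-'; normalize so duplicates collapse.
            yield m.group(1).lower().replace("_", "-"), m.group(2)


def parse_package_lock(text):
    """Yield (name, version) for every installed package in an npm lockfile v2/v3."""
    lock = json.loads(text)
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the "" entry is the project itself, not a dependency
        # "node_modules/@scope/name" -> "@scope/name"; nested paths keep the last segment.
        yield path.split("node_modules/")[-1], meta["version"]


def purl(ecosystem, name, version):
    """Package URL identifier, the key SBOM tools and vulnerability databases match on."""
    if ecosystem == "npm" and name.startswith("@"):
        scope, _, bare = name[1:].partition("/")
        return f"pkg:npm/%40{scope}/{bare}@{version}"  # '@' in the scope is percent-encoded
    return f"pkg:{ecosystem}/{name}@{version}"


def build_inventory(requirements_txt, package_lock_json):
    """Return a sorted, de-duplicated list of components across both ecosystems."""
    comps = {}
    for name, ver in parse_requirements(requirements_txt):
        comps[purl("pypi", name, ver)] = {"name": name, "version": ver, "ecosystem": "pypi"}
    for name, ver in parse_package_lock(package_lock_json):
        comps[purl("npm", name, ver)] = {"name": name, "version": ver, "ecosystem": "npm"}
    return [dict(c, purl=p) for p, c in sorted(comps.items())]


def to_cyclonedx(components, product_name, product_version):
    """Minimal CycloneDX 1.4 JSON document: enough for a scanner to ingest."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application",
                                   "name": product_name, "version": product_version}},
        "components": [{"type": "library", "name": c["name"],
                        "version": c["version"], "purl": c["purl"]} for c in components],
    }


if __name__ == "__main__":
    inventory = build_inventory(REQUIREMENTS_TXT, PACKAGE_LOCK_JSON)
    print(json.dumps(to_cyclonedx(inventory, "our-product", "3.2.0"), indent=2))
```

Committing the generated SBOM alongside each release tag answers the "was 'x' in that build?" question for every version still in the field, not just the current one.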

Example: Vulnerability tracking
Problem: Library enumeration is complete, and yet another high-severity vulnerability is reported for 'x'.
Solution: Upgrade 'x' to its latest version to address the vulnerability and ship the hotfix.
Gotcha! No hotfix is released, because engineering was unaware that the vulnerability existed. Customers' systems are exploited through the vulnerable 'x' shipped with our product.
Recommendation: Actively track vulnerabilities in all libraries used, e.g. via the NVD, library websites and vulnerability scanners. Many organizations have dedicated teams for this task.
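Tracking means more than subscribing to a feed: each advisory has to be matched against the exact versions in the inventory, and most advisories describe affected versions as ranges. The following is an added example, not from the talk, showing that matching logic using the OSV advisory schema's "introduced"/"fixed" range events (OSV is an assumption here; the slides only name the NVD and scanners). The inventory and the advisory records are constructed samples, not real CVE or OSV entries; only ECOSYSTEM and SEMVER range types are handled, since GIT ranges refer to commits rather than versions.

```python
"""Added example: match an inventory against OSV-style advisories with version ranges.
Inventory and advisory records are constructed samples, not real entries."""
import re

# Constructed inventory (ecosystem names normalized to lower case when compared).
INVENTORY = [
    {"ecosystem": "pypi", "name": "pyyaml", "version": "5.4.1"},
    {"ecosystem": "npm", "name": "lodash", "version": "4.17.20"},
    {"ecosystem": "npm", "name": "minimist", "version": "1.2.6"},
]

# Constructed advisories in OSV shape. Identifiers are placeholders, not real IDs.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "summary": "constructed: lodash issue fixed in 4.17.21",
     "affected": [{"package": {"ecosystem": "npm", "name": "lodash"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "0"}, {"fixed": "4.17.21"}]}]}]},
    {"id": "EXAMPLE-0002", "summary": "constructed: minimist issue, two affected ranges",
     "affected": [{"package": {"ecosystem": "npm", "name": "minimist"},
                   "ranges": [{"type": "SEMVER",
                               "events": [{"introduced": "0"}, {"fixed": "0.2.4"},
                                          {"introduced": "1.0.0"}, {"fixed": "1.2.6"}]}]}]},
    {"id": "EXAMPLE-0003", "summary": "constructed: pyyaml issue listed by explicit versions",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "PyYAML"},
                   "versions": ["5.4", "5.4.1"]}]},
]


def parse_version(v):
    """Turn '1.2.10' into (1, 2, 10) so versions order numerically, not lexically.
    Only the leading digits of each component count ('10-rc1' -> 10); pre-release
    ordering needs explicit handling in production."""
    parts = []
    for p in v.split("."):
        lead = re.match(r"\d*", p).group()
        parts.append(int(lead) if lead else 0)
    while len(parts) < 3:  # '2.0' == '2.0.0'
        parts.append(0)
    return tuple(parts)


def in_range(version, events):
    """OSV range semantics: events are sorted by version; 'introduced' opens an
    affected interval, 'fixed' closes it (exclusive), 'last_affected' closes it
    (inclusive). Once an event is above our version, later ones cannot apply."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev:
            if ev["introduced"] != "0" and v < parse_version(ev["introduced"]):
                break
            affected = True
        elif "fixed" in ev:
            if v < parse_version(ev["fixed"]):
                break
            affected = False
        elif "last_affected" in ev:
            if v <= parse_version(ev["last_affected"]):
                break
            affected = False
    return affected


def advisory_matches(comp, adv):
    """True if the advisory names this component's ecosystem/package and version."""
    key = (comp["ecosystem"].lower(), comp["name"].lower())
    for aff in adv["affected"]:
        pkg = aff["package"]
        if (pkg["ecosystem"].lower(), pkg["name"].lower()) != key:
            continue
        if comp["version"] in aff.get("versions", []):  # explicit enumeration
            return True
        for rng in aff.get("ranges", []):
            if rng["type"] in ("ECOSYSTEM", "SEMVER") and in_range(comp["version"], rng["events"]):
                return True
            # GIT ranges (commit hashes) are skipped: they need repository history to resolve.
    return False


def find_vulnerable(inventory, advisories):
    """Return (name, version, advisory id) for every component hit by an advisory."""
    return [(c["name"], c["version"], a["id"])
            for c in inventory for a in advisories if advisory_matches(c, a)]


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{name} {version} affected by {adv_id}")
```

Note that minimist 1.2.6 is not flagged: it sits exactly on the "fixed" boundary of its second range, which is the kind of off-by-one a hand-rolled string comparison gets wrong.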

Example: Keeping things updated
Problem: All libraries are enumerated and vulnerabilities tracked, and yet another high-severity vulnerability is reported for 'x'.
Solution: Upgrade 'x' to its latest version to address the vulnerability and ship the hotfix.
Gotcha! The latest version of 'x' has API changes and platform deprecations, so the hotfix cannot be delivered within the SLA.
Recommendation: Keep updating libraries incrementally and don't let the version difference grow out of control.

Example: Selection and support
Problem: All libraries are enumerated, vulnerabilities are tracked, and the latest version is used in the product. Another high-severity vulnerability is reported for 'x'.
Solution: Upgrade 'x' to its latest version to address the vulnerability and ship the hotfix.
Gotcha! No updated version of 'x' is available, because it went end-of-support (EoS) last year.
Recommendation: Have a system in place to pick libraries that are actively maintained, and track their end-of-support dates to avoid surprises. Track alternatives too.
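The two gotchas above (an upgrade too large to ship inside an SLA, and a library with no upstream left to ship anything) are both detectable long before the vulnerability lands if the inventory is checked against a policy on every release. The following is an added example, not from the talk, of such a release gate: it flags components that are more than one major version behind, approaching or past end-of-support, or whose upstream has gone quiet. The inventory, the catalog of latest versions, release dates and EoS dates, and the thresholds are all constructed for illustration; in practice the catalog comes from the package registry and the vendor's lifecycle page, and the thresholds are whatever the organization's SLAs demand.

```python
"""Added example: a release gate over the library inventory that reports upgrade
drift, end-of-support exposure and stale upstreams. All data is constructed."""
from datetime import date

# Policy thresholds (assumed defaults, not from the talk).
POLICY = {
    "max_major_lag": 1,         # fail if more than one major version behind latest
    "eos_warning_days": 180,    # warn when end-of-support is this close
    "stale_release_days": 730,  # warn if upstream has not released in two years
}

# Constructed inventory and catalog; library names are placeholders.
INVENTORY = [
    {"name": "libx", "version": "2.3.0"},
    {"name": "liby", "version": "0.9.4"},
    {"name": "libz", "version": "5.1.0"},
    {"name": "libw", "version": "1.0.0"},
]
CATALOG = {
    "libx": {"latest": "4.0.1", "latest_release": date(2016, 9, 1), "eos": None},
    "liby": {"latest": "1.2.0", "latest_release": date(2016, 8, 15), "eos": date(2017, 1, 31)},
    "libz": {"latest": "5.1.0", "latest_release": date(2013, 5, 2), "eos": None},
    "libw": {"latest": "1.0.0", "latest_release": date(2015, 1, 1), "eos": date(2015, 12, 31)},
}


def major(version):
    """Major component of a dotted version string."""
    return int(version.split(".")[0])


def evaluate(comp, entry, today):
    """Return (level, message) findings for one component against POLICY."""
    findings = []
    name, ver = comp["name"], comp["version"]

    # Upgrade drift: a big jump is what turns a one-day hotfix into a porting project.
    lag = major(entry["latest"]) - major(ver)
    if lag > POLICY["max_major_lag"]:
        findings.append(("fail", f"{name} {ver} is {lag} major versions behind "
                                 f"{entry['latest']}; an emergency upgrade will hit API changes"))
    elif ver != entry["latest"]:
        findings.append(("warn", f"{name} {ver} is behind latest {entry['latest']}; "
                                 f"schedule an incremental upgrade"))

    # End-of-support: past EoS there will be no fixed version to upgrade to.
    eos = entry["eos"]
    if eos is not None:
        days_left = (eos - today).days
        if days_left < 0:
            findings.append(("fail", f"{name} went end-of-support on {eos}; "
                                     f"no fix will ever ship, pick an alternative"))
        elif days_left <= POLICY["eos_warning_days"]:
            findings.append(("warn", f"{name} reaches end-of-support in {days_left} days ({eos})"))

    # Abandonment without a formal EoS announcement looks like a long release silence.
    age = (today - entry["latest_release"]).days
    if age > POLICY["stale_release_days"]:
        findings.append(("warn", f"{name}: no upstream release for {age} days; "
                                 f"verify it is still maintained"))
    return findings


def gate(inventory, catalog, today):
    """Evaluate every component; return (passed, findings). Unknown components fail:
    a library nobody catalogued is the 'we did not know x was in the product' case."""
    findings = []
    for comp in inventory:
        entry = catalog.get(comp["name"])
        if entry is None:
            findings.append(("fail", f"{comp['name']} is not in the catalog; unknown provenance"))
            continue
        findings.extend(evaluate(comp, entry, today))
    passed = not any(level == "fail" for level, _ in findings)
    return passed, findings


if __name__ == "__main__":
    ok, results = gate(INVENTORY, CATALOG, date(2016, 10, 17))
    for level, msg in results:
        print(f"[{level.upper()}] {msg}")
    print("gate passed" if ok else "gate FAILED")
```

Run against the constructed data on the date of the talk, the gate fails on libx (two major versions behind) and libw (already end-of-support), and warns on liby (both behind and nearing EoS) and libz (no release in over three years). Warnings are the cheap moment to act; by the time they become failures the hotfix clock is already running.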

Example: Quality matters
Problem: An attacker uses a buffer overflow vulnerability in our product to compromise multiple systems at a customer.
Solution: Provide a fix for the vulnerability within a week.
Gotcha! The vulnerability actually lies in the third-party library 'x' bundled with our product.
Recommendation: Third-party libraries should be tested (where possible) for quality, to uncover potential vulnerabilities before attackers do.
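A bundled parser is the classic place for the kind of defect this slide describes, and the cheapest test that finds such defects is fuzzing the library's input surface rather than only the product's. The following is an added example, not from the talk: a minimal mutation-based fuzz harness in Python. The TLV parser it targets is a constructed stand-in for a bundled third-party parser (it trusts its input the way a defective library would), and an uncaught Python exception stands in for the out-of-bounds read or write a memory-unsafe library would produce on the same input. Seeds, mutation operators and the iteration count are assumptions. Real native libraries are fuzzed with coverage-guided tools such as AFL or libFuzzer, which the talk does not mention; the structure of the loop is the same.

```python
"""Added example: a small mutation-based fuzz harness around a constructed parser.
The parser is a stand-in for a bundled third-party library, not real library code."""
import random
import struct
import traceback


def parse_tlv(data):
    """Constructed stand-in for a third-party TLV parser: 1-byte tag, 2-byte
    big-endian length, value. It trusts the input; both defects it contains are
    the kind a fuzzer is meant to find before a customer does."""
    i, out = 0, []
    while i < len(data):
        tag = data[i]
        (length,) = struct.unpack(">H", data[i + 1:i + 3])  # struct.error on a truncated header
        value = data[i + 3:i + 3 + length]
        if tag == 1:
            out.append(int.from_bytes(value, "big"))
        elif tag == 2:
            out.append(value.decode("utf-8"))  # UnicodeDecodeError on corrupted text
        else:
            out.append(value)
        i += 3 + length
    return out


# Constructed seed corpus: one well-formed message per seed.
SEEDS = [
    b"\x01\x00\x02\x00\x2a" + b"\x02\x00\x05hello",   # int 42, string "hello"
    b"\x02\x00\x00" + b"\x03\x00\x03abc",             # empty string, opaque blob
]


def mutate(rng, data):
    """Apply one random mutation: flip a byte, insert a byte, truncate, or
    duplicate a chunk (the last two exercise length-handling code paths)."""
    data = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == 2 and data:
        del data[rng.randrange(len(data)):]
    else:
        a, b = sorted((rng.randrange(len(data) + 1), rng.randrange(len(data) + 1)))
        data[b:b] = data[a:b]
    return bytes(data)


def fuzz(target, seeds, iterations=2000, seed=1):
    """Mutate seeds and call target; collect one reproducer per distinct crash site.
    Deterministic for a given seed so a finding can be re-run exactly."""
    rng = random.Random(seed)
    corpus = list(seeds)
    crashes = {}  # (exception type name, line number) -> triggering input
    for _ in range(iterations):
        case = mutate(rng, rng.choice(corpus))
        try:
            target(case)
        except Exception as exc:  # any uncaught exception is a crash for our purposes
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            crashes.setdefault((type(exc).__name__, frame.lineno), case)
    return crashes


def crashes_on(target, case):
    """Re-run a single input; True if it still crashes (the bug report's repro step)."""
    try:
        target(case)
    except Exception:
        return True
    return False


if __name__ == "__main__":
    for (exc_name, line), case in fuzz(parse_tlv, SEEDS).items():
        print(f"{exc_name} at line {line}: {case!r}")
```

Two crash classes come out of the seeds above: a truncated header (the equivalent of reading past the end of the buffer) and undecodable text in a string record. Each reproducer is exactly what an upstream bug report or an internal patch needs, and the harness can be run against every new version of the library before it is bundled.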

Example: Priorities
Problem: Our product uses an older version of library 'x', and an upgrade has been pending for a long time.
Solution: Upgrade the library to its latest version in the current release.
Gotcha! Management does not prioritize the library upgrade over other product features. A new vulnerability in the older version then forces a hurried hotfix immediately after the product release.
Recommendation: Management investment in reducing the technical backlog is critical to reducing the number of hotfixes.

Lifecycle of a third-party library & best practices
- Library selection is the key; a stringent selection process is needed.
- An active Security Incident Response program will help.
- Management commitment is critical to meeting incident response SLAs.

Resources
National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/search
Vulnerability scanner: https://www.tenable.com/products/nessus-vulnerability-scanner

Thank you
Reach me at: linkedin.com/in/ruchirgarg
Ruchir.Garg@Intel.com / RuchirG@Gmail.com