Presentation is loading. Please wait.

Presentation is loading. Please wait.

Third-party library mismanagement: How it can derail your plans

Published byIsabella Hamilton Modified over 6 years ago

Similar presentations

Presentation on theme: "Third-party library mismanagement: How it can derail your plans"— Presentation transcript:

1 Third-party library mismanagement: How it can derail your plans
SOFTWARE QUALITY CONFERENCE PACIFIC NW Third-party library mismanagement: How it can derail your plans RUCHIR GARG 17TH OCT 2016 How many developers in the room; QA? Have you ever used 3rd party libraries in your code? I’m sure you have. Integral part of modern software Often overlooked – fire and forget doesn’t work (unlike military) These have the potential to derail all our plans by springing up surprizes PNSQC ™

2 SOFTWARE QUALITY CONFERENCE
PACIFIC NW Does anyone identify that vehicle? Wagon wheels! Any guesses how your ride is gonna be on that!! Consider that vehicle to be our fancy software, and those wheel as 3rd party I don’t wanna refer to that the other way around, coz don’t we love what we build!!! Wheels to modern software; bit not THEEEESE wheels  Don’t reinvent the wheels PNSQC ™

3 Agenda Why manage third-party libraries Real life examples
SOFTWARE QUALITY CONFERENCE Agenda PACIFIC NW Why manage third-party libraries Real life examples Best practices PNSQC ™

4 Why manage third-party libraries
SOFTWARE QUALITY CONFERENCE PACIFIC NW Indispensable part of modern software Indiscriminate usage Frequent updates to such libraries is expected: Defects Vulnerabilities Features Updates may result in: API change Platform deprecation End-of-support for older versions Failure to manage third-party libraries may result in: Multiple hotfixes Unhappy customers Delayed product releases Lawsuits Don’t integrate a library without proper due diligence VULNERABILITY management is the most important aspect on managing 3rd party libs; its often overlooked Lawsuits :- Exaggeration, but not ruled out  PNSQC ™

5 Example…Library enumeration
SOFTWARE QUALITY CONFERENCE PACIFIC NW Problem: A new high severity vulnerability has been reported for a 3rd party library, say ‘x’, which is shipped with our product Solution: Upgrade ‘x’ to its latest version to address the vulnerability and ship the hotfix No action is taken as the product team was ignorant of the fact that ‘x’ was used in the product Recommendation: We should enumerate a list of all libraries used in our product and keep it updated with every product release Gotcha! PNSQC ™

6 Example…Vulnerability tracking
SOFTWARE QUALITY CONFERENCE PACIFIC NW Problem: Libraries enumeration is complete and yet another high severity vulnerability is reported for ‘x’ Solution: Upgrade ‘x’ to its latest version to address the vulnerability and ship the hotfix No hotfix was released as engineering was unaware of the existence of the vulnerability. Customer’s systems were exploited using vulnerable ‘x’ shipped with your product Recommendation: Actively track vulnerabilities in all libraries used. Many organizations have dedicated teams for this task E.g. NVD, library websites, vulnerability scanners… Gotcha! PNSQC ™

7 Example…Keeping things updated
SOFTWARE QUALITY CONFERENCE PACIFIC NW Problem: All libraries are enumerated and vulnerabilities tracked and yet another high severity vulnerability is reported for ‘x’ Solution: Upgrade ‘x’ to its latest version to address the vulnerability and ship the hotfix The latest version of ‘x’ has API changes and platform deprecation, hence the hotfix cannot be delivered in time (SLAs) Recommendation: Let’s keep updating the libraries incrementally and don’t allow the version difference to grow out of control Gotcha! PNSQC ™

8 Example…Selection and support
SOFTWARE QUALITY CONFERENCE PACIFIC NW Problem: All libraries are enumerated, vulnerabilities tracked, and the latest version used in the product. Another high severity vulnerability is reported for ‘x’ Solution: Upgrade ‘x’ to its latest version to address the vulnerability and ship the hotfix An updated version of the library ‘x’ is not available as it went End-of-Support (EoS) last year Recommendation: Have a system in place to pick libraries that are actively maintained. We’ve to keep track of their end-of-support dates to avoid surprises. Track alternatives too Gotcha! PNSQC ™

9 Example…Quality Matters
SOFTWARE QUALITY CONFERENCE PACIFIC NW Problem: An attacker, using your product’s buffer overflow vulnerability, compromises multiple systems of our customer Solution: Provide an immediate fix within a week that fixes the vulnerability The vulnerability actually lies with the third-party library ‘x’ that is bundled with our product Recommendation: Third-party libraries should be tested (if possible) for quality to uncover potential vulnerabilities Gotcha! PNSQC ™

10 Example…Priorities SOFTWARE QUALITY CONFERENCE PACIFIC NW Problem: Our product is using an older version of library ‘x’ and an upgrade is pending since long time Solution: Upgrade the library to its latest version in the current release Management does not prioritize the library upgrade over other product features, leading to a hurried hotfix immediately after the product release due to a new vulnerability in the older version Recommendation: Management investment to reduce technical backlog is critical to reduce the number of hotfixes Gotcha! PNSQC ™

11 Lifecycle of a 3rd-party library & Best Practices
SOFTWARE QUALITY CONFERENCE Lifecycle of a 3rd-party library & Best Practices PACIFIC NW Library selection is the key. Stringent selection process is needed An active Security Incidence Response program will help Management commitment is critical to meet Incidence Response SLAs PNSQC ™

12 Resources SOFTWARE QUALITY CONFERENCE PACIFIC NW National Vulnerability Database: Vulnerability scanner: PNSQC ™

13 Thank you Reach me at: linkedin.com/in/ruchirgarg
SOFTWARE QUALITY CONFERENCE PACIFIC NW Reach me at: linkedin.com/in/ruchirgarg / PNSQC ™

Download ppt "Third-party library mismanagement: How it can derail your plans"

Similar presentations

High level QA strategy for SQL Server enforcer

High level QA strategy for SQL Server enforcer
©2013 Software AG. All rights reserved. alex Burggraf Principal Systems Engineer (415) 690-3176 Software AG IT Health Check Overview IT Health Check Diagnostics.

©2013 Software AG. All rights reserved. alex Burggraf Principal Systems Engineer (415) Software AG IT Health Check Overview IT Health Check Diagnostics.
Simplifying Application Management CIO Strategies SummIT, Mumbai 23 Jun 2011 Rajesh Raghavan.

Simplifying Application Management CIO Strategies SummIT, Mumbai 23 Jun 2011 Rajesh Raghavan.
Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.

Achieving (and Maintaining) Compliance With Secure Software Development Compliance Requirements (ISC)² SecureSDLC May 17, 2012.
SE 555 Software Requirements & Specification Requirements Management.

SE 555 Software Requirements & Specification Requirements Management.
Test Environments Arun Murugan – u4430411 Rohan Ahluwalia – u4358281 Shuchi Gauri – u4358305.

Test Environments Arun Murugan – u Rohan Ahluwalia – u Shuchi Gauri – u
U-Mail System Design Specification Joseph Woo, Chris Hacking, Alex Benson, Elliott Conant, Alex Meng, Michael Ratanapintha April 28, 2008 1.

U-Mail System Design Specification Joseph Woo, Chris Hacking, Alex Benson, Elliott Conant, Alex Meng, Michael Ratanapintha April 28,
IT:Network:Microsoft Applications

IT:Network:Microsoft Applications
PopMedNet Software Development Life Cycle Chayim Herzig-Marx Harvard Pilgrim Health Care Institute Daniel Dee Lincoln Peak Partners.

PopMedNet Software Development Life Cycle Chayim Herzig-Marx Harvard Pilgrim Health Care Institute Daniel Dee Lincoln Peak Partners.
Debunking the Top 10 Myths of Small Business Server: Using Windows SBS in Larger Environments Abstract: This session will debunk some of the common myths.

Debunking the Top 10 Myths of Small Business Server: Using Windows SBS in Larger Environments Abstract: This session will debunk some of the common myths.
WAO 2007 Andrej Košiček Dealing with the Obsolescence in state-of- the-art Electronic Components 27 September 2007.

WAO 2007 Andrej Košiček Dealing with the Obsolescence in state-of- the-art Electronic Components 27 September 2007.
Security Overview for Microsoft Infrastructures Fred Baumhardt and James Noyce Infrastructure Solutions and Security Solutions Teams Microsoft Security.

Security Overview for Microsoft Infrastructures Fred Baumhardt and James Noyce Infrastructure Solutions and Security Solutions Teams Microsoft Security.
Oracle Patching and Maintenance A practical guide for System Administrators October 2009.

Oracle Patching and Maintenance A practical guide for System Administrators October 2009.
BT Young Scientists & Technology Exhibition App Risk Management.

BT Young Scientists & Technology Exhibition App Risk Management.
Viking Quality Report Team Assignment 9 Team 2-1.

Viking Quality Report Team Assignment 9 Team 2-1.
Code and Asset Branching Best Practices Session 315 Philip Wolfe, Lead Developer Farm Credit Services of America.

Code and Asset Branching Best Practices Session 315 Philip Wolfe, Lead Developer Farm Credit Services of America.
Universal Acceptance of All TLDs ALAC 24 June 2012.

Universal Acceptance of All TLDs ALAC 24 June 2012.
Theories of Agile, Fails of Security Daniel Liber CyberArk.

Theories of Agile, Fails of Security Daniel Liber CyberArk.
Cruise Training Introduction of Continuous Integration.

Cruise Training Introduction of Continuous Integration.
| Lausanne Successful Migration to SharePoint 2013 - Planning Considerations & Migration Strategies Roberto V. Delgado Sr. Technical Solutions Professional.

| Lausanne Successful Migration to SharePoint Planning Considerations & Migration Strategies Roberto V. Delgado Sr. Technical Solutions Professional.

Similar presentations

Ads by Google