Description: Today, nearly all developers rely on third-party components when building an application. Thus, for most software vendors, third-party components in general, and Free and Open Source Software (FOSS) in particular, are an integral part of their software supply chain. As the security of a software offering, independently of its delivery model, depends on all of its components, a secure software supply chain is of utmost importance. While this holds for both proprietary and FOSS components that are consumed, FOSS components impose particular challenges as well as provide unique opportunities. For example, on the one hand, FOSS licenses usually contain a very strong "no warranty" clause and no service-level agreement. On the other hand, FOSS licenses allow modifying the source code and, thus, fixing issues without depending on an (external) software vendor. This talk is based on our work on securely integrating third-party components in general, and FOSS components in particular, into SAP's Security Development Lifecycle (SSDL). Thus, our experience covers a wide range of products (e.g., from small mobile applications of a few thousand lines of code to large-scale enterprise applications with more than a billion lines of code), a wide range of software development models (ranging from traditional waterfall to agile software engineering to DevOps), as well as multiple deployment models (e.g., on-premise products, custom hosting, or software-as-a-service).
In this talk,
* we analyze and categorize the challenges and opportunities of the secure use of FOSS components in building proprietary enterprise software,
* we discuss the challenges of basing the decision to use FOSS on empirical research results, and
* we discuss three different cost models for using FOSS in a commercial software development process:
  - the centralized model, where vulnerabilities of a FOSS component are fixed centrally and the fix is then pushed to all consuming products (so the cost scales sub-linearly in the number of products),
  - the distributed model, where each development team fixes its own copy of the component, so the effort scales linearly with the number of consuming products,
  - the hybrid model, where widely used components are maintained centrally and only the least used FOSS components are selected and maintained by the individual development teams that consume them,
* we provide, based on our experience, a clear recommendation of the minimal actions that should be followed when using third-party components as part of a software development process.
For More Information Please Visit:- https://2016.appsec.eu/
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.