Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.
How Do I Know What Third-Party Components My Software Is Using?How Do I Know What Third-Party Components My Software Is Using?
Options include automated source scanners and commercial services.
July 22, 2019
Question: I know third-party/open source components in my software could be a source of vulnerabilities, but I don't even know what third-party components all of my software is using. How do I find out?
Brad Causey, CEO at Zero Day Consulting: In most cases, it's best to reach out directly to the vendor/developer and ask this question. However, you can also perform a source code review to identify those components as well. This is especially true in Web applications, where references and includes are easily found.
Look into automated source scanners, such as the commercial ones from Veracode or Whitehat, or open source alternatives like LGTM. Another option is to look into commercial services that specialize in this role, such as BlackDuck or Protecode. Services will be more comprehensive with analysts and other resources available, but they will cost more. Using automated tools will be less expensive but will require some in-house security experience to interpret and investigate findings.
Whatever you do, make sure you integrate source code review into your security life cycle because it is likely to change over time, and applications may include new third-party and open-source components. A great way to do this would be to synchronize the checks with software upgrades and releases. This will allow you to plan for it and check again each time a major change is made to the application.
If vulnerabilities are reported in any of these components, roll them into your normal remediation process. Treat it the same way you would any other bug tracking or patch management.
What do you advise? Let us know in the Comments section, below.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023