AppSec Europe 2016 has ended
Thursday, June 30 • 11:35 - 12:20
Using Third Party Components for Building an Application Might be More Dangerous Than You Think


Today, nearly all developers rely on third party components for 
building an application. Thus, for most software vendors, third party 
components in general and Free and Open Source Software (FOSS) in 
particular, are an integral part of their software supply chain. 

As the security of a software offering, independently of the delivery 
model, depends on all of its components, a secure software supply chain is of 
utmost importance. While this is true for both proprietary and FOSS 
components that are consumed, FOSS components pose 
particular challenges as well as provide unique opportunities. For 
example, on the one hand, FOSS licenses usually contain a very strong 
"no warranty" clause and no service-level agreement. On the other 
hand, FOSS licenses allow modifying the source code and, thus, fixing 
issues without depending on an (external) software vendor. 

This talk is based on our work on securely integrating third-party 
components in general, and FOSS components in particular, into 
SAP's Security Development Lifecycle (SSDL). Thus, our experience 
covers a wide range of products (e.g., from small mobile applications 
of a few thousand lines of code to large-scale enterprise 
applications with more than a billion lines of code), a wide range of 
software development models (ranging from traditional waterfall to 
agile software engineering to DevOps), as well as multiple 
deployment models (e.g., on-premise products, custom hosting, or 

In this talk, 
* we analyze and categorize the challenges and opportunities of 
the secure use of FOSS components in building proprietary 
enterprise software, 
* we discuss the challenges of basing the decision to use FOSS 
on empirical research results, and 
* we discuss three different cost models for using FOSS in a 
commercial software development process: 
- the centralized model, where vulnerabilities of a FOSS component 
are fixed centrally and then pushed to all consuming products (and 
therefore costs scale sub-linearly in the number of products), 
- the distributed model, where each development team fixes its own 
copy of the component and effort scales linearly with usage, 
- the hybrid model, where only the least used FOSS components are 
selected and maintained by individual development teams, 
* we provide, based on our experience, a clear recommendation of 
minimal actions that should be followed when using third-party 
components as part of a software development process. 


Achim D. Brucker

Professor, University of Exeter
Dr. Achim D. Brucker (www.brucker.ch) is a Senior Lecturer and consultant at The University of Sheffield, UK, where he heads the Software Assurance & Security Research Team (logicalhacking.com). Until December 2015, he was a Research Expert (Architect), Security Testing Strategist...

Stanislav Dashevskyi

PhD student, University of Trento

Fabio Massacci

Deputy Head of Department, University of Trento
Fabio Massacci's research interests are the development of experimental and empirical methods for cybersecurity. Fabio has a PhD in computing from the University of Rome La Sapienza. He was the European coordinator of the Socio-Economics Meets Security (SECONOMICS; www.seconomics.org...

Thursday June 30, 2016 11:35 - 12:20 CEST
Room D (Tiziano Ballroom Sec. 3)