Managing Security Risks Inherent in the Use of Thirdparty Components b u c . 5 h t i g © 2017 SAFECode – All Rights Reserved. m o Managing Security Risks Inherent in the Use of Third-party Components Table of Contents 1 Introduction ......................................................................................................................................... 4 1.1 2 Challenges in Using Third-party Components................................................................................. 5 2.1 Example Use Case ......................................................................................................................... 5 2.2 What TPCs Are Included in a Product? .......................................................................................... 6 2.2.1 Naming of Components........................................................................................................... 7 2.2.2 Dependencies.......................................................................................................................... 7 2.3 3 Methodology and Scope ................................................................................................................. 4 2.3.1 Naming of Components........................................................................................................... 9 2.3.2 Dependencies.......................................................................................................................... 9 2.3.3 CVE Reports............................................................................................................................ 9 What TPCs Should We Use and What Are the Security Risks Associated with Them?................ 9 2.5 What Should We Do To Maintain the TPCs Within Our Product? ............................................... 10 b u Managing Third-party Components ................................................................................................ 11 3.2 h t i g Overview of the Third-party Component Management Life Cycle ............................................... 11 3.1.1 TPC Life Cycle and Software Development Life Cycle ......................................................... 12 Key Ingredients of a TPC Management Process ......................................................................... 14 3.2.1 Maintain List of TPCs (MAINTAIN)........................................................................................ 15 3.2.2 Assess Security Risk (ASSESS) ........................................................................................... 19 3.2.3 Mitigate or Accept Risk (MITIGATE) ..................................................................................... 22 3.2.4 Monitor for TPC Changes (MONITOR) ................................................................................. 23 3.3 5 c . 5 2.4 3.1 4 m o Is the Product Affected by the Vulnerable Third-party Component? .............................................. 8 Closing the Example Use Case .................................................................................................... 25 3.3.1 Selecting TPCs ...................................................................................................................... 25 3.3.2 Monitoring TPCs .................................................................................................................... 25 3.3.3 Responding to New Vulnerabilities........................................................................................ 25 3.3.4 Maintaining the TPCs in the Product ..................................................................................... 26 Future Considerations ...................................................................................................................... 27 4.1 Crowdsourcing of Naming and Name Mapping............................................................................ 27 4.2 Crowdsourcing of an End-of-life Repository ................................................................................. 27 4.3 Crowdsourcing of a Vulnerability Source Listing .......................................................................... 27 Summary ............................................................................................................................................ 28 5.1 Acknowledgements.....................................................