The Devils in the Dependency - Data Driven Software Composition Analysis

Dive into a comprehensive analysis of open source library usage and vulnerabilities in software development during this 38-minute Black Hat conference talk. Explore data from over 85,000 applications and 500,000+ open source libraries, uncovering insights on dependency cascades, proof-of-concept exploits, and the impact of even small, popular libraries on application security. Examine language-specific trends, vulnerability patterns, and the implications of transitive dependencies. Learn about the OWASP Top Ten categories, exploit availability, and the vulnerability funnel. Gain valuable takeaways on managing library dependencies, understanding security risks, and making informed decisions about language choices and library updates in your software development process.

Intro
We're going to demonstrate, with data...
About the report
Agenda
Data sources
Biases
Library usage is highly language dependent
Usage rate of popular libraries
SemVer, the closest we can get to a standard...
Definition / implications
Transitive by language (Fig 4)
Direct vs Transitive vulnerabilities (Figs 11-12)
More libraries = more problems? (Fig 13)
Language choice makes a difference (Fig 5)
OWASP Top Ten (Fig 6)
PHP is basically a minefield (Fig 7)
Not all vulnerabilities have exploits (Fig 8)
PoC exploits by OWASP category (Fig 10)
The vulnerability funnel (Fig 14)
Good news: most fixes are minor (Figs 16-17)
Begs many questions
How do the chains end?
Most chains are relatively short...
but it varies by language
Most updates are still small
Takeaways