YoVDO

The Devils in the Dependency - Data Driven Software Composition Analysis

Offered By: Black Hat via YouTube

Tags

Black Hat Courses Software Development Courses Data Analysis Courses Vulnerability Analysis Courses Software Composition Analysis Courses

Course Description

Overview

Dive into a comprehensive analysis of open source library usage and vulnerabilities in software development during this 38-minute Black Hat conference talk. Explore data from over 85,000 applications and 500,000+ open source libraries, uncovering insights on dependency cascades, proof-of-concept exploits, and the impact of even small, popular libraries on application security. Examine language-specific trends, vulnerability patterns, and the implications of transitive dependencies. Learn about the OWASP Top Ten categories, exploit availability, and the vulnerability funnel. Gain valuable takeaways on managing library dependencies, understanding security risks, and making informed decisions about language choices and library updates in your software development process.

Syllabus

Intro
We're going to demonstrate, with data...
About the report
Agenda
Data sources
Biases
Library usage is highly language dependent
Usage rate of popular libraries
SemVer, the closest we can get to a standard...
Definition / implications
Transitive by language (Fig 4)
Direct vs Transitive vulnerabilities (Figs 11-12)
More libraries = more problems? (Fig 13)
Language choice makes a difference (Fig 5)
OWASP Top Ten (Fig 6)
PHP is basically a minefield (Fig 7)
Not all vulnerabilities have exploits (Fig 8)
PoC exploits by OWASP category (Fig 10)
The vulnerability funnel (Fig 14)
Good news: most fixes are minor (Figs 16-17)
Begs many questions
How do the chains end?
Most chains are relatively short...
but it varies by language
Most updates are still small
Takeaways


Taught by

Black Hat

Related Courses

Inspecting Open Source Software Packages for Security and License Compliance
Pluralsight
DevSecOps Fundamentals
Cybrary
Effective Vulnerability Discovery with Machine Learning
Black Hat via YouTube
Protect Yourself Against Supply Chain Attacks
NDC Conferences via YouTube
OWASP Flagship Projects - OWASP Dependency-Check
OWASP Foundation via YouTube