Send message to

Do you want to send the message without a subject?
Please note that your message can be maximum 1000 characters long
Special characters '<', '>' are not allowed in subject and message
reCaptcha is invalid.
reCaptcha failed because of a problem with the server.

Your message has been sent

You can find the message in your personal profile at "My messages".

An error occured

Please try again.

Make an appointment with

So that you can make an appointment, the calendar will open in a new tab on the personal profile of your contact person.

Create an onsite appointment with

So that you can make an onsite appointment, the appointment request will open in a new tab.

Forums it-sa Expo Knowledge Forum A

Supply chain security for software - more important than ever

Do you know the security gaps in your software supply chain? Or do you rely on finding known CVEs?

calendar_today Wed, 26.10.2022, 10:00 - 10:15

event_available On site

Action Video

south_east

Action description

south_east

Speaker

south_east

Themes

Trend topic Awareness / Phishing / Fraud

Event

This action is part of the event Forums it-sa Expo

Action Video

grafischer Background
close

This video is available to the it-sa 365 community. 
Please register or log in with your login data.

Action description


At the turn of the year 2021/2022, vulnerabilities found in the logging library log4j impressively demonstrated how much the security of applications, systems, and infrastructures depends on the security of the individual components. A standard, widely used open source library for a peripheral issue like logging led to frantic patching and updating of major web services and critical enterprise applications. Employees were recalled from Christmas vacation, and applications were shut down as a precaution. The first patches for log4j turned out to be insufficient, and within a short period of time, improvements had to be made again. Each new log4j version entailed updates of the rolled-out applications, and with each interim status, attack possibilities remained.

At the latest since this experience, the topic of supply chain security has been high on the agenda of many security managers. In this context, SBOM, the "Software Bill of Materials", and thus the question of which libraries and components are used at all in one's own software, is at the beginning of every investigation. Having such a list maintained manually by the developers is not realistic in practice. Newly taken up open source components are not added, or the version statuses in the manual SBOM are long outdated. In addition, such a manual documentation effort stands in the way of an agile development process that focuses on the code and relies on the code itself as a central source of information. This problem can only be solved through automation. While traditional approaches focus on the repository and thus the developer, they offer little opportunity for the end user to check the dependencies of purchased software. With a binary code scanner, on the other hand, the executed file can be checked without requiring access to the source code or the development environment. This allows users to check their own dependencies without having to rely purely on the information provided by the manufacturer.

Even if all components are known, and for none of these components a vulnerability is publicly known, by e.g. a CVE number exists, this does not mean security. The security hole in log4j was present for years undiscovered, although the library was widely used and available as an open source project for everyone to see. On the one hand, this example shows that even popular open source components can be vulnerable without being detected, i.e. a community-based testing and correction process is not one hundred percent given here either, despite the open source nature. On the other hand, the example shows that CVE numbers only represent vulnerabilities that are already known, i.e. a reaction may not be possible until too late. If the vulnerability is known, exploits for it are also commonly known.

To solve this problem, code scanners can once again make an important contribution. A binary code scanner checks the final executed software, including all dependencies. Regardless of whether a line of code originally came from a library or from the primary application code, it is part of the final software, the final installation or execution file, and thus can be inspected by a binary code scanner. The binary code scan eliminates the distinction between program and library, and errors in the libraries become as visible as errors in the program itself, since the code is examined as a unit. This principle is the basis for the deep scan of our VUSC scanner for Java (enterprise) applications, Spring Boot web applications, Android apps, and other platforms
... read more

Downloads

Language: German

Questions and Answers: No

Speaker

show more
close

This content or feature is available to the it-sa 365 community. 
Please register or log in with your login data.