Ways to mitigate the risk of a third-party library
There are a number of strategies to mitigate the risks of third-party libraries. Chris Wysopal, CTO and founder of Veracode, tells CSO that he wants software developers to work harder and “invest in the right kinds of tools to find and fix vulnerabilities in their software supply market and implement quick fixes, governments should too.” they acknowledge the potential risks to national security posed by open source software.” This is a common denial from him, going back to earlier times when he was known by his hacker handle, Weld Pond, and when he testified before Congress on the subject.
As software becomes more complex with more interdependent components, it quickly becomes difficult to detect coding errors, whether they are unintentional or added for malicious purposes as attackers try to hide their malware. “A clever attacker can make his attack look like it’s not intentional, thus creating a plausible deniability,” Williams said.
There are ways to help flag and eliminate these insecure libraries. In June 2023, the Cybersecurity and Infrastructure Security Agency (CISA) issued a series of recommendations on how to improve development frameworks and coding pipelines to prevent third-party attacks. Although the agency talked about the benefits of third-party code to facilitate rapid development and deployment, there needs to be controls such as better and cryptographically strong account credentials and restrictions on trusted libraries, for example.
Source link