Sprint #5: Making good library choices

Welcome back to the fifth sprint of OneHourAppSec. How did you go last sprint? Did you make any changes to the settings for your source code repos?

Now that we have secured our own source code, we need to start thinking about the source code we inherit from other people. This starts when we decide to use a 3rd party library, component or framework.

If we accept that all software can have bugs and that a percentage of these will be security issues, we must accept that this holds true for all software, not just the code we write.

Accepting this means we can build some lightweight processes to help stay safe when choosing new libraries and 3rd party components.

This sprint we take a look at how we choose new components, what the risks are and we take some steps to make things safer:

  • Understanding why 3rd party components can pose a risk to our software supply chain

  • Examining a 3rd party library from a security perspective and learning what to look for

  • Putting a lightweight process in place for accepting new components into your stack

There is a lot to do but we will do it in small chunks to make it more manageable. Let’s get into it 👏

Activities

📽️ [VIDEO] Introducing Sprint 5 (2 minutes)

Welcome to sprint five, where we dig into our plan for the next two weeks and the importance of choosing our 3rd party components wisely.


📽️ [VIDEO] What is supply chain security and what does it have to do with you? (5 minutes)

In AppSec we like to invent fancy terms for things; today we will look at one of these: “supply chain security”. What does this mean and why is it important to us as software developers?


📑 Create and try out your own library selection process (35 minutes)

Now that you understand what to look for, it's time to create and try out a process for reviewing new libraries in your context. Use our helpful template as a guide.


📽️ [VIDEO] Interview: Life as a vulnerability researcher (8 minutes)

Meet Selim Enes Karaduman, a professional software vulnerability researcher. In this short video they explain what their role involves and the importance of keeping our 3rd party software safe.


📽️ [VIDEO] Watch-along - Reviewing a 3rd party library with a security lens (10 minutes)

Join Laura as she reviews a potential 3rd party library for her project and shares what she is looking for from a security perspective.

