IEEE Secure Development Conference

October 18 - 20, 2021
Virtual Conference

Sponsored by the IEEE Computer Society Technical Committee on Security and Privacy

Posted on: August 23rd, 2021 by SecDev

Serena Elisa Ponta
SAP Security Research

Security of Open Source Software Dependencies

Bio: Serena Elisa Ponta is a senior researcher at SAP Security Research. Her current research focuses on open source security and the secure consumption of open source software components. For almost ten years she has been working on the analysis and management of known vulnerabilities in open source software libraries. She is one of the co-authors of Eclipse Steady and one of its main contributors. Prior to joining SAP in 2010, she obtained her Ph.D. in Mathematical Engineering and Simulation from the University of Genova in 2011 and her M.Sc. in Computer Engineering from the same university in 2007.

Abstract: Software applications integrate more and more open source software (OSS) components, which offer readily available implementations of a wide variety of functionalities. While speeding up development, the (direct or transitive) reuse of OSS components has implications for the security of the application. Any vulnerability discovered in an OSS component may potentially affect the application that includes it. Moreover, malicious actors may deliberately place malicious code in open source components to infect downstream components or applications. The key to maintaining a secure software supply chain is to discover these vulnerabilities, assess their risk, and mitigate them during the development, testing, validation, and response phases of the secure software development lifecycle.

In this talk I will give an overview of the challenges that the reuse of OSS components poses to security. I will share our experience creating the open source tool Eclipse Steady, which implements our code-centric approach to detect, assess and mitigate vulnerabilities in OSS components. I will also pinpoint the main limitations of state-of-the-art solutions and discuss directions for reducing the attack surface of applications.
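The two points of the abstract, that a vulnerability in a transitive dependency reaches the application just as a direct one does, and that a code-centric assessment asks whether the vulnerable code is actually reachable rather than merely whether the component is present, can be illustrated with a small example. The following Python is added here for illustration; it is not code from Eclipse Steady or from the speaker. The dependency graph, the call graph, the package names and the vulnerability ids are all constructed placeholders.

```python
"""Added illustration (not Eclipse Steady's code): direct vs. transitive
dependency matching, plus the code-centric question of whether the
vulnerable construct is reachable from the application's own code.
All package names, vulnerability ids and graphs below are constructed."""

from collections import deque

# Constructed dependency graph: package -> set of packages it depends on.
# "app" is the application under assessment; everything else is an OSS component.
DEPENDENCIES = {
    "app": {"web-framework", "json-lib"},
    "web-framework": {"http-client", "logging-lib"},
    "http-client": {"compression-lib"},
    "json-lib": set(),
    "logging-lib": set(),
    "compression-lib": set(),
}

# Constructed known-vulnerability list. Ids are placeholders, not real CVEs.
# "construct" names the method the advisory says is affected.
KNOWN_VULNS = [
    {"id": "VULN-PLACEHOLDER-1", "component": "compression-lib",
     "construct": "compression-lib.inflate"},
    {"id": "VULN-PLACEHOLDER-2", "component": "logging-lib",
     "construct": "logging-lib.lookup"},
    {"id": "VULN-PLACEHOLDER-3", "component": "crypto-lib",
     "construct": "crypto-lib.decrypt"},
]

# Constructed static call graph: caller -> callees, crossing component boundaries.
CALL_GRAPH = {
    "app.handle_request": {"web-framework.dispatch"},
    "web-framework.dispatch": {"http-client.fetch", "logging-lib.info"},
    "http-client.fetch": {"compression-lib.inflate"},
    "logging-lib.info": {"logging-lib.format"},
    "logging-lib.format": set(),
    "logging-lib.lookup": set(),
    "compression-lib.inflate": set(),
}

APP_ENTRY_POINTS = {"app.handle_request"}


def resolve_dependencies(root):
    """Return {component: depth}; depth 1 = direct, >1 = transitive."""
    depth = {}
    queue = deque((dep, 1) for dep in DEPENDENCIES.get(root, ()))
    while queue:
        comp, d = queue.popleft()
        if comp in depth:
            continue
        depth[comp] = d
        queue.extend((child, d + 1) for child in DEPENDENCIES.get(comp, ()))
    return depth


def reachable_constructs(entry_points):
    """Set of constructs reachable from the application's own entry points."""
    seen = set()
    stack = list(entry_points)
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(CALL_GRAPH.get(node, ()))
    return seen


def assess(root="app", entry_points=APP_ENTRY_POINTS):
    """Dependency matching (is the component included at all?) combined with
    the code-centric check (is the vulnerable construct reachable?)."""
    depth = resolve_dependencies(root)
    reachable = reachable_constructs(entry_points)
    findings = []
    for vuln in KNOWN_VULNS:
        comp = vuln["component"]
        if comp not in depth:
            continue  # component is not in the dependency tree
        findings.append({
            "id": vuln["id"],
            "component": comp,
            "kind": "direct" if depth[comp] == 1 else "transitive",
            "reachable": vuln["construct"] in reachable,
        })
    return findings


if __name__ == "__main__":
    for finding in assess():
        print(finding)
```

On the constructed data, the first placeholder vulnerability sits three levels deep yet its vulnerable method is reachable from the application's entry point, so it needs mitigation; the second is in an included component but its vulnerable method is never called, which is the kind of evidence a code-centric approach uses to prioritise; the third concerns a component that is not in the tree and is not reported. Real assessments use resolved build manifests and a proper call-graph or dynamic analysis in place of the hand-written dictionaries here.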