By Tania Skinner, Product Security Strategist, Intel Corporation

The Managing Security Risks Inherent in the Use of Third-party Components White Paper is now available.  Below is a brief preview of the document.  I encourage you to download it and share it with your colleagues.

The use of third-party components (TPCs), including open source software (OSS) or commercial off-the-shelf (COTS) components, has become a de facto standard in software development. The efficiency and productivity gains provided by third-party components are well known but they come with risk.  TPCs, used as pre-made building blocks, enable faster time to market and lower development costs by providing out-of-the box functionality of common functions. TPCs are often treated as “black boxes” and are less scrutinized than comparable internally developed components.

Historically, the selection and usage of TPCs has been an engineering decision, purely based on functionality. Given the increasing trend in usage of third-party components, security must be a consideration in the selection and usage of TPCs.

Over the last year and a half myself and Prithvi Bisht, Adobe; Mike Heim, Boeing; Manuel Ifland, Siemens; and Michael Scovetta, Microsoft contributed and culled the best practices from our own organizations to create a set of guidelines for third-party components (TPC) that SAFECode believes organizations should consider when using open source software (OSS) or commercial off-the-shelf (COTS) components.  The white paper discusses the benefits, risks, challenges and problems with TPCs and addresses the third-party component management lifecycle.  Included in the white paper are a number of recommendations on TPC topics like:

  • Identifying components
  • Assessing risk
  • Managing risk
  • Planning for patches and remediation
  • Vulnerability response

The Managing Security Risks Inherent in the Use of Third-party Components White Paper is available on the SAFECode website. I strongly urge you to read it and email [email protected] with your thoughts and comments. We would especially appreciate the feedback on its best practice guidelines. I do ask you one favor; after reading the white paper please share it with at least one other person you think would benefit from it. Thank you in advance for helping to educate the industry on managing the security risks of TPCs.