2017 - Security Evaluation of Libraries

The target audience for this talk is security engineers, software development engineers, software development managers, technical program managers and anyone who uses libraries as part of software development process. The attendees will walk away with a methodology on how to review libraries and how to scale secure usage of libraries using secure-by-default implementation.

Software services are built on top of service frameworks such as .net, Java web services, Apache axis etc. These frameworks consist of a set of libraries and other components like support program, compilers, tool sets etc. Applications interact with libraries through well-defined API calls either during the build (static) or at run-time (dynamic). Generally speaking, Application Security programs implement an application-centric review process. They do not cover the criteria to do security evaluations of libraries. The attack surface, threats and data flow for a library are different from an application. This talk discusses the primary difference between applications and libraries and provides a mechanism for evaluating libraries. Specifically, it covers how to scope the assessment of a library and special considerations during architecture review and threat modeling phases. Validation of the secure and correct implementation of the security controls offered by the library is the main goal of the evaluation. By evaluating libraries, we make sure that all the fundamental building blocks of development framework are secure. By offering guidance on secure-by-default configurations to developers we can strengthen the secure software development process.