Advisory on Software Bill of Materials and Real-time Vulnerability Monitoring for Open-Source Software and Third-Party Dependencies

Introduction

1. The integration of Open-Source Software (OSS) in software development introduces significant cybersecurity challenges, particularly from vulnerabilities in third-party dependencies. Notable incidents such as Log4j and Heartbleed underscore these risks. During the Log4j incident, many organisations struggled to assess whether their systems had been compromised because they lacked visibility into their software components and dependencies, which delayed their response to the discovered vulnerability. Heartbleed affected the widely used OpenSSL cryptography library and led to the theft of 4.5 million medical records from a major overseas hospital chain.

2. These dependency threats are exacerbated by the extent of third-party dependencies and the number of critical vulnerabilities found in software development projects. According to studies [1][2], a project has on average 68.81 dependencies and an application has on average 5.12 critical vulnerabilities. If developers are unaware of the full composition of their applications, the risk of a cybersecurity breach is significant. In light of such trends, developers need a way to easily identify and address their OSS dependencies in order to mitigate cybersecurity risks.
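The Log4j lesson above is that an organisation needs to know which components an application ships, including the ones pulled in transitively, before it can answer "are we affected?". The following is an added example, not tooling from this advisory: it matches the package URLs in a small CycloneDX-style SBOM against a vulnerability feed and reports the dependency path through which each affected component is reached. The SBOM, the feed, its `[introduced, fixed)` range notation and all helper names are constructed for illustration; the CVE identifier and its fixed version are taken from the public record for Log4Shell, not from this page.

```python
"""Match the components listed in a CycloneDX SBOM against a vulnerability feed.

Added example: the SBOM, the advisory records and the helper names below are
constructed for illustration and are not part of the advisory's own tooling.
"""
import json
from typing import List, Optional, Tuple

# Constructed CycloneDX 1.4-style SBOM for a small Java service. The "dependencies"
# graph records that log4j-core is pulled in transitively via log4j-api.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "version": "1.3.0"}},
    "components": [
        {"bom-ref": "c1", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"bom-ref": "c2", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"bom-ref": "c3", "name": "jackson-databind", "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c3"]},
        {"ref": "c1", "dependsOn": ["c2"]},
        {"ref": "c3", "dependsOn": []},
    ],
})

# Constructed advisory feed keyed by package URL without version. The Log4Shell entry
# uses the publicly documented affected range (fixed in 2.15.0); the [introduced, fixed)
# range notation is an assumption of this example, not a standard feed format.
ADVISORIES = {
    "pkg:maven/org.apache.logging.log4j/log4j-core": [
        {"id": "CVE-2021-44228", "introduced": "2.0", "fixed": "2.15.0"},
    ],
}


def parse_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split a package URL into (type/namespace/name, version); qualifiers and subpath are dropped."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base:
        name, version = base.rsplit("@", 1)
        return name, version
    return base, None


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric key for dotted versions; a pre-release qualifier ('2.0-beta9') is stripped.
    Non-numeric segments count as 0 and keys are padded to three parts (a simplification)."""
    core = version.split("-", 1)[0]
    parts = [int(seg) if seg.isdigit() else 0 for seg in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    return version_key(introduced) <= version_key(version) < version_key(fixed)


def dependency_paths(sbom: dict, target_ref: str) -> List[List[str]]:
    """All paths from the root component to target_ref, following the SBOM dependency graph."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    names = {c["bom-ref"]: c["name"] for c in sbom.get("components", [])}
    root = sbom["metadata"]["component"]
    names[root["bom-ref"]] = root["name"]
    paths: List[List[str]] = []

    def walk(ref: str, trail: List[str], seen: frozenset) -> None:
        if ref in seen:  # guard against cyclic dependency graphs
            return
        trail = trail + [names.get(ref, ref)]
        if ref == target_ref:
            paths.append(trail)
            return
        for child in edges.get(ref, []):
            walk(child, trail, seen | {ref})

    walk(root["bom-ref"], [], frozenset())
    return paths


def find_vulnerable_components(sbom_json: str, advisories: dict) -> List[dict]:
    """Return one finding per (component, advisory) match, with the paths by which it is reached."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        name, version = parse_purl(purl)
        if version is None:
            continue
        for adv in advisories.get(name, []):
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"id": adv["id"], "purl": purl,
                                 "paths": dependency_paths(sbom, comp["bom-ref"])})
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_components(SAMPLE_SBOM, ADVISORIES):
        print(finding["id"], finding["purl"])
        for path in finding["paths"]:
            print("  reached via:", " -> ".join(path))
```

The point of reporting the path rather than only the component is that log4j-core was rarely a direct dependency; the team that owns billing-service sees that the fix lives in the log4j-api version it declared, not in code it wrote. The version comparison here is deliberately simple; a production matcher should use the ecosystem's own version semantics (Maven, npm, PEP 440) rather than a numeric tuple.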
Intended audience of advisory

3. The advisory is intended for all software developers, especially those who incorporate OSS and third-party dependencies into their projects. While many developers are aware of cybersecurity risks, they may not have the resources or guidance to enforce cybersecurity during software development and implementation. To aid developers, the advisory offers guidance on a sustainable and automated approach to vulnerability management through a Software Bill of Materials (SBOM) and real-time vulnerability monitoring.
[1] https://chenbihuan.github.io/paper/icsme20-wang-lib-empirical.pdf
[2] https://www.helpnetsecurity.com/2022/10/04/when-transparency-is-also-obscurity-open-source-security/