Your message has been sent

You can find the message in your personal profile at "My messages".

An error occured

Please try again.

Make an appointment with

So that you can make an appointment, the calendar will open in a new tab on the personal profile of your contact person.

Create an onsite appointment with

So that you can make an onsite appointment, the appointment request will open in a new tab.

Make onsite appointment

Forums it-sa Expo Knowledge Forum A

Supply chain security for software - more important than ever

Do you know the security gaps in your software supply chain? Or do you rely on finding known CVEs?

Buy trade fair ticket

You can register for this action soon.

You can register for the digital action soon.

Please come back at the scheduled date and time.

The action is currently live. Please scroll down to watch.

This action is only available onsite: Forums it-sa Expo

Add action to bookmarks and download as iCal

Join now

Note: If you continue, the contact data you provided during registration may be transmitted to the respective provider in accordance with our General Terms and Conditions.

Please log in or register in advance so that you can take part in actions or watch the action videos!

This action has already taken place. This action will soon be available as a video.

This action has already taken place. Please scroll down to watch the video.

This action has already taken place. Please login or register to watch the video.

This action has already taken place. It's not available any more.

You are in!

Your ticket / access to the action was sent to you by email.

There is a problem with the action at the moment. Please come back later or contact support.

calendar_today Wed, 26.10.2022, 10:00 - 10:15

event_available On site

Action Video

south_east

Action description

south_east

Speaker

south_east

Product

south_east

Themes

Trend topic Awareness / Phishing / Fraud

Organizer

Fraunhofer SIT | ATHENE

Event

This action is part of the event Forums it-sa Expo

Action Video

Action description

At the turn of the year 2021/2022, vulnerabilities found in the logging library log4j impressively demonstrated how much the security of applications, systems, and infrastructures depends on the security of the individual components. A standard, widely used open source library for a peripheral issue like logging led to frantic patching and updating of major web services and critical enterprise applications. Employees were recalled from Christmas vacation, and applications were shut down as a precaution. The first patches for log4j turned out to be insufficient, and within a short period of time, improvements had to be made again. Each new log4j version entailed updates of the rolled-out applications, and with each interim status, attack possibilities remained.

At the latest since this experience, the topic of supply chain security has been high on the agenda of many security managers. In this context, SBOM, the "Software Bill of Materials", and thus the question of which libraries and components are used at all in one's own software, is at the beginning of every investigation. Having such a list maintained manually by the developers is not realistic in practice. Newly taken up open source components are not added, or the version statuses in the manual SBOM are long outdated. In addition, such a manual documentation effort stands in the way of an agile development process that focuses on the code and relies on the code itself as a central source of information. This problem can only be solved through automation. While traditional approaches focus on the repository and thus the developer, they offer little opportunity for the end user to check the dependencies of purchased software. With a binary code scanner, on the other hand, the executed file can be checked without requiring access to the source code or the development environment. This allows users to check their own dependencies without having to rely purely on the information provided by the manufacturer.

Even if all components are known, and for none of these components a vulnerability is publicly known, by e.g. a CVE number exists, this does not mean security. The security hole in log4j was present for years undiscovered, although the library was widely used and available as an open source project for everyone to see. On the one hand, this example shows that even popular open source components can be vulnerable without being detected, i.e. a community-based testing and correction process is not one hundred percent given here either, despite the open source nature. On the other hand, the example shows that CVE numbers only represent vulnerabilities that are already known, i.e. a reaction may not be possible until too late. If the vulnerability is known, exploits for it are also commonly known.

To solve this problem, code scanners can once again make an important contribution. A binary code scanner checks the final executed software, including all dependencies. Regardless of whether a line of code originally came from a library or from the primary application code, it is part of the final software, the final installation or execution file, and thus can be inspected by a binary code scanner. The binary code scan eliminates the distinction between program and library, and errors in the libraries become as visible as errors in the program itself, since the code is examined as a unit. This principle is the basis for the deep scan of our VUSC scanner for Java (enterprise) applications, Spring Boot web applications, Android apps, and other platforms ... read more