Ways to mitigate third-party library risks

There are a number of techniques to mitigate the risks of third-party libraries. Chris Wysopal, the CTO and co-founder of Veracode, tells CSO that he wants software developers to be more proactive and “invest in the right kinds of tooling to find and fix vulnerabilities in their software supply chains and employ immediate fixes, governments must also acknowledge the potential risk to national security posed by open-source software.” This is a common refrain coming from him, harking back to earlier times when he was known by his hacker handle, Weld Pond, and when he testified before Congress about the topic.

As software gets more complex with more dependent components, it quickly becomes difficult to detect coding errors, whether they are inadvertent or added for malicious purposes as attackers try to hide their malware. “A smart attacker would just make their attack look like an inadvertent vulnerability, thereby creating extremely plausible deniability,” Williams says.

There are ways to help flag and eliminate these insecure libraries. In June 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a series of recommendations on how to improve development frameworks and coding pipelines to prevent third-party attacks. While the agency mentioned the benefits of third-party code to facilitate rapid development and deployment, there needs to be controls such as better and cryptographically stronger account credentials and restrictions of untrusted libraries, for example.