How Do I Know What Third-Party Components My Software Is Using?

Question: I know third-party/open source components in my software could be a source of vulnerabilities, but I don't even know what third-party components all of my software is using. How do I find out?

Brad Causey, CEO at Zero Day Consulting: In most cases, it's best to reach out directly to the vendor/developer and ask this question. However, you can also perform a source code review to identify those components as well. This is especially true in Web applications, where references and includes are easily found.

Look into automated source scanners, such as the commercial ones from Veracode or Whitehat, or open source alternatives like LGTM. Another option is to look into commercial services that specialize in this role, such as BlackDuck or Protecode. Services will be more comprehensive with analysts and other resources available, but they will cost more. Using automated tools will be less expensive but will require some in-house security experience to interpret and investigate findings.

Whatever you do, make sure you integrate source code review into your security life cycle because it is likely to change over time, and applications may include new third-party and open-source components. A great way to do this would be to synchronize the checks with software upgrades and releases. This will allow you to plan for it and check again each time a major change is made to the application.

If vulnerabilities are reported in any of these components, roll them into your normal remediation process. Treat it the same way you would any other bug tracking or patch management.

What do you advise? Let us know in the Comments section, below.