
Open Source Security Analysis @ SAP Security Research

Hosted By
Benoit B. and Deepika T.

Details

Speaker
Serena Elisa Ponta, Henrik Plate

Abstract
Software applications integrate more and more open source software components, which offer readily available implementations of a wide variety of functionalities. While speeding up development, the (direct or transitive) reuse of OSS components has implications for the security of the application. Any vulnerability discovered in an OSS component may affect the application that includes it. Moreover, malicious actors may deliberately place malicious code in open source components to infect downstream components or applications.
In this talk we will present the research directions we are pursuing at SAP Security Research in the area of open source software security. We will give an overview of a taxonomy of attack vectors targeting open source software supply chains. We will share our experience creating the open source tool Eclipse Steady, which implements our code-centric approach to detect, assess and mitigate vulnerabilities in OSS components. We will also pinpoint the main limitations of state-of-the-art solutions and discuss directions for reducing the attack surface of applications.

Bio

  • Serena Elisa Ponta is a senior researcher at SAP Security Research. Her current research focuses on open source security and the secure consumption of open source software components. For almost ten years she has been working on the analysis and management of known vulnerabilities in open source software libraries. She is one of the co-inventors of Eclipse Steady and one of its main contributors. Prior to joining SAP in 2010, she obtained her Ph.D. in Mathematical Engineering and Simulation from the University of Genova in 2011 and her M.Sc. in Computer Engineering from the same university in 2007.
  • Henrik Plate is a senior researcher at SAP Security Research, the former lead of its focus topic Open Source Security Analysis, as well as a co-inventor and core contributor to Eclipse Steady, the Risk Explorer for Software Supply Chains and other open source projects. Starting October 2022, he will work as a contracted security advisor for Endor Labs, a start-up developing code-centric solutions in the area of software supply chain security, where he continues his research in this field. He holds a CISSP certification and an M.Sc. in Computer Science and Business Administration from the University of Mannheim.
KTH Software Research Meetup
KTH room 4523
Lindstedtsvägen 5, D-huset, huvudbyggnaden, våningsplan 5 · Stockholm, al