In this analysis, we examine over 85,000 applications and their use of more than 500k open source libraries. We provide an overview of open source usage showing that typical applications have hundreds or thousands of libraries, with most coming from a cascade of transitive dependencies. We find that proof-of-concept exploits exist for 21.7% of libraries with flaws, and that even very tiny (162 LoC) and very popular (included in 89% of applications) JavaScript libraries can contain exploitable flaws.

By Benjamin Edwards & Chris Eng

Full Abstract & Presentation Materials: blackhat.com/us-20/briefings/schedule/#the-devils-in-the-dependency-data-driven-software-composition-analysis-20208

• The Devils in the Dependency Data Driven Software Composition Analysis ( Download)
• The Devils in the Dependency Data Driven Software Composition Analysis ( Download)
• Day 15: Software Composition Analysis (SCA)| #CybersecurityAwarenessMonth 2023 ( Download)
• December Event - G0rking | Software Composition Analysis 101 ( Download)
• Software Composition Analysis: Check Assembled Product For Known Risks | Synopsys ( Download)
• Learn to Code | Managing Software Dependencies better so you are not blocked by other developers ( Download)
• Software Composition Analysis (SCA) | Jenkins and SNYK Integration ( Download)
• Mind Games: Using Data to Solve for the Human Element ( Download)
• Protect Yourself Against Supply Chain Attacks - Rob Bos - NDC Security 2022 ( Download)
• Your Software IS/NOT Vulnerable: CSAF, VEX, and the Future of Advisories ( Download)
• EdTech - The Ultimate APT ( Download)
• A Look Ahead at Cyber Security in 2021 ( Download)
• BlackHat 2020 Arsenal - C2 Matrix by Jorge Orchilles and Bryson Bort #C2Matrix ( Download)
• Finding New Bluetooth Low Energy Exploits via Reverse Engineering Multiple Vendors' Firmwares ( Download)
• SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis ( Download)