Third party libraries represent a potential attack vector and present security risks to the ecosystem where they are integrated because a majority of the code in numerous applications today comes from third party libraries but the risk of vulnerabilities in these libraries is widely ignored and under-appreciated. In a previous article, the author illustrated the third party library threat landscape, the challenges associated with developing a comprehensive library specific threat model and explained the common attack patterns that leverage common vulnerabilities in libraries. In this article the author discusses techniques and challenges to mitigate threats and vulnerabilities in third party libraries via Security Development Lifecycle (SDL).

As previously discussed, in this paper, we run Klocwork Insight against Linux kernel (version 2.6.32.9) and we discuss the results of our analysis. Klocwork Insight version used for this analysis was 9.2.0.6223. Figure 3 shows the Klocwork checkers we have used for analyzing C/C++ source code. These are actually ‘checker families’ or ‘categories’ as each of these tree items (in figure 3) contains a number of individual checkers.

Static code analysis (SCA) is the analysis of computer programs that is performed without actually executing the programs, usually by using an automated tool. SCA has become an integral part of the software development life cycle and one of the first steps to detect and eliminate programming errors early in the software development stage. Although SCA tools are routinely used in proprietary software development environment to ensure software quality, application of such tools to the vast expanse of opensource code presents a forbidding albeit interesting challenge, especially when opensource code finds its way into commercial software.