Enhancing Software Supply Chain Security: Approaches to Software Composition Analysis - OCX 2024

Published 2024-12-10 by the Eclipse Foundation. Video: https://www.youtube.com/watch?v=PAGT7y5HIwM
Java is one of the most popular programming languages in the world, with a large software ecosystem. A typical Java project relies on third-party packages as part of its software supply chain, which often results in hundreds of direct and transitive dependencies. SolarWinds, Log4Shell and other incidents have demonstrated the catastrophic impact of attacks on the software supply chain in general and on the Java ecosystem in particular. In this talk, we look at two approaches taken by Software Composition Analysis (SCA) tools: the code-centric approach implemented by Eclipse Steady and the metadata-based approach implemented by OWASP Dependency-Check. Both are mature tools that try to solve the problem of reliably detecting vulnerabilities in package dependencies. While the metadata-based approach is state of the art and widely implemented, the code-centric approach has been developed in recent years. We apply both approaches to a set of Java projects and inspect their results. Our findings show that each approach has its advantages and downsides, and we propose a hybrid approach that combines the strengths of both. The aim of this investigation is to answer the question of how we can improve the precision and efficiency of vulnerability detection in third-party dependencies and thereby increase the security of our software supply chain. Since Eclipse Steady and OWASP Dependency-Check are both free and open source software, they can potentially be used in your own projects. Basic knowledge of software development is sufficient to participate in this session.



