Open-Source Software Libraries Security

Started in August 2023

The goal of the project is to collaboratively tackle the issue of Open-Source Software Libraries Security (henceforth OSSLS). The project intends to identify security vulnerabilities in the source code of open source software libraries used in PCSI partners’ applications by combining the output of different testing techniques (static analysis, software composition analysis, and fuzz testing). 


The PCSI partners involved in the project will share knowledge of the testing techniques' results, providing additional security attestation when using open source software libraries. Furthermore, the PCSI partners in the project will analyse the identified risks and share them amongst all other PCSI partners for further policy development. Finally, PCSI core partners may decide to make the results of analyses conducted within the project available upstream, sharing them with the maintainers of the open source software libraries in which security vulnerabilities have been identified. Open-source communities can use these results to fix the issues and improve future versions.

Innovative aspects

  • The introduction of an array of software testing techniques, including fuzzing, into software development lifecycle pipelines.

  • Collaboration in lowering the threshold for PCSI partners when it comes to acquiring new skills and knowledge.

  • Identifying vulnerabilities in commonly used open source software libraries collaboratively, whilst not hindering healthy competition in the market.

Solutions

The project aims to deliver a solution that provides a reliable way to increase software quality and security. This solution would provide actionable information on which test configurations yield efficient results when testing open source software libraries. The feedback loop towards the open-source software community would eventually lead to faster patching, resulting in better long-term maintenance and security of open source libraries.

Intended end result

At the end of the project, each PCSI partner will have a good understanding of the risks of using open source libraries and improved knowledge and skills in an array of software testing techniques, including fuzzing. As a result, exposure to security risks is reduced and the quality of all the PCSI partners' software products in which open source libraries are used is significantly improved.

Picture source: www.vecteezy.com
PCSI is a partnership of
    ABN-AMRO Achmea ASML Belastingdienst ING TNO