An Intelligent Approach to Upgrading OSS Libraries presented at OWASPBASC 2019

by Madison Cool,

Summary : Maintaining secure versions of third-party libraries is a repetitive and tedious task at best. At worst, with many interdependent internal projects (think microservices) and dozens of layers of transitive dependencies, it is a logistical nightmare. A top-down, ad hoc approach is often used to resolve vulnerable third-party libraries, prioritizing high-severity vulnerabilities or internal projects critical to business functions, but failing to address the larger impact of vulnerabilities. TraceLink is taking a different approach, utilizing the graph structure of interconnected projects to perform security upgrades in an informed order from the bottom up. This process aims to automate third-party library version maintenance as much as possible, aiding in the completion of vital security upgrades and compounding the effects of each individual upgrade to reduce overall work done.