On the Use of Tests for Software Supply Chain Threats

Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses Pub Date : 2022-11-11 DOI:10.1145/3560835.3564557

J. Hejderup

{"title":"On the Use of Tests for Software Supply Chain Threats","authors":"J. Hejderup","doi":"10.1145/3560835.3564557","DOIUrl":null,"url":null,"abstract":"Development teams are increasingly investing in automating the updating of third-party libraries to limit the patch time of zero-day exploits such as the Equifax breach. GitHub bots such as Dependabot and Renovate build such functionality by leveraging existing test infrastructure in repositories to test and evaluate new library updates. However, two recent studies suggest that test suites in projects lack effectiveness and coverage to reliably find regressions in third-party libraries. Adequate test coverage and effectiveness are critical in discovering new vulnerabilities and weaknesses from third-party libraries. The recent Log4Shell incident exemplifies this, as projects will likely not have adequate tests for logging libraries. This position paper discusses the weaknesses and challenges of current testing practices and techniques from a supply chain security perspective. We highlight two key challenges that researchers and practitioners need to address: (1) the lack of resources and best practices for testing the uses of third-party libraries and (2) enhancing the reliability of automating library updates.","PeriodicalId":208151,"journal":{"name":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-11-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3560835.3564557","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

Development teams are increasingly investing in automating the updating of third-party libraries to limit the patch time of zero-day exploits such as the Equifax breach. GitHub bots such as Dependabot and Renovate build such functionality by leveraging existing test infrastructure in repositories to test and evaluate new library updates. However, two recent studies suggest that test suites in projects lack effectiveness and coverage to reliably find regressions in third-party libraries. Adequate test coverage and effectiveness are critical in discovering new vulnerabilities and weaknesses from third-party libraries. The recent Log4Shell incident exemplifies this, as projects will likely not have adequate tests for logging libraries. This position paper discusses the weaknesses and challenges of current testing practices and techniques from a supply chain security perspective. We highlight two key challenges that researchers and practitioners need to address: (1) the lack of resources and best practices for testing the uses of third-party libraries and (2) enhancing the reliability of automating library updates.

查看原文本刊更多论文

软件供应链威胁测试的使用

开发团队越来越多地投资于第三方库的自动化更新，以限制零日漏洞(如Equifax漏洞)的补丁时间。GitHub机器人(如Dependabot和Renovate)通过利用存储库中现有的测试基础设施来测试和评估新的库更新来构建此类功能。然而，最近的两项研究表明，项目中的测试套件缺乏有效性和覆盖率，无法可靠地在第三方库中找到回归。充分的测试覆盖率和有效性对于从第三方库中发现新的漏洞和弱点至关重要。最近的Log4Shell事件说明了这一点，因为项目可能没有足够的日志库测试。本文从供应链安全的角度讨论了当前测试实践和技术的弱点和挑战。我们强调了研究人员和从业者需要解决的两个关键挑战:(1)缺乏测试第三方库使用的资源和最佳实践;(2)提高自动化库更新的可靠性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses

自引率

0.00%

发文量