Third-Party Library Mismanagement: How it Can Derail Your Plans

Target Audience: All

Ruchir Garg, 2016 Technical Paper, Abstract, Paper, Slides, Notes, Video.

If a vulnerability gets exploited Intel may even face a litigation. These challenges may create unwarranted situations where the ongoing product releases get affected. For example, consider a situation where a researcher discloses a critical vulnerability in a third-party library version that you are using and your customers are demanding an immediate fix within a week. Now when you try to upgrade to the newest version of the library, which has the fix, but you realize that an important OS platform support has been dropped. This may affect a large customer base and definitely not a good news for the organization. Worse, if you lost track, the library might have gone end-of-support and the fix for the vulnerability is simply not available. This is a nightmare scenarios for any organization. We describe a method to minimize the negative impact of using third-party libraries to your release plans. We identified and adopted best-practices that helped us manage third-party libraries in a more predictive manner. We also observed that adopting these best-practices reduced the number of hotfixes we shipped. In this paper, we’ll discuss various issues like managing different library versions, its compatibility– API or platform support, maintenance, and security vulnerability management.