Ruchir Garg, Intel Corporation
Most decent sized software products use third-party libraries for faster development. The topic we’d discuss here is something that is usually given lesser importance than it deserves i.e. the management of third-party libraries. Along with the obvious benefits, using third-party libraries also bring along its own share of possible challenges and complexities. When third-party libraries are not managed in an organized manner, developers use and include numerous external libraries, without giving attention to their maintenance. This has led to a situation where the legacy code our customers are running is using obsolete and possibly, vulnerable libraries.
If a vulnerability gets exploited Intel may even face a litigation. These challenges may create unwarranted situations where the ongoing product releases get affected. For example, consider a situation where a researcher discloses a critical vulnerability in a third-party library version that you are using and your customers are demanding an immediate fix within a week. Now when you try to upgrade to the newest version of the library, which has the fix, but you realize that an important OS platform support has been dropped. This may affect a large customer base and definitely not a good news for the organization. Worse, if you lost track, the library might have gone end-of-support and the fix for the vulnerability is simply not available. This is a nightmare scenarios for any organization. We describe a method to minimize the negative impact of using third-party libraries to your release plans. We identified and adopted best-practices that helped us manage third-party libraries in a more predictive manner. We also observed that adopting these best-practices reduced the number of hotfixes we shipped. In this paper, we’ll discuss various issues like managing different library versions, its compatibility– API or platform support, maintenance, and security vulnerability management.