Controlling open source security vulnerabilities
Controlling Open Source Security Vulnerabilities
Smart and Easy Management of Open Source Components
Rami Sass, CEO, White Source
Agenda and Logistics
• About White Source
• Security and quality issues with open source
• White Source
• Demo
• Q&A
• Please type questions in the control bar
• Questions will be addressed at the end
• Full answers will be sent by email
Open Source is Great but…
• Almost all software projects use open source (85%)
• But few are able to get the benefits without falling into the pitfalls
Security and Quality
License Risks and Compliance
Ineffective Manual Management
Enter White Source
• Agile solution that fits into your development lifecycle and processes
• Leaves you with the full benefits of open source
• Without the security issues
• Without the compliance risks
• Without burdening your developers
• Without costing you a fortune
Security and Quality Issues with Open Source
• 70% of applications have security issues (State of Software Security Survey, Veracode)
• Open source is also code, and likely to contain same percent of security issues and other bugs
• Hence, your product likely contains such issues
WORSE:
• Open source communities are often quick to fix security issues and other bugs (5-8 fixes a year)
• But if you are like many, you did not know of these issues, and did not update (85%, White Source data)
FACT: Your product likely contains known security issues and other bugs
Open Source Security and Quality
• A study of 3000 real software projects (from over 700 commercial organizations) in White Source databases shows 23% of projects have security vulnerabilities
• Only 1.3% of open source libraries with vulnerabilities were up-to-date
White Source Security Study
Missed updates are the number one cause of vulnerable software
Software Security Testing Practices
Software developers test their own code
But, open source typically comprises 90% of the total code base
If your product contains a vulnerable open source library, your product is vulnerable
Discovering Vulnerabilities
Open Source components are just as likely to have security issues as any code
Having many users, and the code being open, makes vulnerabilities more likely to be discovered
On-line open databases track known and new vulnerabilities
Known vulnerabilities are an invitation for hackers to attack
So what’s the problem?
Vulnerabilities Database
Not everyone is aware
Difficult to search
Difficult to understand severity
No way to see all issues together
Do not refer directly to an open source project
11
Nobody Looks for Vulnerabilities
Very few developers continue to monitor the open source they used for vulnerabilities
• They usually go on to the next project
• They focus on their own code
Therefore
You won’t know when a vulnerability is discovered
You won’t even know when a fix was released
And so, your product will likely continue to carry the vulnerable code for long time
• “As open source software becomes mainstream it requires the same level of security and reliability as proprietary software. Organizations must therefore implement processes and solutions to promptly identify and fix vulnerabilities in their open source software."
Dan Yachin, Research Director at IDC Emerging Technologies group
• “There is a clear disconnect between what is expected from development teams and what they can realistically do. They often lack the expertise and time to continually monitor open source libraries for security vulnerabilities and bugs.”
P. Cohen, EVP and Senior Analyst from STKI
What Analysts are Saying
White Source
White Source
• Cloud-based service
• Internal, always updated, knowledge base about open source projects (licenses, issues, risks, versions, etc.)
• Feeds from your dev platforms
• Seamlessly integrates with your dev processes
• Automates open source management best practices
• All the information you need, up to date, in a click
• Watches your back and proactively alerts you
• Easy to operate (very little work; no training needed)
• Extremely affordable
Managing Security and Quality Issues
White Source proactively manages each of your projects to address security issues and other bugs
• We know the exact open source content of each of your projects
• We will proactively alert you whenever security vulnerabilities are reported for open source you actually use
• We will proactively alert you when new releases are available that fix these and other issues
License Risks and Compliance
• Over 80% of companies have gaps between reported vs. actual open source consumed
• A substantial driver of this gap is open source dependencies
• Difficult to enforce an approval process, and insufficient documentation
With White Source
• Automatically discover existing open source inventory
• Automatically detect new open source when added
• Automatically identify all licenses, down to the last dependency
• Automate enforcement of policy and processes
Open Source License Risks and Compliance
Companies do not have an accurate picture of their open source usage, resulting in legal liability and potential compromise to IP
How it’s done
• Wide range of OOTB plugins for leading build tools
• Plugins send signatures of libraries to the service
• No code is ever exposed to White Source
• Takes developers out of the loop, saves time, reduces errors
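The signature-based flow described above, and the vulnerability and fix-release alerting from the "Managing Security and Quality Issues" slide, as an added illustration that is not White Source's own code: the build-side step hashes each resolved library, only file names and hashes are sent, and the service side matches those hashes against a knowledge base to flag known-vulnerable and out-of-date components. Library names, versions, bytes and advisory ids are all constructed placeholders.

```python
import hashlib

# Constructed stand-in for a build tool's resolved dependencies (file name -> bytes).
# A real plugin would read the jars/packages the build actually resolved.
BUILD_LIBS = {
    "libparse-1.2.0.jar": b"constructed bytes for libparse 1.2.0",
    "libnet-3.0.1.jar": b"constructed bytes for libnet 3.0.1",
    "libutil-2.4.0.jar": b"constructed bytes for libutil 2.4.0",
    "internal-app.jar": b"your own proprietary code, never uploaded",
}

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

# Constructed knowledge base keyed by library SHA-1 (hypothetical names, versions
# and placeholder advisory ids; not real CVEs and not real White Source data).
KNOWLEDGE_BASE = {
    sha1_hex(BUILD_LIBS["libparse-1.2.0.jar"]): {
        "name": "libparse", "version": "1.2.0", "latest": "1.3.1",
        "advisories": ["ADVISORY-PLACEHOLDER-1"], "fixed_in": "1.2.2"},
    sha1_hex(BUILD_LIBS["libnet-3.0.1.jar"]): {
        "name": "libnet", "version": "3.0.1", "latest": "3.2.0",
        "advisories": [], "fixed_in": None},
    sha1_hex(BUILD_LIBS["libutil-2.4.0.jar"]): {
        "name": "libutil", "version": "2.4.0", "latest": "2.4.0",
        "advisories": [], "fixed_in": None},
}

def fingerprint_libs(libs: dict) -> dict:
    """Client side (build plugin): only file names and hashes leave the build."""
    return {name: sha1_hex(data) for name, data in libs.items()}

def assess(fingerprints: dict, kb: dict) -> dict:
    """Service side: match signatures against the knowledge base and decide alerts."""
    report = {}
    for fname, digest in fingerprints.items():
        entry = kb.get(digest)
        if entry is None:  # not a known open source library (e.g. proprietary code)
            report[fname] = {"status": "unknown", "action": None}
        elif entry["advisories"]:  # known vulnerability: alert with the fixing release
            report[fname] = {"status": "vulnerable",
                             "action": f"upgrade to {entry['fixed_in']}"}
        elif entry["version"] != entry["latest"]:  # missed update: alert as well
            report[fname] = {"status": "outdated",
                             "action": f"upgrade to {entry['latest']}"}
        else:
            report[fname] = {"status": "ok", "action": None}
    return report
```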
Summary and Value Proposition
• Open source is great, but its value can be marred by
  • Security and quality issues
  • License risks and compliance
  • Laborious management processes
• White Source
  • Fits seamlessly into your development lifecycle
  • Proactively alerts you on vulnerabilities as well as available fixes
  • Enforces compliance and organizational license policies
  • Automates all open source management processes
• Fastest, easiest, most cost-effective solution