Controlling open source security vulnerabilities

Smart and Easy Management of Open Source Components

Rami Sass, CEO, White Source


Transcript of Controlling open source security vulnerabilities


Page 2

Agenda and Logistics

• About White Source
• Security and quality issues with open source
• White Source
• Demo
• Q&A

• Please type questions in the control bar
• Questions will be addressed at the end
• Full answers will be sent by email

Page 3

Open Source is Great but…

• Almost all software projects use open source (85%)
• But few are able to get the benefits without falling for the pitfalls

Security and Quality

License Risks and Compliance

Ineffective Manual Management

Page 4

Enter White Source

• Agile solution that fits into your development lifecycle and processes

• Leaves you with the full benefits of open source

• Without the security issues
• Without the compliance risks
• Without burdening your developers
• Without costing you a fortune

Page 5

Security and Quality Issues with Open Source

Page 6

• 70% of applications have security issues (State of Software Security Survey, Veracode)

• Open source is also code, and is likely to contain the same percentage of security issues and other bugs

• Hence, your product likely contains such issues

WORSE:
• Open source communities are often quick to fix security issues and other bugs (5-8 fixes a year)
• But if you are like many, you did not know of these issues, and did not update (85%, White Source data)

FACT: Your product likely contains known security issues and other bugs

Open Source Security and Quality

Page 7

White Source Security Study

• A study of 3000 real software projects (from over 700 commercial organizations) in the White Source database shows that 23% of projects have security vulnerabilities

• Only 1.3% of open source libraries with vulnerabilities were up-to-date

Missed updates are the number one cause of vulnerable software

Page 8

Software Security Testing Practices

Software developers test their own code

But open source typically comprises 90% of the total code base

If your product contains a vulnerable open source library, your product is vulnerable

Page 9

Discovering Vulnerabilities

Open source components are just as likely to have security issues as any other code

The large user base and the openly available code make vulnerabilities more likely to be discovered

Online public databases track known and newly reported vulnerabilities

Known vulnerabilities are an invitation for attackers

So what's the problem?

Page 10

Vulnerabilities Database

• Not everyone is aware of them
• Difficult to search
• Difficult to understand severity
• No way to see all issues together
• Entries do not refer directly to an open source project

Page 11

Nobody Looks for Vulnerabilities

Very few developers continue to monitor the open source they used for vulnerabilities; they usually go on to the next project and focus on their own code

Therefore

You won't know when a vulnerability is discovered

You won't even know when a fix was released

And so, your product will likely continue to carry the vulnerable code for a long time

Page 12

What Analysts are Saying

• "As open source software becomes mainstream it requires the same level of security and reliability as proprietary software. Organizations must therefore implement processes and solutions to promptly identify and fix vulnerabilities in their open source software."

Dan Yachin, Research Director at IDC Emerging Technologies group

• "There is a clear disconnect between what is expected from development teams and what they can realistically do. They often lack the expertise and time to continually monitor open source libraries for security vulnerabilities and bugs."

P. Cohen, EVP and Senior Analyst from STKI

Page 13

White Source

Page 14

White Source

• Cloud-based service
• Internal, always updated knowledge base about open source projects (licenses, issues, risks, versions, etc.)
• Feeds from your dev platforms
• Seamlessly integrates with your dev processes
• Automates open source management best practices
• All the information you need, up to date, in a click
• Watches your back and proactively alerts you
• Easy to operate (very little work; no training needed)
• Extremely affordable

Page 15

Managing Security and Quality Issues

White Source proactively manages each of your projects to address security issues and other bugs


• We know the exact open source content of each of your projects

• We will proactively alert you whenever security vulnerabilities are reported for open source you actually use

• We will proactively alert you when new releases are available that fix these and other issues

Page 16

License Risks and Compliance

• Over 80% of companies have gaps between reported vs. actual open source consumed
• A substantial driver of this gap is open source dependencies
• Approval processes are difficult to enforce, and documentation is insufficient

With White Source
• Automatically discover existing open source inventory
• Automatically detect new open source when added
• Automatically identify all licenses, down to the last dependency
• Automate enforcement of policy and processes


Companies do not have an accurate picture of their open source usage, resulting in legal liability and potential compromise to IP

Page 17

How it’s done

• Wide range of OOTB plugins for leading build tools
• Plugins send signatures of libraries to the service
• No code is ever exposed to White Source
• Take developers out of the loop, save time, reduce errors
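Slides 15 and 17 only outline the mechanism: the build plugin sends a signature of each resolved library, the service maps that signature to a known release, and it alerts when an advisory covers that release or a fixing release exists. The following Python is an added illustration of that matching logic, written for this edit; it is not White Source code and calls no White Source API. The artifact bytes, the release knowledge base, the advisory identifiers (EXAMPLE-…) and the component names are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample artifacts standing in for the jars a build tool resolves.
# The byte strings are invented for this example; they are not real files.
SAMPLE_ARTIFACTS = {
    "acme-http-client-2.3.1.jar": b"constructed bytes: acme-http-client 2.3.1",
    "acme-xml-parser-1.0.4.jar": b"constructed bytes: acme-xml-parser 1.0.4",
    "acme-logging-5.2.0.jar": b"constructed bytes: acme-logging 5.2.0",
    "vendored-patched.jar": b"constructed bytes: locally patched fork",
}


def fingerprint(data: bytes) -> str:
    """The only thing that leaves the build host: a SHA-256 of the artifact.
    The digest identifies a published release but reveals none of its code."""
    return hashlib.sha256(data).hexdigest()


# Constructed knowledge base: digest of each published release -> (name, version).
# A real service derives this table from the public package registries.
KNOWN_RELEASES = {
    fingerprint(b"constructed bytes: acme-http-client 2.3.1"): ("acme-http-client", "2.3.1"),
    fingerprint(b"constructed bytes: acme-http-client 2.4.0"): ("acme-http-client", "2.4.0"),
    fingerprint(b"constructed bytes: acme-xml-parser 1.0.4"): ("acme-xml-parser", "1.0.4"),
    fingerprint(b"constructed bytes: acme-xml-parser 1.1.0"): ("acme-xml-parser", "1.1.0"),
    fingerprint(b"constructed bytes: acme-logging 5.2.0"): ("acme-logging", "5.2.0"),
}

# Newest published version per component (constructed).
LATEST_RELEASE = {"acme-http-client": "2.4.0", "acme-xml-parser": "1.1.0", "acme-logging": "5.2.0"}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # constructed identifier, deliberately not a real CVE
    component: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version, or None if no fix is published
    severity: str


# Constructed advisory feed; identifiers, ranges and severities are invented.
ADVISORIES = [
    Advisory("EXAMPLE-2014-001", "acme-http-client", "2.0.0", "2.4.0", "high"),
    Advisory("EXAMPLE-2014-002", "acme-xml-parser", "1.0.0", "1.1.0", "critical"),
    Advisory("EXAMPLE-2014-003", "acme-xml-parser", "0.9.0", "1.0.2", "medium"),
]


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only: '1.0.4' -> (1, 0, 4); '1.0' pads to (1, 0, 0)."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or version >= introduced with no fix)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def scan(artifacts: dict) -> list:
    """Identify each artifact by digest, then report matching advisories and
    whether a newer release exists. Unknown digests are flagged, not ignored:
    a rebuilt or locally patched jar will not match any published release."""
    findings = []
    for filename, data in artifacts.items():
        release = KNOWN_RELEASES.get(fingerprint(data))
        if release is None:
            findings.append({"file": filename, "component": None, "version": None,
                             "advisories": [], "update": None,
                             "note": "digest matches no published release; review manually"})
            continue
        name, version = release
        hits = [a for a in ADVISORIES if a.component == name and is_affected(version, a)]
        latest = LATEST_RELEASE.get(name)
        update = latest if latest and parse_version(latest) > parse_version(version) else None
        findings.append({"file": filename, "component": name, "version": version,
                         "advisories": sorted(a.advisory_id for a in hits),
                         "update": update, "note": None})
    return findings


def needs_attention(findings: list) -> list:
    """Files that carry an open advisory or could not be identified."""
    return [f["file"] for f in findings if f["advisories"] or f["component"] is None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_ARTIFACTS):
        print(finding)
```

Two points the slide text leaves implicit are visible here. First, version ranges matter: acme-xml-parser 1.0.4 is past the fix for the older advisory but still inside the range of the newer one, so the "is there a fix" question must be answered per advisory, not per library. Second, an artifact whose digest matches nothing must surface as a finding rather than pass silently, because a vendored or locally patched build is exactly the case where nobody is tracking the upstream fixes.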

Page 18

Summary and Value Proposition

• Open source is great, but its value can be marred by
  • Security and quality issues
  • License risks and compliance
  • Laborious management processes

• White Source
  • Fits seamlessly into your development lifecycle
  • Proactively alerts you on vulnerabilities as well as available fixes
  • Enforces compliance and organizational license policies
  • Automates all open source management processes

• Fastest, easiest, most cost-effective solution

Page 19

Thank You!

Rami [email protected]