Controlling open source security vulnerabilities


Controlling Open Source Security Vulnerabilities- Smart and Easy Management of Open Source Components

Published in: Technology, News & Politics

1. Controlling Open Source Security Vulnerabilities: Smart and Easy Management of Open Source Components. Rami Sass, CEO, White Source

2. Agenda and Logistics
   - About White Source
   - Security and quality issues with open source
   - White Source
   - Demo
   - Q&A
     - Please type questions in the control bar
     - Questions will be addressed at the end
     - Full answers will be sent by email

3. Open Source is Great but…
   - Almost all software projects use open source (85%)
   - But few are able to get the benefits without falling into the pitfalls:
     - Security and quality
     - License risks and compliance
     - Ineffective manual management

4. Enter White Source
   - Agile solution that fits into your development lifecycle and processes
   - Leaves you with the full benefits of open source:
     - Without the security issues
     - Without the compliance risks
     - Without burdening your developers
     - Without costing you a fortune

5. Security and Quality Issues with Open Source (section title)

6. FACT: Your product likely contains known security issues and other bugs
   - 70% of applications have security issues (State of Software Security Survey, Veracode)
   - Open source is also code, and is likely to contain the same percentage of security issues and other bugs
   - Hence, your product likely contains such issues
   - WORSE:
     - Open source communities are often quick to fix security issues and other bugs (5-8 fixes a year)
     - But if you are like many, you did not know of these issues and did not update (85%, White Source data)

7. White Source Security Study
   - Study of 3000 real software projects (from over 700 commercial organizations) in White Source databases
   - Shows that 23% of projects have security vulnerabilities
   - Only 1.3% of open source libraries with vulnerabilities were up-to-date
   - Missed updates are the number one cause of vulnerable software

8. Software Security Testing Practices
   - Software developers test their own code
   - But open source typically comprises 90% of the total code base
   - If your product contains a vulnerable open source library, your product is vulnerable

9. Discovering Vulnerabilities
   - Open source components are just as likely to have security issues as any code
   - Many users and the open source code make vulnerabilities more likely to be discovered
   - On-line open databases track known and new vulnerabilities
   - Known vulnerabilities are an invitation for hackers to attack
   - So what's the problem?

10. Vulnerabilities Database
    - Not everyone is aware of it
    - Difficult to search
    - Difficult to understand severity
    - No way to see all issues together
    - Entries do not refer directly to an open source project

11. Nobody Looks for Vulnerabilities
    - Very few developers continue to monitor the open source they used for vulnerabilities
    - They usually go on to the next project
    - They focus on their own code
    - Therefore:
      - You won't know when a vulnerability is discovered
      - You won't even know when a fix was released
      - And so, your product will likely continue to carry the vulnerable code for a long time

12. What Analysts are Saying
    - "As open source software becomes mainstream it requires the same level of security and reliability as proprietary software. Organizations must therefore implement processes and solutions to promptly identify and fix vulnerabilities in their open source software." Dan Yachin, Research Director at IDC Emerging Technologies group
    - "There is a clear disconnect between what is expected from development teams and what they can realistically do. They often lack the expertise and time to continually monitor open source libraries for security vulnerabilities and bugs." P. Cohen, EVP and Senior Analyst, STKI

13. White Source (section title)

14. White Source
    - Cloud-based service
    - Internal, always-updated knowledge base about open source projects (licenses, issues, risks, versions, etc.)
    - Feeds from your dev platforms
    - Seamlessly integrates with your dev processes
    - Automates open source management best practices
    - All the information you need, up to date, in a click
    - Watches your back and proactively alerts you
    - Easy to operate (very little work; no training needed)
    - Extremely affordable

15. Managing Security and Quality Issues
    White Source proactively manages each of your projects to address security issues and other bugs:
    - We know the exact open source content of each of your projects
    - We will proactively alert you whenever security vulnerabilities are reported for open source you actually use
    - We will proactively alert you when new releases are available that fix these and other issues

16. License Risks and Compliance
    Companies do not have an accurate picture of their open source usage, resulting in legal liability and potential compromise of IP:
    - Over 80% of companies have gaps between reported vs. actual open source consumed
    - A substantial driver of this gap is open source dependencies
    - Approval processes are difficult to enforce, and documentation is insufficient
    With White Source:
    - Automatically discover existing open source inventory
    - Automatically detect new open source when it is added
    - Automatically identify all licenses, down to the last dependency
    - Automate enforcement of policy and processes

17. How it's done
    - Wide range of OOTB (out-of-the-box) plugins for leading build tools
    - Plugins send signatures of libraries to the service
    - No code is ever exposed to White Source
    - Take developers out of the loop, save time, reduce errors
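Slides 15 and 17 describe the mechanism at a high level: a build plugin sends only signatures (digests) of the libraries a project uses, and the service matches those against its knowledge base to alert on vulnerable and out-of-date components. The following is an added illustration of that client/service split, not White Source's own code; the artifacts, digests, advisory ids and "latest" versions are all constructed placeholders.

```python
import hashlib


def fingerprint(data: bytes) -> str:
    """SHA-256 digest of an artifact: the only thing the plugin side ever sends."""
    return hashlib.sha256(data).hexdigest()


def build_payload(artifacts: dict) -> list:
    """Client (build plugin) side: reduce each artifact to filename + digest, no bytes."""
    return [{"file": name, "sha256": fingerprint(data)} for name, data in artifacts.items()]


def match_payload(payload: list, knowledge_base: dict) -> dict:
    """Service side: classify each digest as vulnerable, outdated, or unknown to the KB."""
    report = {"vulnerable": [], "outdated": [], "unknown": []}
    for item in payload:
        entry = knowledge_base.get(item["sha256"])
        if entry is None:
            # Unrecognised digest: cannot be cleared automatically, flag for review.
            report["unknown"].append(item["file"])
            continue
        if entry["advisories"]:
            report["vulnerable"].append((entry["name"], entry["version"], entry["advisories"]))
        if entry["version"] != entry["latest"]:
            report["outdated"].append((entry["name"], entry["version"], entry["latest"]))
    return report


# Constructed stand-ins for the jar/package files a build plugin would see.
BUILD_ARTIFACTS = {
    "commons-foo-1.2.jar": b"constructed contents of commons-foo 1.2",
    "libbar-3.0.1.jar": b"constructed contents of libbar 3.0.1",
    "mystery-0.9.jar": b"an artifact the knowledge base has never indexed",
}

# Constructed knowledge base keyed by digest. A real service indexes published
# releases independently; here the digests are derived from the samples above.
KNOWLEDGE_BASE = {
    fingerprint(BUILD_ARTIFACTS["commons-foo-1.2.jar"]): {
        "name": "commons-foo", "version": "1.2", "latest": "1.4",
        "advisories": ["PLACEHOLDER-ADVISORY-1"],
    },
    fingerprint(BUILD_ARTIFACTS["libbar-3.0.1.jar"]): {
        "name": "libbar", "version": "3.0.1", "latest": "3.0.1", "advisories": [],
    },
}

if __name__ == "__main__":
    print(match_payload(build_payload(BUILD_ARTIFACTS), KNOWLEDGE_BASE))
```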
18. Summary and Value Proposition
    - Open source is great, but its value can be marred by:
      - Security and quality issues
      - License risks and compliance
      - Laborious management processes
    - White Source:
      - Fits seamlessly into your development lifecycle
      - Proactively alerts you on vulnerabilities as well as available fixes
      - Enforces compliance and organizational license policies
      - Automates all open source management processes
    - Fastest, easiest, most cost-effective solution

19. Thank You! Rami Sass