WhiteSource, profile picture
Uploaded byWhiteSource
PDF, PPTX71 views

Tackling the Risks of Open Source Security: 5 Things You Need to Know

This document discusses open source security risks and provides recommendations. It contains 5 sections: 1. Open source risk is on the rise as open source code accounts for 60-80% of software and reported vulnerabilities are increasing. 2. Developers must change their mindset as open source vulnerabilities differ from proprietary vulnerabilities in detection, publicity and remediation. 3. Prioritizing security vulnerabilities is key as developers spend too much time on ineffective vulnerabilities. 4. Security responsibilities must be delegated between security, DevOps and developers to bridge gaps. 5. Shifting security left by empowering developers and integrating tools earlier can turn developers into advocates and detect issues cheaper.

Embed presentation

Download as PDF, PPTX
Tackling the Risks of Open Source Security 5 Things You Need to Know 1 Sharon Sharlin, Product Marketing Manager
2 5 Things To Know About Open Source Security 01 Open Source Risk Is On The Rise 03 Prioritize Security Vulnerabilities 02 It’s Time To Change Your Mindset 04 Delegate Security Responsibilities 05 Shift Left Is At Its Best With Open Source
3 01 Open Source Risk Is On The Rise
4 Are You Spending Enough In AppSec? The Level of Risk (# of Breaches Multiplied By Severeness) The Level of Annual Spending (Investment) in IT Security Gaps in Security Risks and the Allocation of Spending Source: Ponemon Institute: The Increasing Risk to Enterprise Applications
Open Source Components Account For 60%-80% Of The Average Software Product 5%-10% 1998 30%-50% 2008 60%-80% 2018 Proprietary Code Open Source Code Source: North Bridge Future Of Open Source Survey Open Source Code Proprietary Code
96.8% of developers rely on open source components Frequency of Use of Open Source Components
The Number of Reported Vulnerabilities is Rising
8 02 It’s Time To Change Your Mindset
Potential vulnerability detected (SAST & DAST) No public information Need to research to find a fix During development Detection Publicity Remediation Scan Phase Known vulnerability All information is publicly available Actionable remediation(s) are available Continuous monitoring (incl. post release) PROPRIETARY VULNERABILITIES OPEN SOURCE VULNERABILITIES Open Source Security is a Different Game It’s time to change your mindset
10 03 Prioritize Security Vulnerabilities
DEVELOPERS ARE NOT EFFICIENTLY MANAGING OPEN SOURCE VULNERABILITIES How much time is spent? hours/month None 1 - 10 hours 11 - 20 hours 21 - 35 hours 36 - 60 hours Over 60 hours 15 spent on average by every developer on security vulnerabilities Developers Are Investing Too Much Time On Vulnerabilities Assessment and Remediation 3.8 hours/month spent on security vulnerabilities remediation
EFFECTIVE VULNERABILITY INEFFECTIVE VULNERABILITY Vulnerability Effectiveness: a novel approach to prioritization Prioritization Is Key To Save Wasted Time On Vulnerabilities Management
13 After testing 2,000 Java applications, WhiteSource found that 85% of all detected vulnerabilities were deemed ineffective.
14 04 Delegate Security Responsibilities
15 Bridging the Gap is a Must Security DevOps Developers
16 05 Shift Left Is At Its Best With Open Source.
17 Turn Developers Into Security Advocates Empower developers with more flexible selection and approval processes Project Planning Requirements Definition Design Development Integration & Test Installation & Acceptance
18 Organizations of all sizes are shifting their operational security to software development teams Who owns security in your organization, by company size?
19 The impact of developers taking over security is: Integrating security tools earlier in the SDLC of developers are taking action towards application testing on build stage or before. 66% In what stage of the SDLC do you spend most of your time implementing security measures?
20 The cost of fixing security and quality issues is rising significantly, as the development cycle advances. Coding $80/Defect Build $240/Defect QA & Security $960/Defect Production $7,600/Defect Detect Issues As Early As Possible
21 Detect Issues As Early As Possible - Shift Left The cost of fixing security and quality issues is rising significantly, as the development cycle advances.
22 Analyze and prioritize open source security vulnerability remediation Streamline policies with better integration options Shift-left security processes to establish better practices
Thank You! 23

More Related Content

PDF
The State of Open Source Vulnerabilities Management
byWhiteSource
 
PDF
Taking Open Source Security to the Next Level
byWhiteSource
 
PDF
Open Source Security at Scale- The DevOps Challenge 
byWhiteSource
 
PDF
Empowering Financial Institutions to Use Open Source With Confidence
byWhiteSource
 
PPTX
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
byWhiteSource
 
PDF
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
byWhiteSource
 
PDF
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
byDevOps.com
 
PDF
Open Source Security: How to Lay the Groundwork for a Secure Culture
byWhiteSource
 
The State of Open Source Vulnerabilities Management
byWhiteSource
 
Taking Open Source Security to the Next Level
byWhiteSource
 
Open Source Security at Scale- The DevOps Challenge 
byWhiteSource
 
Empowering Financial Institutions to Use Open Source With Confidence
byWhiteSource
 
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
byWhiteSource
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
byWhiteSource
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
byDevOps.com
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
byWhiteSource
 

What's hot

PDF
Winning open source vulnerabilities without loosing your deveopers - Azure De...
byWhiteSource
 
PPTX
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
byWhiteSource
 
PDF
Tackling the Container Iceberg:How to approach security when most of your sof...
byWhiteSource
 
PDF
The Challenges of Scaling DevSecOps
byWhiteSource
 
PDF
5 things about os sharon webinar final
byDevOps.com
 
PPTX
The State of Open Source Vulnerabilities - A WhiteSource Webinar
byWhiteSource
 
PDF
Security & DevOps - What We Have Here Is a Failure to Communicate!
byDevOps.com
 
PDF
Pentest as a Service Impact 2020
byDevOps.com
 
PDF
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
byWhiteSource
 
PPTX
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
byDevOps.com
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
PPTX
DevSecOps outline
byNickleus Jimenez
 
PPTX
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
byWhiteSource
 
PPTX
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PPTX
DevSecOps
byJoel Divekar
 
PDF
PIACERE - DevSecOps Automated
byPIACERE
 
PDF
Demystifying DevSecOps
byArchana Joshi
 
PDF
The State of Open Source Vulnerabilities Management
bySBWebinars
 
PPTX
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
PPTX
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
byDevOps Indonesia
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
byWhiteSource
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
byWhiteSource
 
Tackling the Container Iceberg:How to approach security when most of your sof...
byWhiteSource
 
The Challenges of Scaling DevSecOps
byWhiteSource
 
5 things about os sharon webinar final
byDevOps.com
 
The State of Open Source Vulnerabilities - A WhiteSource Webinar
byWhiteSource
 
Security & DevOps - What We Have Here Is a Failure to Communicate!
byDevOps.com
 
Pentest as a Service Impact 2020
byDevOps.com
 
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
byWhiteSource
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
byDevOps.com
 
SCS DevSecOps Seminar - State of DevSecOps
byStefan Streichsbier
 
DevSecOps outline
byNickleus Jimenez
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
byWhiteSource
 
Benefits of DevSecOps
byFinto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps
byJoel Divekar
 
PIACERE - DevSecOps Automated
byPIACERE
 
Demystifying DevSecOps
byArchana Joshi
 
The State of Open Source Vulnerabilities Management
bySBWebinars
 
DEVSECOPS: Coding DevSecOps journey
byJason Suttie
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
byDevOps Indonesia
 

Similar to Tackling the Risks of Open Source Security: 5 Things You Need to Know

PDF
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
byFINOS
 
PPTX
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
byWhiteSource
 
PDF
Open Source Security for Newbies - Best Practices
byBlack Duck by Synopsys
 
PPTX
Security in the Age of Open Source
byBlack Duck by Synopsys
 
PPTX
Black Duck & IBM Present: Application Security in the Age of Open Source
byBlack Duck by Synopsys
 
PPTX
Welcome & The State of Open Source Security
byJerika Phelps
 
PPTX
Managing Open Source in Application Security and Software Development Lifecycle
byBlack Duck by Synopsys
 
PDF
Open Source Security: How to Lay the Groundwork for a Secure Culture
byDevOps.com
 
PDF
OWF14 - Plenary Session : David Jones, Chief Solutions Architect, Sonatype
byParis Open Source Summit
 
PPTX
A question of trust - understanding Open Source risks
byTim Mackey
 
PPTX
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
PDF
Sonatype's 2013 OSS Software Survey
bySonatype
 
PDF
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
bySonatype
 
PDF
Myths and Misperceptions of Open Source Security
byBlack Duck by Synopsys
 
PPTX
Open Source 360 Survey Results
byTim Mackey
 
PPTX
September 13, 2016: Security in the Age of Open Source:
byBlack Duck by Synopsys
 
PPTX
Security in the age of open source - Myths and misperceptions
byTim Mackey
 
PPTX
Open Source Insight: CVE-2017-2636 Vuln of the Week & UK National Cyber Secur...
byBlack Duck by Synopsys
 
PDF
Webinar–2019 Open Source Risk Analysis Report
bySynopsys Software Integrity Group
 
PPTX
Shifting the conversation from active interception to proactive neutralization
byRogue Wave Software
 
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
byFINOS
 
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
byWhiteSource
 
Open Source Security for Newbies - Best Practices
byBlack Duck by Synopsys
 
Security in the Age of Open Source
byBlack Duck by Synopsys
 
Black Duck & IBM Present: Application Security in the Age of Open Source
byBlack Duck by Synopsys
 
Welcome & The State of Open Source Security
byJerika Phelps
 
Managing Open Source in Application Security and Software Development Lifecycle
byBlack Duck by Synopsys
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
byDevOps.com
 
OWF14 - Plenary Session : David Jones, Chief Solutions Architect, Sonatype
byParis Open Source Summit
 
A question of trust - understanding Open Source risks
byTim Mackey
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
byDevSecCon
 
Sonatype's 2013 OSS Software Survey
bySonatype
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
bySonatype
 
Myths and Misperceptions of Open Source Security
byBlack Duck by Synopsys
 
Open Source 360 Survey Results
byTim Mackey
 
September 13, 2016: Security in the Age of Open Source:
byBlack Duck by Synopsys
 
Security in the age of open source - Myths and misperceptions
byTim Mackey
 
Open Source Insight: CVE-2017-2636 Vuln of the Week & UK National Cyber Secur...
byBlack Duck by Synopsys
 
Webinar–2019 Open Source Risk Analysis Report
bySynopsys Software Integrity Group
 
Shifting the conversation from active interception to proactive neutralization
byRogue Wave Software
 

More from WhiteSource

PDF
Securing Container-Based Applications at the Speed of DevOps
byWhiteSource
 
PDF
Deep Dive into Container Security
byWhiteSource
 
PDF
Fire alarms vs. Fire hoses: Keeping up with Dependencies
byWhiteSource
 
PDF
DevSecOps: Closing the Loop from Detection to Remediation
byWhiteSource
 
PDF
Barriers to Container Security and How to Overcome Them
byWhiteSource
 
PDF
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
byWhiteSource
 
PDF
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
byWhiteSource
 
PPTX
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
byWhiteSource
 
PPTX
Automating Open Source Security: A SANS Review of WhiteSource
byWhiteSource
 
PDF
Top Open Source Licenses Explained
byWhiteSource
 
PPTX
WhiteSource Webinar What's New With WhiteSource in December 2018
byWhiteSource
 
PDF
Find Out What's New With WhiteSource September 2018- A WhiteSource Webinar
byWhiteSource
 
PPTX
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
byWhiteSource
 
PPTX
Strategies for Improving Enterprise Application Security - a WhiteSource Webinar
byWhiteSource
 
PPTX
How temenos manages open source use, the easy way combined
byWhiteSource
 
Securing Container-Based Applications at the Speed of DevOps
byWhiteSource
 
Deep Dive into Container Security
byWhiteSource
 
Fire alarms vs. Fire hoses: Keeping up with Dependencies
byWhiteSource
 
DevSecOps: Closing the Loop from Detection to Remediation
byWhiteSource
 
Barriers to Container Security and How to Overcome Them
byWhiteSource
 
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
byWhiteSource
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
byWhiteSource
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
byWhiteSource
 
Automating Open Source Security: A SANS Review of WhiteSource
byWhiteSource
 
Top Open Source Licenses Explained
byWhiteSource
 
WhiteSource Webinar What's New With WhiteSource in December 2018
byWhiteSource
 
Find Out What's New With WhiteSource September 2018- A WhiteSource Webinar
byWhiteSource
 
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
byWhiteSource
 
Strategies for Improving Enterprise Application Security - a WhiteSource Webinar
byWhiteSource
 
How temenos manages open source use, the easy way combined
byWhiteSource
 

Recently uploaded

PDF
DSD-INT 2025 Modelling Non-Newtonian Slurry Beaching with Delft3D-Slurry - Bi
byDeltares
 
PDF
DSD-INT 2025 Building-Aware Flood and Lifeline Scour Modeling with Delft3D FM...
byDeltares
 
PDF
How Device, OS, and Network Variability Affects App Experience - And How to T...
bykalichargn70th171
 
PDF
DSD-INT 2025 Climate and impact attribution of compound flooding induced by t...
byDeltares
 
PPTX
Building AI agents in Java - Devoxx Belgium 2025
byJulien Dubois
 
PPTX
Building a RAG System for Customer Support - L1
byBogdan Mustata
 
PDF
DSD-INT 2025 MeshKernel and D-Grid Editor - Stout
byDeltares
 
PPTX
Zotero Software Demonstration. Biomedical Perspective
byDr Snehashis Singha
 
PDF
DSD-INT 2025 3D-modelling of salt intrusion into Germany’s busiest waterway -...
byDeltares
 
PPTX
Boost Productivity the Smart Way with AI Automation Solutions
byEllocent Labs
 
PDF
DSD-INT 2025 Next-Generation Flood Inundation Mapping for Taiwan - Challenges...
byDeltares
 
PDF
Custom Software Development Presentation.pdf
byssuser9c7131
 
PDF
Smarter Testing Safer Systems Balancing AI and Oversight in Regulated Environ...
byApplitools
 
PDF
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
PDF
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
PDF
SCORM Cloud: The 5 categories of content distribution
byRustici Software
 
PDF
DSD-INT 2025 Quantifying Flood Mitigation Strategies Under Sea Level Rise - H...
byDeltares
 
PDF
DSD-INT 2025 Validation of SFINCS on Historical River Floods at the Global Sc...
byDeltares
 
PPTX
operating sys about shells and terminals commands .pptx
byYazeedAbdullah6
 
PDF
Presentation Empowerment Technology in ICT
byoryoseiii
 
DSD-INT 2025 Modelling Non-Newtonian Slurry Beaching with Delft3D-Slurry - Bi
byDeltares
 
DSD-INT 2025 Building-Aware Flood and Lifeline Scour Modeling with Delft3D FM...
byDeltares
 
How Device, OS, and Network Variability Affects App Experience - And How to T...
bykalichargn70th171
 
DSD-INT 2025 Climate and impact attribution of compound flooding induced by t...
byDeltares
 
Building AI agents in Java - Devoxx Belgium 2025
byJulien Dubois
 
Building a RAG System for Customer Support - L1
byBogdan Mustata
 
DSD-INT 2025 MeshKernel and D-Grid Editor - Stout
byDeltares
 
Zotero Software Demonstration. Biomedical Perspective
byDr Snehashis Singha
 
DSD-INT 2025 3D-modelling of salt intrusion into Germany’s busiest waterway -...
byDeltares
 
Boost Productivity the Smart Way with AI Automation Solutions
byEllocent Labs
 
DSD-INT 2025 Next-Generation Flood Inundation Mapping for Taiwan - Challenges...
byDeltares
 
Custom Software Development Presentation.pdf
byssuser9c7131
 
Smarter Testing Safer Systems Balancing AI and Oversight in Regulated Environ...
byApplitools
 
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
SCORM Cloud: The 5 categories of content distribution
byRustici Software
 
DSD-INT 2025 Quantifying Flood Mitigation Strategies Under Sea Level Rise - H...
byDeltares
 
DSD-INT 2025 Validation of SFINCS on Historical River Floods at the Global Sc...
byDeltares
 
operating sys about shells and terminals commands .pptx
byYazeedAbdullah6
 
Presentation Empowerment Technology in ICT
byoryoseiii
 

Tackling the Risks of Open Source Security: 5 Things You Need to Know

  • 1.
    Tackling the Risksof Open Source Security 5 Things You Need to Know 1 Sharon Sharlin, Product Marketing Manager
  • 2.
    2 5 Things ToKnow About Open Source Security 01 Open Source Risk Is On The Rise 03 Prioritize Security Vulnerabilities 02 It’s Time To Change Your Mindset 04 Delegate Security Responsibilities 05 Shift Left Is At Its Best With Open Source
  • 3.
  • 4.
    4 Are You SpendingEnough In AppSec? The Level of Risk (# of Breaches Multiplied By Severeness) The Level of Annual Spending (Investment) in IT Security Gaps in Security Risks and the Allocation of Spending Source: Ponemon Institute: The Increasing Risk to Enterprise Applications
  • 5.
    Open Source ComponentsAccount For 60%-80% Of The Average Software Product 5%-10% 1998 30%-50% 2008 60%-80% 2018 Proprietary Code Open Source Code Source: North Bridge Future Of Open Source Survey Open Source Code Proprietary Code
  • 6.
    96.8% of developers relyon open source components Frequency of Use of Open Source Components
  • 7.
    The Number ofReported Vulnerabilities is Rising
  • 8.
    8 02 It’s Time ToChange Your Mindset
  • 9.
    Potential vulnerability detected (SAST& DAST) No public information Need to research to find a fix During development Detection Publicity Remediation Scan Phase Known vulnerability All information is publicly available Actionable remediation(s) are available Continuous monitoring (incl. post release) PROPRIETARY VULNERABILITIES OPEN SOURCE VULNERABILITIES Open Source Security is a Different Game It’s time to change your mindset
  • 10.
  • 11.
    DEVELOPERS ARE NOTEFFICIENTLY MANAGING OPEN SOURCE VULNERABILITIES How much time is spent? hours/month None 1 - 10 hours 11 - 20 hours 21 - 35 hours 36 - 60 hours Over 60 hours 15 spent on average by every developer on security vulnerabilities Developers Are Investing Too Much Time On Vulnerabilities Assessment and Remediation 3.8 hours/month spent on security vulnerabilities remediation
  • 12.
    EFFECTIVE VULNERABILITY INEFFECTIVE VULNERABILITY Vulnerability Effectiveness: anovel approach to prioritization Prioritization Is Key To Save Wasted Time On Vulnerabilities Management
  • 13.
    13 After testing 2,000Java applications, WhiteSource found that 85% of all detected vulnerabilities were deemed ineffective.
  • 14.
  • 15.
    15 Bridging the Gapis a Must Security DevOps Developers
  • 16.
    16 05 Shift Left IsAt Its Best With Open Source.
  • 17.
    17 Turn Developers IntoSecurity Advocates Empower developers with more flexible selection and approval processes Project Planning Requirements Definition Design Development Integration & Test Installation & Acceptance
  • 18.
    18 Organizations of allsizes are shifting their operational security to software development teams Who owns security in your organization, by company size?
  • 19.
    19 The impact ofdevelopers taking over security is: Integrating security tools earlier in the SDLC of developers are taking action towards application testing on build stage or before. 66% In what stage of the SDLC do you spend most of your time implementing security measures?
  • 20.
    20 The cost offixing security and quality issues is rising significantly, as the development cycle advances. Coding $80/Defect Build $240/Defect QA & Security $960/Defect Production $7,600/Defect Detect Issues As Early As Possible
  • 21.
    21 Detect Issues AsEarly As Possible - Shift Left The cost of fixing security and quality issues is rising significantly, as the development cycle advances.
  • 22.
    22 Analyze and prioritize opensource security vulnerability remediation Streamline policies with better integration options Shift-left security processes to establish better practices
  • 23.