The State of Open Source Vulnerabilities - A WhiteSource Webinar | WhiteSource
Open source components have become a key building block for application development in today’s market where companies are under constant pressure to deploy products as fast as possible. The recent increase in open source usage, however, has introduced many new security challenges.
In this webinar, learn how open source security vulnerabilities are found, how to address open source security concerns within your organization, and what the difference is between securing your open source components and securing your proprietary code.
The State of Open Source Vulnerabilities Management | WhiteSource
The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018.
Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives without compromising on speed and quality.
It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses:
- the current state of open source vulnerabilities management;
- organizations' struggle to handle open source vulnerabilities; and
- the key strategy for effective vulnerability management.
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ... | WhiteSource
The best approaches and practices that security teams should implement in order to enable their developers to harness the power of open source without slowing them down or compromising on security.
Winning open source vulnerabilities without losing your developers - Azure De... | WhiteSource
Tsaela Pinto, Director of Knowledge R&D at WhiteSource, spoke at the Azure DevOps meetup in Tel Aviv about how developers should take part in maintaining open source security.
The DevOps Challenge: Open Source Security Throughout the DevOps Pipeline - A W... | WhiteSource
This document discusses open source security challenges and recommendations for addressing them. It notes that over 96% of developers rely on open source components, but open source vulnerabilities are rising. While companies prioritize fixes, over half do not prioritize them based on real business impact. The document recommends integrating vulnerability scanning into the entire software development lifecycle, from code to deployment. Automating scanning, prioritization of issues, and remediation helps ensure open source security.
Supply Chain Solutions for Modern Software Development | Sonatype
The concepts of supply chain management, the industrial revolution and the transformation of software development with open source are all tied together in this talk by Brian Fox, VP of Product Management, during the January 2015 Long Island OWASP user group meetup.
Open Source Security at Scale - The DevOps Challenge | WhiteSource
It’s no secret that open source components form the backbone of today’s software, comprising 60-80% of the code in modern applications. But with this comes an alarming rise in open source vulnerabilities: more than 3,500 open source vulnerabilities were reported in 2017, 60% higher than the previous year, and the trend continued in 2018.
The question arises: how can DevOps teams ensure a visible and continuous delivery pipeline for software releases without letting security slow them down?
Join WhiteSource’s Product Manager, Shiri Ivtsan, as she discusses:
- The current state of open source vulnerabilities management;
- The latest innovations in the open source security world; and
- The best DevOps tools to protect organizations against open source vulnerabilities and ensure agility, visibility and control regarding their open source.
The State of Open Source Vulnerabilities Management | SBWebinars
The number of open source vulnerabilities hit an all-time record in 2017 with 3,500 reported vulnerabilities - that's 60% higher than the previous year, and the trend continues in 2018.
Since it’s impossible to keep up with today’s pace of software production without open source, development and security teams are challenged to meet security objectives without compromising on speed and quality.
It's time for organizations to step up their open source security game. Join WhiteSource's Senior Director of Product Management, Rami Elron, as he discusses:
- the current state of open source vulnerabilities management;
- organizations' struggle to handle open source vulnerabilities; and
- the key strategy for effective vulnerability management.
Black Duck Software provides products that help organizations automate securing and managing open source software to eliminate security vulnerabilities, license compliance issues, and operational risks. Black Duck is headquartered in Burlington, MA and has offices worldwide. Their products help secure applications from cyberattacks by managing open source vulnerabilities, which are a major risk for applications and can lead to costly security breaches if unaddressed.
Tackling the Risks of Open Source Security: 5 Things You Need to Know | WhiteSource
This document discusses open source security risks and provides recommendations. It contains 5 sections:
1. Open source risk is on the rise as open source code accounts for 60-80% of software and reported vulnerabilities are increasing.
2. Developers must change their mindset as open source vulnerabilities differ from proprietary vulnerabilities in detection, publicity and remediation.
3. Prioritizing security vulnerabilities is key, as developers spend too much time on ineffective vulnerabilities (vulnerable components whose affected code the application never actually calls).
4. Security responsibilities must be delegated between security, DevOps and developers to bridge gaps.
5. Shifting security left, by empowering developers and integrating tools earlier, can turn developers into advocates and catches issues when they are cheaper to fix.
Taking Open Source Security to the Next Level | WhiteSource
Join us for a webinar featuring Forrester VP and Research Director Amy DeMartine to learn more about why open source security has become critical for securing modern applications, the main considerations when evaluating an open source security and license compliance solution and what she sees in store for the future.
Additionally, WhiteSource Senior Director of Product Marketing, Jeff Crum, will discuss recent analysis of the Software Composition Analysis (SCA) market, including takeaways from The Forrester Wave™: Software Composition Analysis, Q2 2019.
This document discusses regulatory requirements for vulnerability assessments and the challenges of managing open source software vulnerabilities. It notes that regulatory requirements from standards like PCI-DSS require vulnerability monitoring and patching, but traditional vulnerability assessment tools do not provide visibility into custom code or track vulnerabilities over time in open source components. The document argues that organizations need software bills of materials and proactive vulnerability management programs that can map vulnerabilities to applications to effectively manage risks from open source.
Taking Open Source Security to the Next Level | SBWebinars
Join us for a webinar featuring Forrester VP and Research Director Amy DeMartine to learn more about why open source security has become critical for securing modern applications, the main considerations when evaluating an open source security and license compliance solution and what she sees in store for the future.
Additionally, WhiteSource Senior Director of Product Marketing, Jeff Crum, will discuss recent analysis of the Software Composition Analysis (SCA) market, including takeaways from The Forrester Wave™: Software Composition Analysis, Q2 2019.
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat... | Jerika Phelps
Learn how fast-growing authentication and mobile security solutions provider Entersekt leverages Black Duck Hub for competitive advantage by automating open source security risk management throughout the Software Development Lifecycle (SDLC).
An information security survey was conducted among the top 100 companies in Russia in 2014. It found that all companies experienced information security incidents in 2013, with 58% of incidents affecting the availability of internal infrastructure. The most common threats were vulnerabilities that allowed the network perimeter to be breached in two steps; 82% of attacks succeeded even with low attacker skill. Unpatched software left 57% of systems exposed to critical vulnerabilities, and some updates had remained uninstalled for as long as 9 years.
Accelerating Innovation with Software Supply Chain Management | Sonatype
We are going to compare building cars with building software, and what we will realize is that the car industry is leaps ahead of the software industry in managing its supply chain. The question is: what can we learn from them? We will explore whether closely managing our supply chain has a benefit in the software industry.
Find Out What's New With WhiteSource September 2018 - A WhiteSource Webinar | WhiteSource
The document summarizes a product update webinar held by David Habusha in September 2018. Key points include:
- The release of a new Effective Usage Analysis technology to help identify vulnerabilities that pose an actual risk.
- Support for additional platforms and package managers in the Unified Agent, as well as new build/CI tools.
- Enhancements to the Fortify SSC integration including synchronized alerts.
- Various workflow enhancements like user access control and conditional failing of builds.
- Faster navigation features and a new customer community portal.
- An outlook on additional features coming in Q4 2018 like enhanced GitHub integration and release reports.
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks in containers and traditional environments
- Best practices for designing and incorporating an automated approach to application security into your existing development environment
- Future development and application security challenges organizations will face and what they can do to prepare
Welcome & The State of Open Source Security | Jerika Phelps
This document summarizes information from a conference on open source software. It discusses trends showing that open source adoption continues to increase rapidly and is now essential to most development strategies. However, open source security and management practices have not kept pace. Many organizations do not have formal policies or processes to track, inventory, or remediate known open source vulnerabilities. Common vulnerabilities in widely used open source components continue to be exploited years later. The document outlines challenges but also the value that open source brings through reduced costs, accelerated innovation, and time to market. It concludes by emphasizing the need for sustained efforts to promote more secure use of open source.
Find Out What's New With WhiteSource May 2018 - A WhiteSource Webinar | WhiteSource
In our latest webinar, we presented our latest product updates here at WhiteSource. We unveiled our new, revolutionary technology and highlighted other recent releases and enhancements.
Stalled at the intersection of DevOps and security v2 | matthewabq
The majority of enterprises are very concerned about the security of the software they are developing, but how can they secure their software without slowing down their velocity, or, put another way, how can they move past being stalled at the intersection of DevOps and security? With this in mind, we explore the qualities of a security scanning tool that is "plug-and-play" with a modern DevOps shop.
Over 6,000 new open source vulnerabilities have been discovered since 2014. In Q1 2016, 960 new vulnerabilities were found, a 20% increase over Q1 2015. Common vulnerability types include buffer errors and input validation issues. Notable vulnerabilities included issues in glibc and OpenSSL (DROWN). It can be difficult for companies to manage open source security due to a lack of centralized responsibility and patching. A software bill of materials that tracks components and vulnerabilities is recommended to address this problem.
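Several listings on this page describe the same pipeline without showing it: a software bill of materials mapped to an application's vulnerabilities (the regulatory-requirements summary above and the SBOM recommendation in this one), prioritization by real business impact and "effective" usage, and conditional failing of builds. The following is an added example written for this page; it is not code from any of the webinars or vendors listed here. It matches a constructed CycloneDX-style SBOM against a constructed OSV-style feed using introduced/fixed version ranges, marks a finding effective when a hypothetical call-graph analysis reports the package as reachable, orders effective and severe findings first, and fails the build only on effective findings at or above HIGH. The package names are real, but the EX-* vulnerability identifiers, the version ranges, and the reachable set are invented for the example, and the version comparison handles dotted numeric versions only.

```python
"""Added example (not from any webinar or vendor listed on this page):
match an SBOM against a vulnerability feed, rank the hits by effective
usage and severity, and decide whether the build should fail.
All data is constructed; the SBOM is CycloneDX-like, the feed OSV-like."""
import json
import re
from dataclasses import dataclass

# Constructed SBOM. purl = package URL: pkg:<ecosystem>/<name>@<version>
SBOM_JSON = """{"components": [
  {"name": "lodash", "version": "4.17.15", "purl": "pkg:npm/lodash@4.17.15"},
  {"name": "jackson-databind", "version": "2.9.10.4",
   "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10.4"},
  {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}
]}"""

# Constructed feed. The EX-* identifiers and version ranges are hypothetical.
FEED_JSON = """[
  {"id": "EX-2020-0001", "package": "lodash", "ecosystem": "npm",
   "introduced": "0", "fixed": "4.17.19", "severity": "HIGH"},
  {"id": "EX-2020-0002", "package": "jackson-databind", "ecosystem": "maven",
   "introduced": "2.9.0", "fixed": "2.9.10.5", "severity": "CRITICAL"},
  {"id": "EX-2019-0003", "package": "requests", "ecosystem": "pypi",
   "introduced": "0", "fixed": "2.20.0", "severity": "MEDIUM"}
]"""

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class Finding:
    vuln_id: str
    package: str
    version: str
    severity: str
    effective: bool  # True when the vulnerable package is reachable from app code


def parse_version(v: str) -> tuple:
    """Dotted numeric versions only ("2.9.10.4"). A non-numeric segment sorts
    below zero, so "1.0-rc1" < "1.0". Real SCA tools need per-ecosystem rules."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def _key(v: str, width: int) -> tuple:
    t = parse_version(v)
    return t + (0,) * (width - len(t))  # pad so that 4.17 compares equal to 4.17.0


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """OSV range semantics: affected when introduced <= version < fixed."""
    w = max(len(parse_version(x)) for x in (version, introduced, fixed))
    return _key(introduced, w) <= _key(version, w) < _key(fixed, w)


def ecosystem_of(purl: str) -> str:
    """pkg:maven/group/artifact@1.0 -> "maven"."""
    body = purl[4:] if purl.startswith("pkg:") else purl
    return body.split("/", 1)[0]


def match_sbom(sbom: dict, feed: list) -> list:
    """Map feed records onto SBOM components by ecosystem, name and version range."""
    hits = []
    for comp in sbom["components"]:
        eco = ecosystem_of(comp["purl"])
        for rec in feed:
            if (rec["ecosystem"] == eco and rec["package"] == comp["name"]
                    and is_affected(comp["version"], rec["introduced"], rec["fixed"])):
                hits.append(Finding(rec["id"], comp["name"], comp["version"],
                                    rec["severity"], effective=False))
    return hits


def prioritize(findings: list, reachable: frozenset) -> list:
    """Mark a finding effective when its package is reachable, then order
    effective findings first and the most severe first within each group."""
    for f in findings:
        f.effective = f.package in reachable
    return sorted(findings, reverse=True,
                  key=lambda f: (f.effective, SEVERITY_RANK[f.severity]))


def should_fail_build(findings: list, min_severity: str = "HIGH") -> bool:
    """Conditional build failure: only effective findings at or above the floor block."""
    floor = SEVERITY_RANK[min_severity]
    return any(f.effective and SEVERITY_RANK[f.severity] >= floor for f in findings)


def run_example(reachable: frozenset = frozenset({"jackson-databind"})):
    """reachable: constructed result of a hypothetical call-graph analysis."""
    findings = prioritize(match_sbom(json.loads(SBOM_JSON), json.loads(FEED_JSON)),
                          reachable)
    return findings, should_fail_build(findings)


if __name__ == "__main__":
    result, fail = run_example()
    for f in result:
        print(f"{f.vuln_id} {f.package}@{f.version} {f.severity} effective={f.effective}")
    raise SystemExit(1 if fail else 0)
```

Treating an unreachable finding as non-blocking is a policy choice, not a guarantee: reachability analysis misses dynamic calls and reflection, so the lodash finding here still appears in the report and should be scheduled for an upgrade rather than dropped, and the exit code is what a CI job would use to gate the build.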
The document outlines seven habits that DevOps teams can adopt to increase application security. The habits are: 1) Increase trust and transparency between development, security, and operations teams. 2) Understand the probability and impact of specific security risks. 3) Discard detailed security roadmaps in favor of incremental improvements. 4) Use continuous delivery pipelines to incrementally improve security practices. 5) Standardize and continuously update third-party software. 6) Govern with automated audit trails. 7) Test security preparedness through "security games". Adopting these habits helps integrate security across the development lifecycle to reduce vulnerability discovery and remediation time.
In this webinar we will explore the findings from the recent PtaaS Impact Report: 2020, which aims to unravel the benefits and challenges of deploying a SaaS-based pentesting model in a modern software development environment.
Join us as Cobalt Chief Strategy Officer Caroline Wong, Cobalt.io customer Ryan Stinson and experienced technology executive Dr. Chenxi Wang discuss how DevOps is changing the adoption of application security measures and how a PtaaS solution adapts to meet this change.
This webinar will cover:
- The impact of DevOps on application security
- Why SaaS-driven companies are expanding pentesting scopes and frequency
- How PtaaS adapts to meet the speed of DevOps
In the movie, RoboCop is given three primary directives: "Serve the public trust, Protect the innocent, and Uphold the law". We built our own RoboCop in order to bring law and order to our CI/CD pipeline. DevOps practices are all about enabling fast and frequent delivery of new software. In order to keep pace in a DevOps culture, application security must be reliably integrated into the CI/CD pipeline.
2015 saw continued growth for open source software across many dimensions, a trend expected to continue in this coming year and a range of interesting developments that we reviewed in the last webinar.
In this webinar, the panelists will discuss:
- Open source and application security
- Community-centered compliance as reflected in OpenChain and SPDX
- The explosion of company involvement in collaborative projects
- The direction of the VMware case and other topics we anticipate being hot this year
Register now to join Black Duck, Mark Radcliffe and Karen Copenhaver to discuss the hot topics generating buzz in the year to come.
Shifting the conversation from active interception to proactive neutralization | Rogue Wave Software
When did we forget that old saying, “prevention is the best medicine”, when it comes to cybersecurity? The current focus on mitigating real-time attacks and creating stronger defensive networks has overshadowed the many ways to prevent attacks right at the source – where security management has the biggest impact. Source code is where it all begins and where attack mitigation is the most effective.
In this webinar we’ll discuss methods of proactive threat assessment and mitigation that organizations use to advance cybersecurity goals today. From using static analysis to detect vulnerabilities as early as possible, to managing supply chain security through standards compliance, to scanning for and understanding potential risks in open source, these methods shift attack mitigation efforts left to simplify fixes and enable more cost-effective solutions.
Webinar recording: http://www.roguewave.com/events/on-demand-webinars/shifting-the-conversation-from-active-interception
Some of the most famous information breaches over the past few years have been a result of entry through embedded and IoT system environments. Often these breaches are a result of unexpected system architecture and service connectivity on the network that allows the hacker to enter through an embedded device and make their way to the financial or corporate servers. Experts in embedded security discuss key security issues for embedded systems and how to address them.
Thanks to the cloud and open source tools, DevOps teams have access to unprecedented infrastructure and scale. But that also means they can be approached by some of the most nefarious actors on the Internet, as they risk the security of their business with every application deployment. Perimeter-class security is no longer viable in such a distributed environment, so now companies need to adapt to more micro-level security. This merging of DevOps and security operations – a concept called DevSecOps – is one of the most important new developments in security and IT deployment. In this session, our expert will discuss how teams are now collaborating as peers to achieve optimal security.
You Can’t Live Without Open Source - Results from the Open Source 360 SurveyBlack Duck by Synopsys
Today, open source drives technology and development, and its worldwide adoption ranges from companies with a single employee to large corporations like Microsoft and Apple. All of these organizations rely on open source to innovate, reduce development costs, and speed time to market. Recent research reports point out that open source comprises 80% to 90% of the code in a typical application. Our Open Source 360° survey provides an update on the rapid evolution of open source development, use and management.
The 2017 Open Source 360° survey was conducted through Black Duck’s Center for Open Source Research & Innovation (COSRI), focusing on four important areas of open source – usage, risk, contributions and governance/policies. Our respondents include input from new players, established leaders, and influencers across vertical markets and communities. This range of respondents drives broad industry awareness and discussions of these key issues.
Open source software is widely used but faces security challenges as vulnerabilities have been found in widely used open source components. While most companies do not currently monitor open source code for security issues, the open source community is adapting to improve security. New approaches for security processes and tools are emerging and will provide increased choices for addressing open source security over time.
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
Presented August 11, 2016 by Michael Right, Senior Product Manager, HPE Security Fortify; Mike Pittenger, VP of Security Strategy, Black Duck.
Open source software is an integral part of today’s technology ecosystem, powering everything from enterprise and mobile applications to cloud computing, containers and the Internet of Things.
While open source offers attractive economic and productivity benefits for application development, it also presents organizations with significant security challenges. Every year, thousands of new open source security vulnerabilities – such as Heartbleed, Venom and Shellshock – are reported. Unfortunately, many organizations lack visibility into and control of their open source. Addressing this challenge is vital for ensuring security in applications and containers.
Whether you’re building software for customers or for internal use, the majority of the code is likely open source and securing it is no easy task. In this session, you’ll learn about:
• The evolving DevOps and software security assurance lifecycle in the age of open source
• The software security considerations CISOs, security, and development teams must address when using open source
• An automated approach to identifying vulnerabilities and managing software security assurance for custom and open source code.
Open Source Insight: SCA for DevOps, DHS Security, Securing Open Source for G...Black Duck by Synopsys
It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? The GDPR (General Data Protection Regulation) is bearing down on us like a freight train, and it’s past time to include open source security into your GDPR plans.
Plus, an intro to the Open Hub community, looking at security for blockchain apps, and best practices for open source security in container environments are all featured in this week’s cybersecurity and open source security news.
Open Source Insight: Global Response to COSRI 2017 Open Source Security and R...Black Duck by Synopsys
Many Black Duck-related news stories in this week’s edition of Open Source Insight, thanks to the release of our 2017 Open Source Security and Risk Analysis detailing significant cross-industry risks related to open source vulnerabilities and license compliance challenges.
Black Duck conducts hundreds of open source code audits annually, primarily related to merger and acquisition transactions. For the 2017 analysis, our Center for Open Source Research & Innovation (COSRI) analyzed over 1,000 applications and found both high levels of open source usage — 96% of the apps examined contained open source — and significant risk to open source security vulnerabilities — more than 60% of the apps contained open source security vulnerabilities. All security professionals concerned about vulnerabilities and license compliance will want to review the report, which can be downloaded from the Black Duck website.
Emphasizing the need to stay on top of software security vulnerabilities is the NVD CVE listing for the month of April 2017, which now exceeds 900 entries, including CVE-2016-4899, a high to critical flaw where the datamover module in the Linux version of NovaBACKUP DataCenter before 09.06.03.0353 is vulnerable to remote command execution via unspecified attack vectors.
On to this week’s top open source and open source security news…
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Join Black Duck and our customer experts on best practices for application security in DevOps.
You’ll learn:
-New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments
-Best practices for designing and incorporating an automated approach to application security into your existing development environment
-Future development and application security challenges organizations will face and what they can do to prepare
Matteo Meucci Software Security in practice - Aiea torino - 30-10-2015Minded Security
Matteo Meucci did a talk on software security in practice, describing the actual scenario and the roadmap for the enterprise to improve their maturity in the SDLC.
DevSecOps aims to integrate security practices into DevOps workflows to deliver value faster and safer. It addresses challenges like keeping security practices aligned with continuous delivery models and empowered DevOps teams. DevSecOps incorporates security checks and tools into development pipelines to find and fix issues early. This helps prevent breaches like the 2017 Equifax hack, which exploited a known vulnerability. DevSecOps promotes a culture of collaboration, shared responsibility, and proactive security monitoring throughout the software development lifecycle.
Continuous security: Bringing agility to the secure development lifecycleRogue Wave Software
Presented at AppSec California 2017. The fact that software development is moving towards agile methodologies and DevOps is a given, the question is: How do you transform processes and tools to get the biggest advantage? Using application security testing as an example, this talk cuts through all the news, research, and standards to define a holistic process for integrating Agile testing and feedback into development teams. The talk describes specific processes, automation techniques, and the smart selection of tools to help organizations produce more secure, OWASP-compliant code and free up development time to focus on features.
Are you new to Black Duck or open source security? Do you need a refresher? Understanding the fundamentals of open source security is critical to keeping your data and organization safe. During this session, we'll share best practices from the world's leading experts to help you establish a foundation for success.
Matteo meucci Software Security - Napoli 10112016Minded Security
This document discusses software security and how companies can manage it. It begins with an introduction to software security risks from the perspectives of end users and companies. It then explains how companies can implement software security best practices using OWASP (Open Web Application Security Project) standards and processes. This includes incorporating security activities like risk assessments, secure design reviews, and testing throughout the entire software development lifecycle (SDLC). The document emphasizes that without focusing on security, vulnerabilities will exist, and that the OWASP resources can help integrate security practices.
Network intrusion. Information theft. Outside reprogramming of systems. These examples are just a few of the several reasons why software security is becoming increasingly more important to all industries. No system is immune, so it’s more important than ever to understand why secure code matters and how to create safer applications.
With this presentation you'll learn how to:
-Protect your systems from risk
-Comply with security standards
-Ensure the entire codebase is bulletproof
Web app penetration testing best methods tools usedZoe Gilbert
Read this blog to learn the best methodologies and tools for web app penetration testing, with real-world insights on keeping untrusted data separate from commands and queries and on improving access control.
Software composition analysis in business 3.pdfCiente
In contemporary development practices, it has become uncommon for organizations to exclusively craft software code from scratch when creating bespoke software applications.
As presented by Tim Mackey, Senior Technical Evangelist at Black Duck Software, at Open Source Open Standards (GovNet) (http://opensourceconference.co.uk/), this deck covers some of the material which operators of open source data centers and users of container and cloud technologies should be aware of when seeking to be security conscious.
Traditionally, when datacentre operators talk about application security, there has been a tendency to focus on issues related to key management, firewalls and data access. By contrast, application developers have a security focus which is more aligned with code analysis and fuzzing techniques. The reality is, secure application deployment principles extend from the infrastructure layer through the application and include how the application is deployed. With the prevalence of continuous deployment, it’s imperative to focus efforts on what attackers’ view as vulnerable; particularly in an environment where new exploits are being disclosed almost daily.
In this session we’ll present:
- How known vulnerabilities can make their way into production deployments
- How vulnerability impact is maximized
- A methodology for ensuring deployment of vulnerable code can be minimized
- A methodology to minimize the potential for vulnerable code to be redistributed
Similar to The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSource Webinar (20)
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps WhiteSource
Your organization has already embraced the DevOps methodology? That’s a great start. But what about security?
It’s a fact - many organizations fear that adding security to their DevOps practices will severely slow down their development processes. But this doesn’t need to be the case.
Tune in to hear Jeff Martin, Senior Director of Product at WhiteSource and Anders Wallgren, VP of Technology Strategy at Cloudbees, as they discuss:
- Why traditional DevOps has shifted, and what this will mean
- Who should own security in the age of DevOps
- Which tools and strategies are needed to implement continuous security throughout the DevOps pipeline
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your RiskWhiteSource
Have you considered what truly separates accidental vulnerabilities in open source from intentionally malicious releases? Although often grouped together as "vulnerabilities", malicious open source components are very different, from their very creation through to the way you mitigate and remediate them as an end user. The past 12 months were a record-breaking period for the detection of malicious components in the world's most popular package registries.
Join Rhys Arkins, Director of Product at WhiteSource, as he will discuss:
The key differences between accidental vulnerabilities and malicious releases,
How to manage the risk for each type of vulnerability,
Lessons learned from the most interesting malicious packages spotted during 2019.
Empowering Financial Institutions to Use Open Source With ConfidenceWhiteSource
The days when financial institutions relied solely on proprietary code are over. Today, even the largest financial services firms have realized the benefits of using open source technology to build powerful, innovative applications at a reduced time-to-market. However, the financial services industry faces strict regulatory requirements that present it with a unique set of challenges, especially when it comes to open source usage (both consumption and contribution).
FINOS is a non-profit organization whose purpose is to accelerate collaboration and innovation in financial services through the adoption of open source software, standards and best practices. Together with WhiteSource, they are able to provide a safe environment for developers to use open source components freely and fearlessly.
Join FINOS and WhiteSource as they discuss:
The challenges of open source usage
The state of open source vulnerabilities management
How FINOS uses WhiteSource to ensure the security and IP compliance of FINOS-produced open source software
Tackling the Container Iceberg:How to approach security when most of your sof...WhiteSource
Container images are based on many direct and indirect open source dependencies, which most developers are not aware of. What are the security implications of only seeing the tip of the iceberg? What are the challenges one faces when relying so heavily on open source? And how can teams overcome these?
Join Codefresh and WhiteSource, as they embark on a journey to tackle:
The container iceberg - learn what are your blind spots
The main security challenges when using open source in containerized applications
The role of automation in open source security in containers
A live demo showing how WhiteSource & Codefresh can allow you to automate open source security in containers throughout the DevOps pipeline
Securing Container-Based Applications at the Speed of DevOpsWhiteSource
Thanks to containerization and automation, applications are being developed and delivered faster than ever. With tools such as AWS ECR, developers are able to store, manage and deploy Docker container images without having to worry about operating their own container repositories or scaling the underlying infrastructure. With this, however, arise challenges around managing the security and compliance aspect of your container images. With tools such as WhiteSource, developers are able to manage the security of their containers and container images with no impact on agility and speed.
Join Shiri Ivtsan, Product Manager at WhiteSource and Carmen Puccio, Solutions Architect at AWS, as they discuss the following:
Effectively managing and deploying your container images
Gaining full visibility into your container images
Building and automating security into each layer of the container environment to ensure a continuous process throughout the SDLC
Demonstrating a live example using a vulnerable container image
Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery.
Now some good news: you can easily integrate security into your existing processes to solve this challenge.
In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss:
- Leveraging the DevSecOps approach to help speed up security
- Scaling security into your agile processes
- 5 easy ways to start driving DevSecOps in your organization
Open Source Security: How to Lay the Groundwork for a Secure CultureWhiteSource
Open-source components are prevalent in approximately 97% of modern applications and dominate anywhere between 60-80% of their codebases. This is hardly surprising given how integrating open source accelerates software development and enables organizations to keep up with today's frantic release pace and standards of constantly supplying new features and improvements.
However, taking into consideration the fact that recent years have seen an upsurge in reported open-source vulnerabilities, whose details and exploits are publicly available, it's no wonder that organizations are increasingly directing focus towards ensuring that their open-source components are securely integrated into their software.
Join Guy Bar-Gil, Product Manager at WhiteSource, as he discusses:
1. The four layers of open-source security
2. How to integrate continuous security into your SDLC
3. Best practices for organizations to own and execute the security process
Many organizations are using containers to develop and manage their applications. Containers enable development teams to work faster, deploy more easily and efficiently, and operate at a much larger scale. However, there are many security measures that need to be taken across the entire software development lifecycle, especially when it comes to open source security.
In this session, Shiri Ivtsan, Product Manager at WhiteSource, will discuss:
1) The complexity and security challenges with containers
2) The greatest risks when deploying containers
3) The three steps to take before shipping a Docker container
4) How to automate your container security process
Fire alarms vs. Fire hoses: Keeping up with DependenciesWhiteSource
Today no one can claim ignorance about the need for an open source vulnerability strategy, so what is yours? Are you the fire alarm type, who prefers to sit tight unless a vulnerability alert is ringing in your inbox? Or are you the fire hose type, staying ahead of the game with a never-ending stream of open source updates to apply? Join Rhys as he discusses the pros and cons of these two approaches, as well as whether there's a magical middle ground between the two which doesn't involve a fire analogy.
DevSecOps: Closing the Loop from Detection to RemediationWhiteSource
DevSecOps sets out to relieve the costly and stressful delays that can occur when security testing is performed late in the game, by setting up processes and tools for "shifting left" so security testing can happen early and often. As organizations continue to embrace this DevSecOps approach, testing tools and practices are integrated even further left in the development pipeline.
Join Senior Product Manager, Shiri Ivtsan, as she discusses:
Where and how developers are implementing DevSecOps in the SDLC;
Best practices for developers to adopt DevSecOps and more efficiently handle vulnerabilities;
Necessary steps for implementing a process for detection, prioritization, and remediation of open source vulnerabilities.
Barriers to Container Security and How to Overcome ThemWhiteSource
Over the past few years, more and more companies are turning to containerized environments to scale their applications.
However, keeping containers secure throughout the development life cycle presents many challenges to security and development teams. In order to address them, organizations need to adopt a new set of security processes and tools.
This session will focus on the three most vulnerable areas of container security and the best practices to help teams develop and deploy securely.
Join Jeffrey Martin, Senior Director of Product at WhiteSource, as he discusses:
The top challenges to security in containerized environments
How DevSecOps addresses security in containerized environments
Tips and tricks for successfully incorporating security into the container lifecycle
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...WhiteSource
Organizations tend to overlook open source security, due to the misconception that proprietary vulnerabilities and open source security vulnerabilities are detected and remediated in the same way.
Vulnerable open source components are not what SAST, DAST and similar application security testing tools are built to find: they analyze your own code or the running application for flaws, but they do not identify which open source components are present or match those components against databases of known vulnerabilities. Managing open source security vulnerabilities therefore requires a different set of tools, namely software composition analysis (SCA).
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...WhiteSource
In Collaboration with DevOps.com, WhiteSource's Shiri Ivtsan discussed in this webinar the main security challenges organizations face when using containers.
Automating Open Source Security: A SANS Review of WhiteSourceWhiteSource
In this webinar, SANS's Serge Borso and WhiteSource's Rami Elron provide a product review of our solution. You will learn how WhiteSource's solution can be easily integrated into the software development lifecycle to detect open source vulnerabilities in real time, prioritize and remediate vulnerabilities, and automate policy enforcement throughout the SDLC.
CI/CD pipeline security from start to finish with WhiteSource & CircleCIWhiteSource
This document provides an agenda for a webinar on securing CI/CD pipelines from start to finish with CircleCI and WhiteSource. The agenda includes brief introductions to CircleCI and WhiteSource, an overview of CircleCI Orbs and how they can simplify integrations, a discussion of the state of open source usage and security, and a demo of WhiteSource scanning functionality directly within a CircleCI pipeline using an Orb.
Open source licenses can be more than a little confusing for those of us that just want to write a little bit of code. However, with open source components playing such a big part in the products that we create, open source licenses and compliance simply can’t be ignored.
We’ve compiled the one stop resource guide for working compliantly with open source components, including answers to FAQs about the most popular licenses in 2018. Read all about the hottest licensing trends that you need to be following and some predictions for 2019.
WhiteSource Webinar What's New With WhiteSource in December 2018WhiteSource
- The webinar covered updates to Whitesource products including WhiteSource for Containers, workflow enhancements, the unified agent, integration updates for CircleCI, GitHub, and more.
- It also discussed updates to WhiteSource Advise, WhiteSource Prioritize, and API enhancements.
- Finally, it provided news about the Community Portal product idea zone and Q&A session.
Strategies for Improving Enterprise Application Security - a WhiteSource WebinarWhiteSource
This document debunks 3 common myths about open source security: 1) That security and agility are mutually exclusive, noting that shifting security processes left and mitigating rather than just reacting can minimize vulnerabilities while maximizing agility. 2) That security responsibilities can be delegated, and should empower developers through flexible selection processes. 3) That security vulnerabilities can be prioritized, as research shows 70% of reported vulnerabilities in open source libraries are not referenced by code. It recommends improving security through shifting left, streamlining policies, and prioritizing remediation.
How temenos manages open source use, the easy way combinedWhiteSource
The extensive use of open source in commercial software requires engineering executives to set processes and measures that will enable their organization and their customers to make the most of what open source can offer without assuming the accompanying risks.
See how Temenos manages their open source components.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Fourteenth Milan Meetup, held in Milan on 23 May 2024 from 17:00 to 18:30, in person and remotely.
We discussed how Axpo Italia S.p.A. reduced its technical debt by migrating its APIs from Mule 3.9 to Mule 4.4, while also moving from on-premises to CloudHub 1.0.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Ready to Unlock the Power of Blockchain!Toptal Tech
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSource Webinar
1. Bridging the gap: the three main strategies to reduce your vulnerability risk in the security of open source components
Presented by: Reut Netzer
2. Open Source Components Account For 60%-80% Of The Average Software Product
Chart: share of open source code vs. proprietary code in the average software product
• 1998: 5%-10% open source
• 2008: 30%-50% open source
• 2016: 60%-80% open source
Source: North Bridge Future Of Open Source Survey
3. Number of New CVEs Discovered More Than Doubled YoY in 2017
Chart: # of Vulnerabilities per year, 1999 to 2017 (y-axis 0 to 16,000)
5. What Makes It The Weakest Link?
Awareness and Responsibility: you carry 100% responsibility over your open source usage
• 97% of enterprises do not have a process in place to detect usage of components with known vulnerabilities
• Current DAST/SAST tools cannot detect open source vulnerabilities
• The information is public and available to all
7. PROPRIETARY VULNERABILITIES vs. OPEN SOURCE VULNERABILITIES
• Detection: potential vulnerability detected (SAST & DAST) vs. known vulnerability
• Publicity: no public information vs. all information is publicly available
• Remediation: need to research to find a fix vs. actionable remediation(s) are available
• Scan Phase: during development vs. continuous monitoring (incl. post release)
Open Source Security is a different game - change your mindset
01
9. On average, 70%* of reported security vulnerabilities in open source libraries are not referenced by the developers' code.
Chart, Effective vs. Ineffective (open source code): 70% ineffective, 30% effective
* Based on preliminary research by WhiteSource
02
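The "effective vs. ineffective" distinction above is a reachability question: is the vulnerable function in the library actually called, directly or transitively, from the application's own code? The following is an added example of that analysis, not WhiteSource's implementation or code from the slides. It builds a direct-call graph over a small constructed code base with Python's `ast` module and walks it from the application's entry points; the module names, the function names and the advisory identifiers (`EXAMPLE-VULN-0001`, `EXAMPLE-VULN-0002`) are all illustrative, and the vulnerable function named in each advisory is an assumption made for the example.

```python
import ast
from collections import deque
from typing import Dict, Iterable, Set, Tuple

# Constructed sample code base: two third-party modules and the application
# that imports them. Module and function names are illustrative, not real libraries.
MODULES: Dict[str, str] = {
    "libimg": """
def decode(data):
    return parse_header(data) + _inflate(data)

def parse_header(data):
    return data[:4]

def _inflate(data):          # pretend the advisory's bug lives here
    return data[4:]

def thumbnail(data):
    return decode(data)[:1]
""",
    "libxml": """
def parse(text):
    return text.strip()

def load_external_entity(url):   # vulnerable function the app never calls
    return "external:" + url
""",
    "app": """
import libimg
import libxml

def handle_upload(blob):
    return libimg.thumbnail(blob)

def handle_feed(text):
    return libxml.parse(text)
""",
}

# Hypothetical advisories, each naming the vulnerable function as (module, function).
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "EXAMPLE-VULN-0001": ("libimg", "_inflate"),
    "EXAMPLE-VULN-0002": ("libxml", "load_external_entity"),
}


def build_call_graph(modules: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each 'module.function' to the set of 'module.function' it calls directly.
    Resolves plain calls inside a module and 'imported_module.func' calls across modules."""
    graph: Dict[str, Set[str]] = {}
    for mod, src in modules.items():
        tree = ast.parse(src)
        imported = {alias.name for node in ast.walk(tree)
                    if isinstance(node, ast.Import) for alias in node.names}
        for fn in (n for n in tree.body if isinstance(n, ast.FunctionDef)):
            callees: Set[str] = set()
            for node in ast.walk(fn):
                if not isinstance(node, ast.Call):
                    continue
                target = node.func
                if isinstance(target, ast.Name):
                    callees.add(f"{mod}.{target.id}")          # same-module call
                elif (isinstance(target, ast.Attribute)
                      and isinstance(target.value, ast.Name)
                      and target.value.id in imported):
                    callees.add(f"{target.value.id}.{target.attr}")  # cross-module call
            graph[f"{mod}.{fn.name}"] = callees
    return graph


def reachable(graph: Dict[str, Set[str]], entry_points: Iterable[str]) -> Set[str]:
    """Breadth-first walk from the application's entry points over the call graph."""
    seen = set(entry_points)
    queue = deque(seen)
    while queue:
        current = queue.popleft()
        for callee in graph.get(current, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def classify(graph: Dict[str, Set[str]], entry_points: Iterable[str],
             advisories: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """'effective' if the advisory's vulnerable function is reachable from the app,
    'ineffective' otherwise."""
    reach = reachable(graph, entry_points)
    return {vuln_id: ("effective" if f"{mod}.{func}" in reach else "ineffective")
            for vuln_id, (mod, func) in advisories.items()}


if __name__ == "__main__":
    call_graph = build_call_graph(MODULES)
    verdicts = classify(call_graph, ["app.handle_upload", "app.handle_feed"], ADVISORIES)
    for vuln_id, verdict in verdicts.items():
        print(vuln_id, verdict)
```

`handle_upload` reaches `libimg._inflate` through `thumbnail` and `decode`, so the first advisory is effective; nothing in the app calls `libxml.load_external_entity`, so the second is ineffective. Treat "ineffective" as a prioritization signal rather than proof of safety: a direct-call analysis like this one misses dynamic dispatch, `getattr`, callbacks and reflection, and a later code change can make a dormant vulnerability reachable, which is why the slides pair prioritization with continuous monitoring.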
11. The cost of fixing security and quality issues is rising significantly as the development cycle advances.
• Coding: $80/Defect
• Build: $240/Defect
• QA & Security: $960/Defect
• Production: $7,600/Defect
Source: Ponemon Institute Research
03 Detect Issues As Early As Possible
14. How Does It Work?
Step One
• Local agent calculates a Unique Identifier for each file
• All identifiers are sent to our server
• No proprietary source code scanning
Step Two
• The UIDs are matched against our master DB
• All data (security, licensing and quality) is then compiled for the specific OSS inventory
Step Three
• Your account is updated
• All data is available online
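To make the three steps concrete, here is an added example that is not WhiteSource's agent or server code: it fingerprints every file in a project tree, matches the fingerprints against a small knowledge base, and compiles the open source inventory. The use of SHA-256 as the unique identifier, the layout of the knowledge base, the component names and the `EXAMPLE-VULN-0001` identifier are all assumptions made for the example; the "canonical" component bytes and the knowledge base entries derived from them are constructed inline so the code runs offline.

```python
import hashlib
import os
import tempfile
from typing import Dict

# Constructed sample component contents. A real knowledge base is built from the
# canonical upstream artifacts; here it is built from these bytes so the example
# is self-contained. Component names and versions are illustrative.
CANONICAL_FILES: Dict[str, bytes] = {
    "example-js-lib-1.2.3.min.js": b"/* example-js-lib 1.2.3 (constructed sample) */ function f(){}",
    "example-parser-0.9.0.jar": b"PK\x03\x04 constructed jar bytes for example-parser 0.9.0",
}


def fingerprint(data: bytes) -> str:
    """Step one's unique identifier: a SHA-256 digest of the file bytes (assumption:
    any collision-resistant hash works). Only this digest leaves the machine."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical master DB keyed by fingerprint, carrying security, licensing and
# quality data for the matching component.
KNOWLEDGE_BASE: Dict[str, dict] = {
    fingerprint(CANONICAL_FILES["example-js-lib-1.2.3.min.js"]): {
        "component": "example-js-lib", "version": "1.2.3", "license": "MIT",
        "vulnerabilities": ["EXAMPLE-VULN-0001"], "fix_version": "1.2.4",
    },
    fingerprint(CANONICAL_FILES["example-parser-0.9.0.jar"]): {
        "component": "example-parser", "version": "0.9.0", "license": "Apache-2.0",
        "vulnerabilities": [], "fix_version": None,
    },
}


def fingerprint_tree(root: str) -> Dict[str, str]:
    """Step one: walk the project, hash every file, return {relative path: identifier}.
    File contents are read locally and never stored or transmitted."""
    ids: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                ids[rel] = fingerprint(fh.read())
    return ids


def match_inventory(ids: Dict[str, str], db: Dict[str, dict]) -> dict:
    """Step two: match identifiers against the master DB and compile the OSS inventory.
    Unmatched files are either proprietary code or open source that was modified
    locally, which hash matching cannot recognize."""
    inventory, unmatched = [], []
    for rel, uid in sorted(ids.items()):
        record = db.get(uid)
        if record is None:
            unmatched.append(rel)
        else:
            inventory.append({"path": rel, **record})
    return {"inventory": inventory, "unmatched": unmatched}


def demo() -> dict:
    """Build a throwaway project tree containing two unmodified components, one
    proprietary file and one locally patched component, then run both steps."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "vendor"))
        for name, data in CANONICAL_FILES.items():
            with open(os.path.join(root, "vendor", name), "wb") as fh:
                fh.write(data)
        with open(os.path.join(root, "app.py"), "wb") as fh:
            fh.write(b"# proprietary code, constructed sample\nprint('hello')\n")
        # A patched copy no longer matches the canonical fingerprint.
        with open(os.path.join(root, "vendor", "example-js-lib-patched.js"), "wb") as fh:
            fh.write(CANONICAL_FILES["example-js-lib-1.2.3.min.js"] + b"\n// local patch")
        return match_inventory(fingerprint_tree(root), KNOWLEDGE_BASE)


if __name__ == "__main__":
    result = demo()
    for item in result["inventory"]:
        print(item["path"], item["component"], item["version"], item["vulnerabilities"])
    print("unmatched:", result["unmatched"])
```

The run reports both unmodified components with their licenses and vulnerabilities while `app.py` stays unmatched, which is the property that keeps proprietary source off the server. The patched copy of the library is also unmatched: exact-hash matching only recognizes files that are byte-identical to a known artifact, so vendored, re-minified or locally patched copies need a different identification technique (manifest parsing or partial matching) and should be reviewed rather than assumed clean.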
16. Not all open source components are created equal…
We'll help your developers to make the right choice the first time.
The Web Advisor detects open source package references and provides full information, including whether the package meets the company's policies, its license type, whether it is already used in the organization, its security vulnerabilities and more.
WhiteSource Web Advisor
19. Of Open Source Vulnerabilities Have A Fix
Get actionable suggested fixes from the open source community with direct links to new patches, versions, configuration changes and more.
20. The #1 Choice of Our Ecosystem
“We want Microsoft’s users to have access to the best industry solutions for open source management. WhiteSource is a thought leader in the Rugged DevOps space and we are happy that this partnership will bring the confidence, time and money savings they deliver to their customers” - Sam Guckenheimer
“We conducted a thorough search to identify the right solution to embed into our product and WhiteSource’s combination of the most comprehensive security vulnerabilities database in the market, alongside their unique remediation capabilities, made the solution an easy choice for our team.” - David Marshak
“Checkmarx is delighted to be working with WhiteSource to offer a complete solution for our users. We both share the same approach of creating solutions developers actually want to use” - Emmanuel Benzaquen
“The deep integration with Dimensions CM helps our customers to boost the security and efficiency that Serena’s ALM customers are looking for. With this partnership, no longer will teams collaborating on projects have to manually track open source usage, or speculate whether they are using vulnerable components.” - Ashley Owen
Application Security Tools:
ALM suite:
Open source components are the core building blocks of application software nowadays, providing developers with a wealth of possibilities that they can use for assembling their products faster and more efficiently.
According to several analyst firms, open source components, the libraries and frameworks written and maintained by the open source community, nowadays account for 60-80% of the code base in modern web applications.
The challenge is that with the massive usage of open source components in applications, there will statistically also be a rise in the number of newly discovered vulnerabilities that developers have to address. In 2017 alone, more than double the number of open source vulnerabilities were added to the CVE database, impacting tens of thousands of components. As open source usage continues to rise, 2018 is likely to see even more.
Therefore, open source clearly is the weakest link in your code. Why?
Despite the heavy reliance on open source, the software industry has been generally lax when it comes to ensuring that these components meet basic security standards. This is due in large part to organizations underestimating the number of open source components they are actually using in their products, and to the fact that open source vulnerabilities are fundamentally different in nature from those found in proprietary code. It was found that 97% of enterprises do not have a process in place to detect usage of components with known vulnerabilities.
In addition, unlike proprietary code, which uses tools like Static Application Security Testing (SAST) to detect vulnerabilities, the technology for open source vulnerability detection works in a different fashion. Application security testing tools that detect vulnerabilities in your own code, like SAST, are not applicable to open source components, as they depend on following a set of guidelines laid out in white lists. This model works just fine when the code is managed by a single team, working under a single logic.
Open source, however, is run more as a distributed group of contributors adding their work to the code. This makes solutions that rely on white lists untenable for testing the code; they will only lead to a mountain of false positives that no developer wants to run down.
The information regarding vulnerabilities is readily available in public databases. These known vulnerabilities, with the details on which versions are affected and how the exploit can be carried out, give security and development teams the information they need to perform the necessary fixes and secure their applications. The flip side is that hackers also follow these publications in order to gain free knowledge of how to carry out attacks with minimal effort, saving them the work of having to find their own way into your backend.
Therefore, you carry 100% of the responsibility for your open source usage… but who is carrying that responsibility? The developers? Security teams? This is not always very clear.
Therefore, we have developed 3 approaches and best practices that security teams should implement in order to enable their developers to harness the power of open source and to reduce your organization’s exposure to open source security risk.
Approach number 1 – it’s time to change your mindset
(all written in the slide)
Now, once you have distinguished between proprietary and open source vulnerabilities, and have identified which open source vulnerabilities you are exposed to, you need to prioritize the security vulnerabilities you need to remediate.
Developers need to find ways to prioritize which issues to fix first. There is an obvious case for tackling the vulnerabilities with the highest CVSS scores first, such as vulnerabilities that could give hackers remote code execution on their systems.
However, there are additional factors that need to be taken into account when prioritizing your team’s plan of action. You need to first tackle the vulnerabilities that have the highest impact on the security of your product, even before concerning yourself with their CVSS scores. How?
Open source components are reusable and are usually developed to fit different customers and use cases. Therefore, open source components tend to package many functionalities. As developers use open source components “as is”, meaning the entire package rather than just a snippet, for supportability purposes, in most cases the application makes calls to only a rather small percentage of the functionalities in each component. These are called effective functionalities.
So, what is the impact of the functionalities that are not effectively used by the product? They have no impact on the product, as the proprietary code is not making calls to that functionality. Such a functionality can be understood as ineffective, since it is essentially cut off from the rest of the call chain that serves our application.
Our preliminary research on vulnerabilities in Java products shows that only 30% of the vulnerabilities are within functionalities that are effective and can have an actual impact on the security of your product. Conversely, this means that the remaining 70% of vulnerabilities detected in these products, while still real vulnerabilities, do not have an impact on your product, as they lie within ineffective functionalities.
By being able to narrow down which vulnerable components are effective and which are not, developers can considerably improve their efficiency, focusing on the critical issues that require their attention.
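One way to tell an effective from an ineffective vulnerability, as an added example that is not WhiteSource's implementation: build a static call graph from the application's source with Python's `ast` module and check whether the library function carrying the vulnerability is reachable from the application's entry point. The library, the application and the vulnerability id are constructed placeholders; the analysis is deliberately simple and misses dynamic dispatch, reflection and callbacks, so an "ineffective" verdict is a prioritization aid, not proof.

```python
import ast
from collections import deque

# Constructed sample of a hypothetical third-party library with two functions.
LIBRARY_SRC = '''
def parse_csv(text):
    return [row.split(",") for row in text.splitlines()]

def render_template(template, ctx):   # hypothetical: affected by EXAMPLE-VULN-0002
    return template.format(**ctx)
'''

# Constructed sample of the proprietary application that imports the library.
APP_SRC = '''
import lib

def load(text):
    return lib.parse_csv(text)

def main():
    return load("a,b")
'''

def call_graph(module_name, src):
    """Map each 'module.func' to the qualified names it calls, read from the AST.
    Bare calls resolve to this module; attribute calls keep their prefix (e.g. lib.x)."""
    graph = {}
    for node in ast.parse(src).body:
        if isinstance(node, ast.FunctionDef):
            callees = set()
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    f = sub.func
                    if isinstance(f, ast.Name):
                        callees.add(f"{module_name}.{f.id}")
                    elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                        callees.add(f"{f.value.id}.{f.attr}")
            graph[f"{module_name}.{node.name}"] = callees
    return graph

def reachable(graph, entry):
    """Breadth-first walk over the call graph from the entry point."""
    seen, todo = set(), deque([entry])
    while todo:
        fn = todo.popleft()
        if fn not in seen:
            seen.add(fn)
            todo.extend(graph.get(fn, ()))
    return seen

def classify(graph, entry, vulnerable_funcs):
    """Effective if the application can reach the vulnerable function, else ineffective."""
    reached = reachable(graph, entry)
    return {fn: ("effective" if fn in reached else "ineffective") for fn in vulnerable_funcs}
```

Merging `call_graph("app", APP_SRC)` with `call_graph("lib", LIBRARY_SRC)` and classifying from `app.main` marks `lib.parse_csv` as effective and `lib.render_template` as ineffective, so the placeholder vulnerability in the latter would be deprioritized.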
Improving your ability to detect and remediate open source vulnerabilities is not enough to secure your application, since the minute an open source vulnerability is published, developers are in a race against time to implement their fixes before they are targeted by hackers.
In order to ensure you will be able to detect and remediate issues as quickly as possible, you need to automate the entire process of detecting and remediating open source vulnerabilities. When automating your processes, it is also very important to understand the unique opportunity that shifting left offers for open source security.
The growing challenge of speeding up the development process without compromising on the quality of each release was one of the main drivers of the mass adoption of the shift-left concept. The idea behind “shift left” is to incorporate software testing earlier in the process and automate it. By moving software testing closer to the developer (that is, to the “left” of the delivery chain), teams are able to detect issues earlier in the development process, when they are easier, quicker, and cheaper to fix.
Shifting security testing “left” helps developers detect issues before they turn into complex “tear and replace” operations, which are far more complex and costly. According to the Ponemon Institute’s “The Cost of Data Breach” research, replacing a vulnerable component during the coding stage of the development process costs only ~1% of the cost of replacing the same component post deployment.
When it comes to securing the open source components in your software, the potential for shifting left is much greater than in proprietary code. The reason is that with open source security, all the information is already public and available, and you do not need to run time-intensive tests in order to detect the issues. This means that you can actually detect components with known vulnerabilities before even downloading a component and integrating it with your product.
Providing information on open source components to developers empowers them to make better choices when selecting the open source components they intend to use. This is a huge advantage that shifts security all the way to the left.
SCA tools are shifting left open source management as a whole, and not only the security aspect, since software teams also need to ensure compliance with open source licenses, ensure the quality of newly added open source components, and detect newly released versions with performance improvements, new functionalities, and/or bug fixes.
This section you know super well, so based on your time for the parts before, feel free to dive in as much as possible or to be more light on it