Winning Open Source Vulnerabilities Without Losing Your Developers
WhiteSource Software Internal and Proprietary
Tsaela Pinto
Director of Knowledge R&D
World’s top open source knowledge base
Recent insights
● Open source vulnerabilities are on the rise
● Vulnerability handling is inefficient
● Prioritization is the key
● Usage analysis might reduce alerts by 70% to 85%
Reported open source security
vulnerabilities are on the rise
CVE-2017-5638
If they knew how it was going to change their lives…
Celebrity vulnerabilities
● Heartbleed, in OpenSSL
● Shellshock, in Bash
● Stagefright, in the Android operating system
● POODLE, in the SSL 3.0 protocol
And it’s rising
● 51%: the observed year-over-year rise of reported vulnerabilities in 2017
● 96% of developers rely on open source components
Affected developers
A lot of vulnerable projects
● 32% of the top 100 open source projects have been reported with a vulnerability
Most of them are already fixed
● 97% of the reported vulnerabilities have a suggested fix
Where can we find them?
● Only 86% are in the NVD; the rest have to be found elsewhere
The handling of vulnerabilities is inefficient
Top challenge in using open source components
Challenge #1: vulnerabilities
How much time is spent?
Survey answer options: none; 1-10 hours; 11-20 hours; 21-35 hours; 36-60 hours; over 60 hours
15 hours/month spent on average by every developer on security vulnerabilities
What are the common tasks?
99% appear responsive and reactive…
● Nothing
● Research to better understand the vulnerability and its impact
● Remediate based on the open source community recommendation
● Report to other teams (Security/DevOps) or a manager
● Remediate only through patches (if available)
Prioritization is the key
Common prioritization methods
● Criticality of the project that might be impacted by the vulnerability
● Availability of the suggested fix
● Perceived impact of the vulnerability on projects
● Number of software libraries containing the vulnerability
● Vulnerability severity
● Creation date of the vulnerability alert
56% opt for security/business-oriented prioritization
Vulnerabilities are not necessarily effective
Vulnerability effectiveness: a new approach
● Effective vulnerability: proprietary code may call the vulnerable code
● Ineffective vulnerability: proprietary code does NOT call the vulnerable code
Based on testing of 2,000 Java applications: 70% of the reported vulnerabilities were ineffective, 30% effective.
Over ten hours saved. Per developer. Per month.
Usage analysis will eliminate 70% to 85% of the vulnerability alerts
Impact-based prioritization: real-life observations
● 100% of the projects were found vulnerable
● 86% of the vulnerabilities were ineffective
● 36% of the projects had at least one effective vulnerability
● 90% of the vulnerabilities were in transitive dependencies
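The effective/ineffective distinction above is a reachability question over the call graph: is there a path from the proprietary code's entry points to the function the advisory names? The following is an added example (not WhiteSource's usage-analysis engine) that makes the idea concrete; the call graph, the package names and the `ADV-…` advisory identifiers are all constructed for the example, and it also reports the call path so a developer can see how a transitive dependency such as `lib-path` is reached.

```python
"""Effective vs. ineffective vulnerability triage by call-graph reachability.

Added example to illustrate the usage-analysis idea on this page; it is not
WhiteSource code. A reported vulnerability is treated as EFFECTIVE when a
function in the proprietary code can reach the vulnerable library function
through the call graph, and INEFFECTIVE otherwise. The call graph, package
names and advisory identifiers below are constructed for the example.
"""
from collections import deque

# Constructed call graph: caller -> list of callees, as "package:function".
# "app" is the proprietary code; the other packages are open source components,
# and lib-path is only reached transitively, through lib-archive.
CALL_GRAPH = {
    "app:main": ["app:handle_upload", "app:render_report"],
    "app:handle_upload": ["lib-archive:extract"],
    "app:render_report": ["lib-template:render"],
    "lib-archive:extract": ["lib-archive:check_header", "lib-path:normalize"],
    "lib-archive:check_header": [],
    "lib-archive:parse_symlink": [],      # shipped in the library, never called here
    "lib-path:normalize": ["lib-path:join_unsafe"],
    "lib-path:join_unsafe": [],
    "lib-template:render": ["lib-template:escape"],
    "lib-template:escape": [],
    "lib-template:eval_expr": [],         # shipped in the library, never called here
}

# Constructed advisories (hypothetical IDs): alert -> vulnerable functions.
ADVISORIES = {
    "ADV-0001 lib-path traversal": ["lib-path:join_unsafe"],
    "ADV-0002 lib-template injection": ["lib-template:eval_expr"],
    "ADV-0003 lib-archive symlink escape": ["lib-archive:parse_symlink"],
    "ADV-0004 lib-archive header overflow": ["lib-archive:check_header"],
}


def reachable_from(graph, roots):
    """Breadth-first walk; returns {node: caller} for every node reachable from roots."""
    parent = {r: None for r in roots}
    queue = deque(roots)
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return parent


def call_path(parent, target):
    """Reconstruct entry point -> ... -> target from the parent map."""
    path = []
    while target is not None:
        path.append(target)
        target = parent[target]
    return list(reversed(path))


def classify(graph, advisories, entry_points):
    """Map each advisory to ('effective', [paths]) or ('ineffective', [])."""
    parent = reachable_from(graph, entry_points)
    result = {}
    for adv, funcs in advisories.items():
        paths = [call_path(parent, f) for f in funcs if f in parent]
        result[adv] = ("effective" if paths else "ineffective", paths)
    return result


def summarize(result):
    """Count effective vs. ineffective alerts and the share that can be deprioritized."""
    total = len(result)
    effective = sum(1 for status, _ in result.values() if status == "effective")
    ineffective = total - effective
    return {
        "total": total,
        "effective": effective,
        "ineffective": ineffective,
        "reduction_pct": round(100 * ineffective / total) if total else 0,
    }


if __name__ == "__main__":
    verdicts = classify(CALL_GRAPH, ADVISORIES, ["app:main"])
    for adv, (status, paths) in verdicts.items():
        print(f"{status:11} {adv}")
        for p in paths:
            print("            via " + " -> ".join(p))
    print(summarize(verdicts))
```

Two caveats a practitioner should keep in mind: a static call graph misses edges created by reflection, dynamic dispatch, deserialization gadget chains and native code, so an unresolved call should count as effective (fail closed) rather than silently dropping the alert; and "ineffective" means lower priority, not safe, since a later code change or a new call path can make the same component effective overnight, so the component should still be upgraded in the normal cadence.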
Takeaways
1. Open source code is essential
2. 30% of the packages are vulnerable, and rising
3. Open source vulnerabilities matter
4. If you can’t beat them, prioritize them
Practical tools to beat open source vulnerabilities
WhiteSource Bolt
Free Azure DevOps extension for open source security
Fully integrated within Azure DevOps
“We want Microsoft’s users to have access to the best industry solutions for open source management. That’s why we reached out to partner with WhiteSource.”
Sam Guckenheimer, Group Product Planner, Microsoft
What is WhiteSource Bolt?
● Find & fix open source vulnerabilities: detect vulnerable components and see actionable fix recommendations
● Generate inventory reports: get a detailed BoM with all transitive dependencies
● Ensure license compliance: discover all open source licenses used in your project
Generate inventory report
How can I fix what I don’t know I have?
● Automated inventory reports
● Database of over 100M components & 70M source files
● Generating project and build level reports
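An inventory report only answers "what do I have?" if it includes the transitive dependencies, which the observations above put at 90% of the vulnerable components. The following is an added example, not WhiteSource Bolt's report code: it builds a bill of materials from an npm `package-lock.json` (lockfileVersion 2 `packages` map), marks each component as direct or transitive, records which declared dependency pulled it in, and carries the declared license. The lockfile is constructed inline for the example; the package names are real npm packages, but the versions and license strings are illustrative.

```python
"""Inventory (bill of materials) from an npm package-lock.json, with each
component marked direct or transitive and the chain that pulled it in.

Added example, not WhiteSource Bolt's report code. It reads the
lockfileVersion 2 "packages" map; the lockfile below is constructed for
the example (package names are real npm packages, versions and licenses
are illustrative).
"""
import json
from collections import deque

LOCKFILE_JSON = r'''{
  "name": "meetup-app",
  "lockfileVersion": 2,
  "packages": {
    "": {
      "name": "meetup-app",
      "dependencies": {"express": "^4.17.1", "lodash": "^4.17.21"},
      "devDependencies": {"mocha": "^9.0.0"}
    },
    "node_modules/express": {"version": "4.17.1", "license": "MIT",
                             "dependencies": {"debug": "2.6.9", "qs": "6.7.0"}},
    "node_modules/debug":   {"version": "2.6.9", "license": "MIT",
                             "dependencies": {"ms": "2.0.0"}},
    "node_modules/ms":      {"version": "2.0.0", "license": "MIT"},
    "node_modules/qs":      {"version": "6.7.0", "license": "BSD-3-Clause"},
    "node_modules/lodash":  {"version": "4.17.21", "license": "MIT"},
    "node_modules/mocha":   {"version": "9.0.0", "dev": true, "license": "MIT",
                             "dependencies": {"debug": "4.3.1"}},
    "node_modules/mocha/node_modules/debug": {"version": "4.3.1", "dev": true,
                                              "license": "MIT"}
  }
}'''


def resolve(packages, from_key, name):
    """npm resolution: the nearest enclosing node_modules directory holding `name`.

    Hoisting means a transitive dependency usually sits at the top level, so
    path depth alone does not tell you whether a package is direct; only the
    root's declared dependencies do.
    """
    base = from_key
    while True:
        candidate = (base + "/" if base else "") + "node_modules/" + name
        if candidate in packages:
            return candidate
        if not base:
            return None
        # climb to the parent package directory
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""


def build_bom(lockfile):
    """Walk declared dependencies from the root; return {lockfile key: component}."""
    packages = lockfile["packages"]
    root = packages[""]
    declared = {**root.get("dependencies", {}), **root.get("devDependencies", {})}
    bom = {}
    queue = deque()
    for name in declared:
        key = resolve(packages, "", name)
        if key is not None:          # declared but not installed: nothing to inventory
            queue.append((key, []))
    while queue:
        key, via = queue.popleft()
        if key in bom:
            continue                 # already recorded through an earlier path
        meta = packages[key]
        name = key.split("node_modules/")[-1]   # keeps scoped names like @scope/pkg
        bom[key] = {
            "name": name,
            "version": meta.get("version"),
            "license": meta.get("license", "UNKNOWN"),
            "scope": "direct" if not via else "transitive",
            "dev": bool(meta.get("dev", False)),
            "via": via,              # declared dependency -> ... that pulled this in
        }
        for dep in meta.get("dependencies", {}):
            dep_key = resolve(packages, key, dep)
            if dep_key is not None:
                queue.append((dep_key, via + [name]))
    return bom


def transitive_share(bom):
    """Percentage of inventoried components that nobody declared directly."""
    total = len(bom)
    transitive = sum(1 for c in bom.values() if c["scope"] == "transitive")
    return round(100 * transitive / total) if total else 0


def sample_bom():
    return build_bom(json.loads(LOCKFILE_JSON))


if __name__ == "__main__":
    bom = sample_bom()
    for key, c in sorted(bom.items()):
        chain = " -> ".join(c["via"] + [c["name"]])
        print(f"{c['name']:<8} {c['version']:<8} {c['license']:<13} {c['scope']:<10} {chain}")
    print(f"{transitive_share(bom)}% of components are transitive")
```

Because direct dependencies are queued before any of their children, a package that is both declared and pulled in transitively is recorded as direct. The same walk yields two versions of `debug` (one nested under `mocha`), which is exactly the case a flat "installed packages" listing hides and a fix recommendation has to name precisely.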
Open source outdated report
Find & fix vulnerabilities
Security, DevOps, Developers
Prioritization is key to open source vulnerability management
The cost of fixing security and quality issues rises significantly as the development cycle advances (source: Ponemon Institute Research):
● Coding: $80/defect
● Build: $240/defect
● QA & Security: $960/defect
● Production: $7,600/defect
Detect Issues As Early As Possible
Find & Fix Vulnerabilities
● Over 200K vulnerabilities from multiple sources
● Actionable fix suggestions
● Accurate matching with no false positives
Fully integrated with dev environment
Suggested fixes
Ensure license compliance
Open source components: where licenses are declared
● GitHub repo
● GitHub tag (compare version 0.16 with version 1.4.4)
● npmjs
● NuGet
Licenses overview
Does licensing matter?
Ensure license compliance
● Detection of components and dependencies' licenses
● Providing origin links for due diligence reports
● Generating project and build level reports
Licenses inventory report
Azure lab
https://www.azuredevopslabs.com/labs/vstsextend/whitesource/
What is WhiteSource?
1. Get full visibility throughout the SDLC: manage your entire pipeline, including binary repositories, package managers, build tools, CI servers and container environments, covering over 200 languages.
2. Enforce policies automatically to approve, reject, reassign or even open an issue ticket, to get full control and automate the current manual, time-consuming tracking and approval processes.
3. Effective usage analysis: a prioritization tool that can reduce 70% of all security alerts with usage analysis technology.
4. License compliance: full visibility on all open source licenses in use.
WhiteSource leads the way with the highest score for current offering and strategy in the latest Forrester Wave™ SCA report.
The Forrester Wave: Software Composition Analysis 2019
Thank you
Tsaela Pinto
tsaela.pinto@whitesourcesoftware.com
Winning open source vulnerabilities without losing your developers - Azure DevOps meetup