Interview with Yossi Weinberg, software developer at WhiteSource

“Users aren’t taking responsibility for their open source usage – This has to change”

Dominik Mohilo

Open source has a lot of benefits, no one can argue that. However, it is also uniquely exposed to today’s security threats. We talked with Yossi Weinberg, software developer at WhiteSource, about how WhiteSource makes sure users’ projects are secure, why open source management is essential, and the impact Microsoft’s acquisition of GitHub will have on the open source community.

JAXenter: Hi Yossi and thanks for taking the time to answer these questions. WhiteSource was developed to secure users’ projects, especially if they contain open source software. What’s the process? How are you making sure users’ projects are secure?

Yossi Weinberg: WhiteSource was actually developed to help software companies using open source components in their products to use open source securely. We do that by detecting vulnerable open source components in real-time and providing remediation support.

The detection of all open source components in every product in real-time is done with plugins that integrate with repositories, build tools, CI servers etc. Once components are detected, we identify the vulnerable components and provide vulnerability information, a risk assessment and actionable remediation guides.

JAXenter: Can you please share some details about the structure of WhiteSource’s functionality? What does the infrastructure look like?


Yossi Weinberg: The open source community is doing a great job at securing and maintaining open source projects, but the information is scattered all over the web and the majority of databases are not properly indexed which makes it impossible for users of these projects to learn about security and quality issues.

This is why WhiteSource aggregates information from the open source community across the entire web, validates it and indexes it. Our platform also integrates with the different development tools to detect open source components in real-time and then cross-references the information with our database. This enables us to alert software development, DevOps and software security teams in real time whenever a vulnerable or problematic open source component is added. It also alerts whenever a vulnerability is detected in a deployed product, since many open source vulnerabilities are detected years after the impacted library was released.

JAXenter: How does WhiteSource compare to other tools that provide the overall same functionality? What is WhiteSource’s unique selling point?

Yossi Weinberg: WhiteSource is able to prioritize open source vulnerabilities by their impact on the security of the product, helping teams to focus on the important issues. On top of that, our product provides developers with full trace analysis to help them understand how they are using these vulnerable components and how to remediate them.

Just as important, we’re the only solution to support over 200 programming languages, covering all common software development tools.

JAXenter: Why is “open source management” such a critical topic for projects?

Yossi Weinberg: Open source components account for 60%-80% of the code base in commercial applications. Vulnerabilities in open source components cannot be detected using tools like SAST which can find vulnerabilities in proprietary code.

Not using ‘open source management’ tools, otherwise referred to as ‘Software Composition Analysis’ tools, leaves 60%-80% of the code base exposed. Also, as open source adoption continues to rise and the awareness of security rises in the community, the number of reported CVEs rapidly increases. Just in 2017, the number of reported vulnerabilities more than doubled.

The problem with open source vulnerabilities is that once a vulnerability is released, a race between hackers and users starts as all the information is publicly available.
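The two answers above describe the same loop from different angles: inventory the open source components in a build, cross-reference them against an indexed advisory database, give a remediation path, and re-run the check whenever a new advisory is published so that a library deployed years ago is still caught. The following Python sketch is an added illustration of that loop, not WhiteSource’s code; every package name, version and advisory id in it is constructed (the ids are placeholders, not CVE numbers), and the inventory format is a pinned `name==version` list chosen for simplicity.

```python
"""Minimal software-composition-analysis (SCA) check, added as an illustration.
It models the loop described in the interview: inventory the open source
components in a build, cross-reference them against an indexed advisory
database, and re-run the check whenever a new advisory is published.
All package names, versions and advisory ids below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder id, not a real CVE
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" if no fix yet
    severity: str


def parse_version(version: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so that 1.2.10 > 1.2.9; comparing the
    strings would get this wrong, a classic SCA false negative/positive."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed), or >= introduced when unfixed."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed == "" or v < parse_version(adv.fixed)


def parse_inventory(lockfile_text: str) -> dict:
    """Parse pinned 'name==version' lines (pip requirements style) into
    {name: version}; comments and blank lines are ignored."""
    inventory = {}
    for raw in lockfile_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if sep:
            inventory[name.strip().lower()] = version.strip()
    return inventory


def remediation(adv: Advisory) -> str:
    """Actionable guidance: upgrade target when a fix exists, otherwise contain."""
    if adv.fixed:
        return f"upgrade {adv.package} to >= {adv.fixed}"
    return f"no fixed release of {adv.package} yet: remove, replace or mitigate"


def find_vulnerable(inventory: dict, advisories: list) -> list:
    """Cross-reference the inventory with the advisory list; one finding
    per (package, advisory) pair, most severe first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for adv in advisories:
        version = inventory.get(adv.package)
        if version is not None and is_affected(version, adv):
            findings.append({
                "package": adv.package,
                "version": version,
                "advisory": adv.advisory_id,
                "severity": adv.severity,
                "remediation": remediation(adv),
            })
    return sorted(findings, key=lambda f: order.get(f["severity"], 9))


def new_alerts(inventory: dict, seen_ids: set, advisories: list) -> list:
    """Alerts for an already deployed inventory: only findings whose advisory
    id has not been reported before, so a re-scan after a new publication
    surfaces just the new risk (the 'years after release' case)."""
    return [f for f in find_vulnerable(inventory, advisories)
            if f["advisory"] not in seen_ids]


# Constructed sample data (not real packages or advisories).
SAMPLE_LOCKFILE = """
# pinned build inventory
examplelib==2.3.1
fastparse==0.9.0
safeutils==1.4.10
"""

ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "examplelib", "2.0.0", "2.3.4", "high"),
    Advisory("ADV-PLACEHOLDER-002", "fastparse", "0.8.0", "", "medium"),
    Advisory("ADV-PLACEHOLDER-003", "safeutils", "1.0.0", "1.4.2", "critical"),
]

if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_LOCKFILE)
    for finding in find_vulnerable(inventory, ADVISORIES):
        print(finding)
```

Running it reports `examplelib` (fix available) and `fastparse` (no fix yet) but not `safeutils`, whose `1.4.10` is above the `1.4.2` fix; a tool that compared version strings lexically would have flagged it. The `new_alerts` function is the re-scan step: hand it the advisory ids already reported for a deployed product and it returns only what a newly published advisory adds.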

SEE ALSO: “Open source is not any more or less secure than proprietary or commercial code”

JAXenter: What is your take on the concept of open source? What will the future of open source look like?

Yossi Weinberg: Open source is one of the main driving forces when it comes to software innovations. It enables software teams to focus their resources on developing new technologies rather than re-inventing the wheel. It’s also a necessity for software teams required to continuously increase the speed of software deployment.


Open source usage will only continue to rise and the awareness of the open source community will also rise. Many lessons were learned after the Heartbleed vulnerability. But the biggest gap right now is that the users of open source projects – the software development teams – are not taking responsibility for their open source usage.

This must change; the question is how many data breaches like Equifax, which resulted from open source vulnerabilities, will happen until then.

JAXenter: Microsoft just acquired GitHub; do you think this will have a big impact on the open source community? GitHub is the go-to-platform for hosting your open source projects, after all.

Yossi Weinberg: This deal emphasizes the importance of open source in modern software products. Microsoft’s goal is to deepen its relationship with developers and what better way to do that than acquiring the go-to hosting site and repository for open source code.

We believe this will only empower the community as Microsoft will strengthen GitHub’s offering to deepen their relationship with the open source community and will not work against the community or try to limit it in any way.

Thank you!


Author
Dominik Mohilo
Dominik Mohilo studied German and sociology at the Frankfurt University, and has worked at S&S Media since 2015.
