“Open source is not any more or less secure than proprietary or commercial code”
Open source has a lot of benefits, no one can argue that. However, it is also uniquely positioned to face the threats of today’s security concerns. We talked with Rami Sass, CEO and co-founder of WhiteSource, about some of the potential pitfalls in open source components, its challenges and more.
JAXenter: What should developers pay attention to when choosing an open source solution?
Rami Sass: The goal of using an open source management solution is to automate the entire process of open source components selection, approval, and detection of vulnerabilities or license compliance issues. Automating these processes will not only free up your developers to focus on their key role but will also significantly increase your accuracy and will detect many issues organizations have no way to gain visibility into without an automated solution.
The basic requirement of such a tool is to support all languages used in the organization to ensure one tool will support all products.
Another basic requirement should be a tool that aggregates vulnerability information from the entire open source community. Information should be sourced not just from the National Vulnerability Database (NVD), but also from security advisories and open source projects issue trackers. If you’re not out meeting developers and researchers where they are, then you are only showing a part of the picture.
One other important thing to consider is the level of automation, to ensure the tool is able to automatically enforce policies, initiate workflows and generate reports, thus dramatically reducing the drag on time and focus.
JAXenter: What is WhiteSource and how does it plan to make developers’ lives easier?
Rami Sass: WhiteSource is the Software Composition Analysis market leader, providing a solution for securing open source components in software products, ensuring license compliance policies, and helping developers to build higher quality applications.
We automate the entire process of open source component tracking and approval, so developers can focus on coding, instead of tracking usage in spreadsheets and ticketing systems, asking for approval by email, etc. We also generate inventory, risk, and deployment reports within minutes to save them time and effort.
In addition, our Web Advisor tool is a browser extension that provides information on open source components while developers are browsing resource sites like Stack Overflow, Maven Central, and more. It helps developers choose the best, secure components before they even make a pull request, shifting us about as far left as possible.
JAXenter: What’s the mechanism behind it?
Rami Sass: WhiteSource’s plugin integrates into your repositories, build tools, package managers, CI servers, and more. Every time you run your build or commit code, we identify all open source components, including transitive dependencies, in real time and provide all relevant information on these components in terms of security, license compliance, and quality.
JAXenter: Could you name some of the potential pitfalls in open source components? Any advice on how not to fall into those pitfalls?
Rami Sass: Far too often, developers will use an open source component for their product without checking to see if it has any known vulnerabilities. Even worse, they are probably not keeping proper track of the components they are using due to lack of visibility, and it makes dealing with newly discovered vulnerabilities trickier down the line.
Think about it like this: you can’t patch what you don’t know you have. If an open source component with a known vulnerability or a license that is not compliant with the organization’s policies makes its way into the product, it can cause a delay before the release when security or legal teams reject the use of the component. This means that developers have to go back in and start costly tear-and-replace ops that nobody wants to do.
The only way to prevent this is to know the status of the open source components that you are putting into your code, tracking it and aggregating data from all the relevant sources. This is no easy task for an organization to undertake. Therefore we recommend that they adopt a Software Composition Analysis solution like WhiteSource to keep their products secure and compliant.
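As an added illustration of the mechanism described in the answers above (not WhiteSource's code or any real data), the following script flattens a resolved dependency tree, transitive dependencies included, and matches every component against advisories aggregated from more than one feed. Package names, versions, advisory ids and version ranges are all constructed placeholders.

```python
"""Minimal SCA-style check: enumerate every component actually present
(including transitive ones) and match it against aggregated advisories."""
from typing import Dict, List, Tuple

# Constructed dependency tree, as a lockfile resolver would produce it:
# name -> (resolved version, direct dependencies). All names hypothetical.
LOCKFILE = {
    "webapp":     ("1.0.0", ["http-lib", "yaml-parse"]),
    "http-lib":   ("2.3.1", ["tls-util"]),
    "tls-util":   ("0.9.4", []),
    "yaml-parse": ("4.1.0", ["tls-util"]),
}

# Constructed advisories from two feeds: an NVD-style record and a project
# issue-tracker entry. Ids are placeholders, not real CVEs or issues.
ADVISORIES = [
    {"source": "nvd", "id": "CVE-0000-0001", "package": "tls-util",
     "introduced": "0.9.0", "fixed": "0.9.5"},
    {"source": "tracker", "id": "yaml-parse#123", "package": "yaml-parse",
     "introduced": "4.0.0", "fixed": "4.1.2"},
    {"source": "nvd", "id": "CVE-0000-0002", "package": "http-lib",
     "introduced": "1.0.0", "fixed": "2.0.0"},  # fixed before our version
]

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple, so ranges compare numerically."""
    return tuple(int(p) for p in v.split("."))

def flatten(root: str, tree: Dict) -> Dict[str, List[str]]:
    """Walk the tree from root; return name -> dependency path that pulls it in."""
    found: Dict[str, List[str]] = {}
    stack = [(root, [root])]
    while stack:
        name, path = stack.pop()
        if name in found:          # shared transitive dep: keep first path
            continue
        found[name] = path
        for dep in tree[name][1]:
            stack.append((dep, path + [dep]))
    return found

def find_vulnerable(root: str, tree: Dict, advisories: List[Dict]) -> List[Tuple]:
    """Return (advisory id, feed, package, version, path) for each affected component."""
    hits = []
    for name, path in flatten(root, tree).items():
        ver = parse_version(tree[name][0])
        for adv in advisories:
            if adv["package"] != name:
                continue
            # Affected if introduced <= version < fixed
            if parse_version(adv["introduced"]) <= ver < parse_version(adv["fixed"]):
                hits.append((adv["id"], adv["source"], name, tree[name][0], " -> ".join(path)))
    return sorted(hits)
```

Running `find_vulnerable("webapp", LOCKFILE, ADVISORIES)` flags the transitive `tls-util` (found only through the issue tracker feed in a real setup, here via the NVD-style record) and `yaml-parse`, while `http-lib` is skipped because its version is past the fixed release.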
JAXenter: What is the Contextual Pattern Matching Engine and what is its main benefit?
Rami Sass: WhiteSource has been evolving its detection capabilities, using diverse factors like multiple hashes, file metadata, full dependency resolution or package manifests, to provide best-in-class detection. The result has been our CPM engine, which has given us a significant boost for speed and accuracy, reducing sensitivity to local file edits, copying files between different systems, and various minor changes.
The primary benefit that we have heard from customers has been the 80% improvement in associating source files accurately to source libraries.
JAXenter: With everything that’s happening lately and all the security issues, how much is too much open source? How important is it to know exactly where your code is from?
Rami Sass: We don’t believe that there can be “too much open source” since there’s no point of investing your resources on reinventing the wheel. Your organization should develop their own code only when it comes to building an innovative and differentiating feature.
Open source is not any more or less secure than proprietary or commercial code. The question that organizations need to think about more is what processes they have in place to securely use and manage the open source components they use, with automated solutions.
Developers trust Linux, Apache, and many other open source projects for good reason. The open source community is doing a good job securing and improving the code with their “thousand eyes”, and offering quick fixes to newly discovered vulnerabilities. The problem starts when organizations are consuming open source components, but not taking responsibility for them. If software teams know what they are using and ensure that they are getting updates on issues found and new releases, then they will be able to harness the power of open source without increasing their risks.
Luckily, there are several solutions in the market offering to automate the entire process and help teams improve their security while automating many manual processes.
JAXenter: What is the value of open source? How about its challenges?
Rami Sass: Open source components are the building blocks of software development. They comprise between 60% and 80% of modern applications, giving developers the tools they need to create fantastic software without the need to reinvent the wheel every time.
As for the challenges, there are a few that organizations need to overcome. However, these issues can be easily contained if teams step up and take responsibility for their open source consumption.
Probably the first challenge to contend with is that there is a lot of information regarding vulnerabilities out there, and it is distributed among a wide array of sources. This “bazaar” situation means that an organization will face an uphill battle attempting to track all of these sources on their own.
Second is the fact that application security testing tools that organizations are using for their proprietary code are simply not designed to deal with open source. Instead, we need to trust that the community will find the vulnerabilities for us. Thankfully, the community appears to be doing a stellar job, finding more vulnerabilities every year, giving us the opportunity to keep our products safe. It then becomes our responsibility to listen to them when they find new issues and implement the required fixes.
Third, hackers have seen open source as a free lunch that they can use to attack organizations, using published, known vulnerabilities for carrying out their breaches without the need to put in the work of discovering them themselves. They are looking at the same sources that the security community is, and using them to target those organizations who have been too slow to patch. This puts the onus on software teams to step up their game, using the right solutions like SCA and making remediations as needed.