Addressing the Challenges of Open Source Security Management

August 20, 2020 Ayala Goldstein

Open source components have become the basic building blocks of software products, making up about 80% of modern applications. The question that arises in software development organizations is: who manages these components? Recently WhiteSource VP of Marketing, Maya Rotenberg, spoke to Website Planet about how WhiteSource helps organizations secure their open source components. 

Who’s Responsible for Open Source Security?

Rotenberg described a number of challenges that organizations relying on open source components must address. The first is that many developers don’t realize that once they add open source into their code, they need to take ownership of open source security. In order to achieve this, organizations need to track and manage the open source components that they are using. Another challenge is the difficulty of tracking security updates about open source components published across the large and decentralized open source community. 

Rotenberg explained that WhiteSource helps connect open source users with this information by continuously collecting information from millions of sources in the open source community and indexing the security data in a comprehensive database. This helps users track and manage their open source components and security vulnerabilities by using one automated tool that helps them securely harness the power of open source. 

The Challenge of Prioritization

As security testing tools become more widely adopted, a relatively new challenge that software development and security teams must address is the ever-growing number of security alerts they receive. Organizations are testing their application security frequently and continuously, presenting teams with a mountain of new security vulnerabilities that need to be fixed. 

Since remediating every security vulnerability in a timely manner is unrealistic, organizations need to find a way to ensure that they are fixing the most important and urgent issues first. Prioritizing security alerts requires teams to understand which issues present the most immediate risk to the organization. 

Most organizations rely on a variety of different parameters like a vulnerability’s severity score or how easy it is to remediate when attempting to decide which issues to address first. A recent report from WhiteSource and CYR3CON suggests a new and more effective way to prioritize vulnerabilities: check which vulnerabilities attackers seek out in order to understand which vulnerabilities to fix first. 
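The two steps described above, tracking which open source components are in use and then ranking the vulnerabilities that affect them, can be illustrated with a small script. The following is an added example written for this page; it is not WhiteSource's product, the CYR3CON report's method, or code from the original article. The manifest, the advisory entries (ADV-0001 and so on), the "exploited in the wild" flags and the scoring weights are all constructed for the illustration and are not real projects or real CVEs.

```python
"""Build an inventory of open source components from a manifest, match it
against an advisory feed, and rank the affected components so that the
issues attackers actually exploit are fixed first."""

# Constructed sample manifest in pip requirements style (not a real project).
MANIFEST = """\
# constructed sample manifest
requests==2.19.0
flask==1.1.2
pyyaml==5.3
"""

# Constructed advisory feed. The ids, versions, CVSS scores and
# "exploited" flags are hypothetical and do not describe real CVEs.
ADVISORIES = [
    {"id": "ADV-0001", "package": "requests", "fixed_in": "2.20.0",
     "cvss": 6.5, "exploited": False, "fix_effort": "patch"},
    {"id": "ADV-0002", "package": "pyyaml", "fixed_in": "5.4",
     "cvss": 9.8, "exploited": True, "fix_effort": "minor"},
    {"id": "ADV-0003", "package": "flask", "fixed_in": "2.0.0",
     "cvss": 5.3, "exploited": False, "fix_effort": "major"},
    # Already fixed in the installed version; must not produce an alert.
    {"id": "ADV-0004", "package": "pyyaml", "fixed_in": "5.3",
     "cvss": 7.5, "exploited": False, "fix_effort": "patch"},
]

# Assumed effort penalties: harder upgrades rank slightly lower when risk is equal.
EFFORT_PENALTY = {"patch": 0.0, "minor": 0.5, "major": 1.0}


def parse_manifest(text):
    """Return {package_name: pinned_version} from a requirements-style manifest,
    ignoring comments and blank lines."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        inventory[name.strip().lower()] = version.strip()
    return inventory


def parse_version(version):
    """Turn a dotted numeric version into a tuple that compares correctly
    ("2.19.0" < "2.20.0", unlike plain string comparison)."""
    return tuple(int(part) for part in version.split("."))


def find_affected(inventory, advisories):
    """Return the advisories whose package is in the inventory at a version
    older than the fixed version."""
    affected = []
    for adv in advisories:
        installed = inventory.get(adv["package"].lower())
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            affected.append({**adv, "installed": installed})
    return affected


def priority_score(adv):
    """Score an advisory: CVSS as the base, doubled when the vulnerability is
    known to be exploited (the signal the report favours), minus a small
    penalty for remediation effort. The weights are assumptions."""
    score = adv["cvss"]
    if adv["exploited"]:
        score *= 2.0
    return score - EFFORT_PENALTY.get(adv["fix_effort"], 0.0)


def prioritize(inventory, advisories):
    """Return [(advisory_id, score), ...] for affected components,
    highest priority first."""
    affected = find_affected(inventory, advisories)
    ranked = sorted(affected, key=priority_score, reverse=True)
    return [(adv["id"], round(priority_score(adv), 2)) for adv in ranked]


if __name__ == "__main__":
    for adv_id, score in prioritize(parse_manifest(MANIFEST), ADVISORIES):
        print(f"{adv_id}: priority {score}")
```

With the constructed data, ADV-0002 ranks first even though its upgrade is a minor-version jump, because it is the one flagged as exploited in the wild; ADV-0004 produces no alert because the installed version already contains the fix. In a real pipeline the manifest would come from the build and the advisory entries from a continuously updated feed, which is the part of the workflow that is hard to do by hand.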

While taking responsibility for application security is important, it doesn’t have to be an onerous task as long as you use tools that automate the process and prioritize the results. 

Automation Is Key for Security

Rotenberg points out that WhiteSource’s solution is part of a much wider trend towards adopting automated tools for security. As release cycles become shorter and shorter, and application security becomes a top concern for organizations, Rotenberg is pleased to see that automated testing is “finally getting the credit it deserves.” 

Automation allows teams to test frequently and continuously. It enables managers and team leaders to easily view and understand trends, performance, and the current security status of their applications without having to wait for a team to perform periodic testing. Application security testing (AST) tools help software development and security teams work together to integrate application security processes and practices without having to compromise on speed or agility. 
