As a product manager at WhiteSource, I see many customers who are facing different challenges with open source security. From the very basic issues, like knowing what they are actually using in terms of open source libraries, all the way to licensing and distribution, and of course, security. The greatest challenge, in my opinion, is being able to handle security in an efficient way, while making sure it doesn't slow us down.
These days in development, fast delivery is the secret. Over the past decade, companies that were born online have revolutionized how technology infrastructure is built and maintained, and how software applications are developed and deployed. However, it sometimes looks like processes, such as security, are just going to slow us down while we try to deliver features, or value, to our customers.
Developers rate security as their top concern when dealing with open source components, above integration and functionality. Moreover, a developer will invest an average of 15 hours a month dealing with open source security vulnerabilities. However, most of this time is actually invested in prioritization, research for the best fix, and understanding the vulnerability itself.
One of our missions here in WhiteSource’s product team is to prove that you can have a secure pipeline and code, without slowing down the development process. That’s why we’ve been busy expanding our developer-focused integrations, to provide developers with the open source security tools that they need within their native environments. Our latest technology for developers is our new integration with Atlassian Bitbucket.
Shifting Open Source Security Left with Bitbucket Server
Shifting left is an approach where we move application quality and security processes closer to the developer (or to the “left” of the delivery chain) so that potential issues can be detected and resolved as soon as possible, even before code is committed.
We believe that the ability to easily assess security as early as possible within the development phase will allow us to eliminate potential damage and delays in more advanced stages of the life cycle. This also applies to open source security — where tracking your open source vulnerabilities should be a part of the daily workflow.
How Does it Work?
The WhiteSource Bitbucket Server integration is a Bitbucket Server app that scans your repositories, as part of your WhiteSource account. It is an integrated product within Bitbucket Server that shows a high-level security overview in the Bitbucket repository, detects all open source components and displays all vulnerabilities for these components.
WhiteSource will scan your repos every time you apply a push and will present a new record for every vulnerable open source library dependency the minute it is added.
The overview report lets you have a quick glance of the vulnerabilities in your existing repository. On each commit, you can view the issues for that specific commit along with the severity, CVSS score, and CVE ID.
You can also get a more detailed report with reference links, a dependency tree (if it exists), vulnerability information, and suggested fixes.
open source security report
Using code insights, you can scan opened pull requests to ensure they are not introducing new open source vulnerabilities.
In Bitbucket’s pull request interface, changes are scanned by WhiteSource for new vulnerabilities and you can view detailed annotations next to each change that introduces a new issue. These annotations make it easier to understand the results of the scan and support informed decisions.
WhiteSource also provides continuous automated dependency updates, to help you save time and reduce your security risks. The add-on discovers and processes all dependency files in a repository and automatically opens pull requests with the fixed version for detected vulnerabilities.
With the implementation of this new Bitbucket Server integration, developers can analyze the scan results from within their regular workflow in Bitbucket, without having to move away to WhiteSource for a deeper analysis.
Baking Open Source Security into The DevOps Pipeline
When dealing with open source security, we want developers to be able to address vulnerabilities easily, from their development environments. The WhiteSource Bitbucket Server integration helps developers stay on top of their open source vulnerabilities, and to understand the criticality and remediation course for every open source security vulnerability.
Automated security alerts, detailed dependency trees, and comprehensive information about open source vulnerabilities, along with the option to automatically open pull requests for fixes, provide a seamless way to bake security into the lifecycle, without affecting the pace of the development.