Modern software development in the era of DevOps preaches the mantra of “test early and often” in hopes of catching bugs early, reducing the need for major overhauls before a release.
In recent years, we have seen the inclusion of security into the SDLC with the transition to the DevSecOps model as developers have stepped into their responsibility for managing issues of vulnerabilities in their code. Staying true to the “test early and often” course, developers are testing for vulnerabilities at increasingly earlier stages of the Software Development Life Cycle (SDLC), utilizing automated AppSec technologies to help make working securely less of an effort.
Moving beyond the build stage, a lot of the effort has shifted left towards the IDE stage where much of the magic happens. A wide range of tools is now available to help developers identify potential vulnerabilities while they are coding, acting as a sort of spell checker before their code is sent on to the next stage. Initially, many of these IDE integrations were aimed at tackling static code analysis for proprietary code, but have expanded to include capabilities to help manage vulnerabilities in open source components.
Often considered the building blocks of software, open source components comprise between 60-80% of the codebase in modern applications, creating a strong incentive for coverage by security tools.
Meet WhiteSource Advise
WhiteSource has recently announced the launch of a new partnership with Codota to bring our industry-leading experience and knowledge base of open source vulnerabilities to reach more developers in their native environment — the IDE.
The partnership looks bring WhiteSource’s powerful open source security solution to Codota’s successful autocompletion technology that helps developers code faster when integrating open source components into their software.
In offering the new plug-in for the IntelliJ IDEA, WhiteSource customers can receive both coding suggestions from Codota as well as real-time alerts on vulnerable open source components when they are added into the product. The plug-in draws its vulnerability data from WhiteSource’s proprietary open source vulnerabilities database, which aggregates from a wide range of security resources including the National Vulnerability Database, project issue trackers, and other security advisories.
Designed to be a lightweight option that is capable of alerting developers to pressing issues without disrupting their workflow in the IDE. Alerts appear at the line of code where the vulnerable component is being added, negating the need to open up additional UIs such as dashboards or issue trackers to receive alerts. Developers can even receive suggested fixes on the spot, saving them the time of having to perform the research themselves.
In using the plug-in, developers may notice that it maintains a low profile. We decided to forego the flash in favor of an approach that would allow developers to receive the information they need to keep their products secure without being overwhelmed.
Security Tools that Focus on Developers
WhiteSource Advise for IntelliJ IDEA is a component of WhiteSource’s goal of building a suite of tools that make using open source components a smoother, more secure experience for developers.
Whereas many of the AppSec technologies were built with security professionals in mind, alerting with high frequency and volume, WhiteSource is creating tools based on the understanding that developers require a different approach for their vulnerability management tasks. It is not enough to bombard them with alerts on vulnerabilities when developers need solutions, fast.
What has emerged is WhiteSource for Developers, an offering that focuses first on shifting left to identify vulnerable open source components at the earliest stages — before making a pull request from a site, in repos, and in the IDE — to prevent a vulnerability from becoming an issue in the first place. Next, WhiteSource Remediate closes the gap from alerting to remediation by automatically generating fix pull requests for vulnerable, outdated versions of components in order to make it easier to stay up to date and secure.
Looking to Future Partnerships and Integrations
Following the successful launch of this plug-in in partnership with Codota, WhiteSource will continue to seek out new avenues to bring powerful functionalities to our customers in their native environments, hopefully bringing new powerful integrations to more platforms in the near future.