Northern Safety case study

Creating a Policy and Sticking to It

Receiving a full range of essential services for open source security and license management, Bailey says that he relies most on WhiteSource's ability to keep components with high-risk vulnerabilities from entering his code. So how does Bailey know that his products are safe from risky components or unwanted licenses? In his initial setup with WhiteSource, he applied the policies that fit his organization's security and legal standards, along with the corresponding automated enforcement response if someone tried to violate a policy. This meant that if a library was found to have a known vulnerability, he could choose to have it blocked from entering his environment, going so far as to fail the build if a non-compliant piece of code entered where it was not supposed to be. If there is a policy violation, Bailey and his security manager receive a notification so they can follow up with information about the offending component. Since he has set policies that block any libraries that do not meet his standards, he doesn't have to worry about vulnerabilities or unwanted licenses getting into his build, eliminating the need to go back and tear out the bad code.

With WhiteSource constantly running in the background, Bailey knows that its database is continuously updated with new vulnerabilities from multiple sources, beyond what is published by the National Vulnerability Database (NVD), and that he will be sent alerts for necessary patches. He notes that his team is currently working on patching a vulnerability that WhiteSource had pointed to in a specific project where they were using Angular.js. Since they use the versions that were identified as high impact on their public-facing eCommerce page, he explains, this saved them from a potential XSS attack.
Along with their QA and code reviews, Bailey says that "WhiteSource is a part of our safety net in terms that it alleviates the developer from having to be constantly reviewing any vulnerability issues, or always checking out the latest version of the Angular platform codes to see if there's a new vulnerability that started. So, they can just develop, rather than have to worry about that."

"What I like about this is that it runs in the background, and therefore doesn't disrupt the developer's workflow. They can develop, but at the same time, as a manager, I can become aware of any potential issues, and have them resolved."
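The policy gate described above (block components with high-risk known vulnerabilities or unapproved licenses, fail the build, and notify the owner and the security manager) as an added example, not WhiteSource's own code or configuration. The scan data, advisory ids, license list and recipient addresses are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Component:
    name: str
    version: str
    license: str
    vulns: list  # (advisory id, severity) pairs; ids used below are placeholders


# Policy in the spirit of the case study: block high-risk vulnerabilities and
# unapproved licenses, fail the build, and notify the owner and security manager.
POLICY = {
    "blocked_severities": {"high", "critical"},
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    # Placeholder recipients, not real addresses.
    "notify": ["owner@example.invalid", "secmgr@example.invalid"],
}


def evaluate(components, policy=POLICY):
    """Apply the policy to a scan result; return (build_passes, violations, notifications)."""
    violations = []
    for c in components:
        if c.license not in policy["allowed_licenses"]:
            violations.append((c.name, c.version, f"license {c.license} not approved"))
        for advisory_id, severity in c.vulns:
            if severity.lower() in policy["blocked_severities"]:
                violations.append((c.name, c.version, f"{advisory_id} ({severity})"))
    # Every violation goes to every recipient so the follow-up is not missed.
    notifications = [(who, f"{n}@{v}: {why}")
                     for (n, v, why) in violations for who in policy["notify"]]
    return (not violations, violations, notifications)


# Constructed scan result, not real data: one component with a high-severity
# advisory (placeholder id), one with an unapproved license, one clean.
SAMPLE_SCAN = [
    Component("angular", "1.x-sample", "MIT", [("ADVISORY-PLACEHOLDER-1", "High")]),
    Component("some-lib", "2.0.0", "GPL-3.0-only", []),
    Component("lodash", "4.17.21", "MIT", []),
]

if __name__ == "__main__":
    ok, found, notes = evaluate(SAMPLE_SCAN)
    print("BUILD", "PASSED" if ok else "FAILED")
    for who, msg in notes:
        print(f"notify {who}: {msg}")
    raise SystemExit(0 if ok else 1)  # non-zero exit is what fails the CI job
```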
