WhiteSource has, to date, sent its users over 14,000 security alerts as security vulnerabilities were discovered in the open source libraries they use to build their software. The WhiteSource solution is now available for the immediate detection of the newly discovered Shellshock too.
The growing use of open source components in today’s product development introduces new challenges to ISVs and their customers.
In-house developed code is closely managed and analyzed to ensure quality and early discovery of bugs and security vulnerabilities.
However, open source components, which make an average of 80% of commercially developed software, are sometimes undermanaged, and may introduce substantial quality and security issues into the products they are part of.
The newly discovered Shellshock bug is a great example. Shellshock, disclosed on 24 September 2014, is a security bug in the widely used Unix Bash shell.
A significant benefit of using open source components is the fact that there is an entire community of developers and users that test, use, fix and improve them.
But users of these open source components need to make sure that they know about newly discovered vulnerabilities, available fixes and new versions. Since most commercial products use hundreds of open source components, this is not a small task.
WhiteSource closes the loop for its customers.
When a developer uses open source he chooses the latest version of the library, but from that point on, there is usually no one tasked with continuously monitoring the various repositories for newly discovered security vulnerabilities or fixes. says Rami Sass, CEO of WhiteSource. As a result, software products are often shipped with known vulnerabilities and other bugs hidden within the open source components they rely on. A recent research we have conducted discovered that 24% of commercial software projects contained known security vulnerabilities, even though in most cases (98%) a fix was already available. This represents a significant risk for the customer using the software, and ultimately for the software vendor itself, says Mr. Sass.
WhiteSource continuously searches the various repositories for security vulnerabilities, as well as for new versions that fix these vulnerabilities and other bugs.
Since WhiteSource knows the exact open source content of each project of each of our customers at any given point in time, we can proactively and immediately alert them when relevant vulnerabilities are found, as well as when they are fixed. This provides a tremendous and immediate value to R&D, QA, and Support teams, adds Rami.
WhiteSource customers are automatically notified when a security vulnerability is discovered in specific open source component used in one of their projects, as well as when a new version is available that fixes it.
Companies worried about Shellshock and other open source vulnerabilities can now use WhiteSource’s solution to detect components that are afflicted with the Shellshock bug.
The solution will be explained and demoed in a free webinar on October 1st, 9:30 am PST, by Mr. Rami Sass, CEO at WhiteSource.
The webinar is recommended to R&D executives, information security managers, legal and compliance professionals.
To pre-register for the event, please visit webinar registration page.
WhiteSource lets R&D executives effortlessly manage the open source components that are used within their products. Specifically, WhiteSource allows them to easily manage and control open source inventory, license risks and compliance, and security vulnerabilities patches.
Commercial software today routinely combines proprietary code and open source components. However, the open source components are sometimes substantially undermanaged for legal and technical risks.
WhiteSource sets out to make management of open source components effortless, and accessible to companies of all sizes.
The WhiteSource solution fully automates all open source management needs. It automatically discovers all open source components, and continuously detects new components as they are added. Licenses are automatically identified and their risks and requirements are analyzed and presented. Acceptance policies can be automatically enforced across all development environments. Proactive alerts are provided whenever new security vulnerabilities are discovered in open source used in a customer product.
WhiteSource integrates easily and natively into the software development environment using simple to install plugins.
For more information, visit http://www.whitesourcesoftware.com/