Tsaela Pinto, Director of Knowledge R&D at WhiteSource, spoke at the Azure DevOps meetup in Tel Aviv about how developers should take part in maintaining open source security.
Winning open source vulnerabilities without losing your developers - Azure DevOps meetup
1. Winning Open Source Vulnerabilities Without Losing Your Developers
WhiteSource Software Internal and Proprietary
Tsaela Pinto
Director of Knowledge R&D
20. Top challenge in using open source components
One challenging area is #1: Vulnerabilities
21. How much time is spent?
Survey answer options: None / 1 - 10 hours / 11 - 20 hours / 21 - 35 hours / 36 - 60 hours / Over 60 hours
15 hours/month spent on average by every developer on security vulnerabilities
22. What are the common tasks?
99% appear responsive and reactive…
Survey answer options:
● Nothing
● Research to better understand the vulnerability and its impact
● Remediate based on the open source community recommendation
● Report to the other teams (Security/DevOps) or a manager
● Remediate only through patches (if available)
24. Common prioritization methods
● Criticality of the project that might be impacted by the vulnerability
● Availability of the suggested fix
● Perceived impact of the vulnerability on projects
● Number of software libraries containing the vulnerability
● Vulnerability severity
● Creation date of the vulnerability alert
56% opt for security/business-oriented prioritization
29. Impact-based Prioritization: Real-life Observations
● 100% of the projects found vulnerable
● 86% of vulnerabilities are ineffective
● 36% of projects are effective
● 90% in transitive dependencies
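The two slides above describe a ranking problem: an alert is only "effective" if the vulnerable component is actually used by the application, and the effective alerts are then ordered by the factors the survey lists (severity, fix availability, perceived impact, how many libraries carry the component, alert age). The following is an added illustration of that idea and is not code from the talk or from WhiteSource. It assumes a toy dependency graph and a toy call graph standing in for the usage analysis, plus four constructed alerts with placeholder advisory ids; real tooling would derive the graphs from the build and from static analysis.

```python
"""Impact-based prioritization of open source vulnerability alerts.

Added example, not from the talk or from WhiteSource. The dependency graph,
call graph and alerts below are constructed toy data.
"""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed dependency graph: package -> packages it depends on.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "json-lib"],
    "web-framework": ["http-parser", "template-engine"],
    "http-parser": ["string-utils"],
    "template-engine": [],
    "json-lib": ["string-utils"],
    "string-utils": [],
}

# Constructed call graph: "package:function" -> functions it calls.
CALL_GRAPH = {
    "app:main": ["web-framework:serve", "json-lib:dumps"],
    "web-framework:serve": ["http-parser:parse_headers", "template-engine:render"],
    "http-parser:parse_headers": ["string-utils:trim"],
    "http-parser:parse_chunked": ["string-utils:split"],  # never reached from app:main
    "json-lib:dumps": [],
    "template-engine:render": [],
    "string-utils:trim": [],
    "string-utils:split": [],
}


@dataclass(frozen=True)
class Alert:
    advisory_id: str          # placeholder id, not a real CVE number
    package: str
    vulnerable_function: str  # "package:function" that carries the flaw
    severity: float           # CVSS-like score, 0-10
    fix_available: bool
    perceived_impact: int     # analyst estimate, 1 (low) to 3 (high)
    days_open: int            # age of the alert


# Constructed alerts: two hit code the app reaches, two hit code it never calls.
ALERTS = [
    Alert("ADV-0001", "string-utils", "string-utils:split", 9.8, True, 3, 30),
    Alert("ADV-0002", "string-utils", "string-utils:trim", 7.5, True, 2, 10),
    Alert("ADV-0003", "template-engine", "template-engine:render", 5.3, False, 1, 90),
    Alert("ADV-0004", "http-parser", "http-parser:parse_chunked", 8.1, True, 2, 5),
]


def reachable_functions(entry: str = "app:main") -> Set[str]:
    """Breadth-first walk of the call graph from the application's entry point."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        fn = queue.popleft()
        for callee in CALL_GRAPH.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def dependency_depth(package: str, root: str = "app") -> Optional[int]:
    """Shortest path from the app to the package: 1 = direct, >1 = transitive, None = not used."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        for dep in DEPENDENCY_GRAPH.get(pkg, []):
            if dep not in depth:
                depth[dep] = depth[pkg] + 1
                queue.append(dep)
    return depth.get(package)


def dependents_count(package: str) -> int:
    """How many libraries pull the package in (the survey's 'number of libraries containing the vulnerability')."""
    return sum(1 for deps in DEPENDENCY_GRAPH.values() if package in deps)


def classify(alerts: List[Alert], entry: str = "app:main") -> Tuple[List[Alert], List[Alert]]:
    """Split alerts into effective (vulnerable function reachable) and ineffective."""
    reached = reachable_functions(entry)
    effective = [a for a in alerts if a.vulnerable_function in reached]
    ineffective = [a for a in alerts if a.vulnerable_function not in reached]
    return effective, ineffective


def prioritize(alerts: List[Alert]) -> List[Alert]:
    """Rank effective alerts: severity, then fix availability, perceived impact, spread, age."""
    effective, _ = classify(alerts)
    return sorted(
        effective,
        key=lambda a: (a.severity, a.fix_available, a.perceived_impact,
                       dependents_count(a.package), a.days_open),
        reverse=True,
    )


def summarize(alerts: List[Alert]) -> dict:
    """Report the ranked effective alerts, the suppressed ones, and the noise reduction."""
    _, ineffective = classify(alerts)
    ranked = prioritize(alerts)
    return {
        "effective": [(a.advisory_id, a.package,
                       "direct" if dependency_depth(a.package) == 1 else "transitive")
                      for a in ranked],
        "ineffective_ids": [a.advisory_id for a in ineffective],
        "share_ineffective": len(ineffective) / len(alerts),
    }


if __name__ == "__main__":
    for key, value in summarize(ALERTS).items():
        print(f"{key}: {value}")
```

With the constructed data, half the alerts are suppressed as ineffective even though one of them carries the highest severity score, and both effective alerts sit in transitive dependencies, which is the pattern the slide reports. The ranking key is deliberately a tuple so that the order of the factors is explicit and can be changed to match a team's own policy.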
30. Takeaways
1. Open source code is essential
2. 30% of the packages are vulnerable, and rising
3. Open source vulnerabilities matter
4. If you can’t beat them - prioritize them
33. WhiteSource Bolt
Fully integrated within Azure DevOps
“We want Microsoft’s users to have access to the best industry solutions for open source management. That’s why we reached out to partner with WhiteSource.”
Sam Guckenheimer, Group Product Planner, Microsoft
34. What is WhiteSource Bolt
● Find & Fix Open Source Vulnerabilities: detect vulnerable components & see actionable fix recommendations
● Generate Inventory Reports: get a detailed BoM with all transitive dependencies
● Ensure License Compliance: discover all used open source licenses in your project
41. The cost of fixing security and quality issues is rising significantly as the development cycle advances.
Source: Ponemon Institute Research
● Coding: $80/Defect
● Build: $240/Defect
● QA & Security: $960/Defect
● Production: $7,600/Defect
Detect Issues As Early As Possible
42. Find & Fix Vulnerabilities
● Over 200K vulnerabilities from multiple sources
● Actionable fix suggestions
● Accurate matching with no false positives
55. What Is WhiteSource?
● Get Full Visibility Throughout The SDLC: manage your entire pipeline, including your binary repositories, package managers, build tools, CI servers and container environments, covering over 200 languages.
● Enforce Policies Automatically: approve, reject, reassign or even open an issue ticket to get full control and automate current manual, time-consuming tracking and approval processes.
● Effective Usage Analysis: prioritization tool that can reduce 70% of all security alerts by usage analysis technology.
● License Compliance: full visibility on all open source licenses in use.
56. WhiteSource leads the way with the highest score for current offering and strategy in the latest Forrester Wave™ SCA Report.
The Forrester Wave: Software Composition Analysis 2019