Open source code is everywhere, helping developers deliver code quickly and efficiently. But, if those open source components are insecure, the result can be a catastrophic data breach. To prevent this from happening, companies are turning to Software Composition Analysis (SCA) solutions to identify vulnerabilities in the open source libraries they’re using.
Join Veracode to learn how your development teams can easily identify open source libraries in use, their vulnerabilities, licenses, and risks to their applications – helping you protect both your applications and customer data. Want to learn more about the latest solutions?
Donu’t Let Vulnerabilities Create a Hole in Your Organization
1. Donu’t Let Vulnerabilities Create a Hole in Your Organization
Javier Perez
Director of Product Management SCA
2. Explosive Growth of Open Source
40M+
* Developers Worldwide
2M+
* Organizations
100M+
* Repositories
40+% growth in 2018
* Source: GitHub as of August 2019
3. App Development with Open Source
1.1M+ NPM modules, 803 new/day
309K+ Maven Central modules, 142 new/day
244K+ Packagist modules, 113 new/day
202K+ PyPI modules, 142 new/day
175K+ NuGet modules, 171 new/day
155K+ RubyGems modules, 23 new/day
* Source: Modulecounts as of Nov 1st 2019
5. Latest Innovations are Open Source
AI, Machine Learning, Deep Learning, Blockchain, Virtual Assistance, Augmented Reality, Virtual Reality, Autonomous Cars, …
Visual Studio Code, Docker, Kubernetes, TensorFlow, React, Linux, …
6. Why Are Businesses Adopting OSS?
• To start for free or at a very low cost
• Use of the latest innovations
• Faster pace of bug and vulnerability fixes
• Many options and many sources for support via documentation, community forums/portals, videos and blog posts
• Developers are becoming full-stack developers, using open source stacks (MEAN, LAMP, others)
• Easier to recruit developers
7. Security and Open Source Software
• Vulnerabilities in Open Source Libraries
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS)
• Vulnerabilities outside CVE and NVD
(Timeline figure: Vulnerability Discovered → Vulnerability Fixed)
8. Major Challenges Solving OSS Security
Silent Fixes
Risk prioritization
Transitive vulnerabilities
Speed of DevOps
9. Breaking the NVD Model (Silent Fixes)
• NVD was designed for a different era
– Fewer, large commercial vendors
– Manual, tightly controlled process
• OSS development embraces DevOps
• NVD cannot cope with the velocity and volume of submissions
• CVEs do not provide the exact library, vulnerable versions, and vulnerable code segment
• Hackers are watching OSS commits for silent fixes of vulnerabilities they can exploit in the wild
10. Not Every OSS Vulnerability Is Exploitable (Risk Prioritization)
• Each OSS library may have 100s of functions and methods
• Vulnerabilities are usually tied to only one method
• First-party code only calls a handful of methods in the library
• Most solutions don’t let you prioritize the applications where the vulnerable function is actually being called
• Prioritize by Vulnerable Methods and by CVSS score
11. Risk Can Hide Layers Deep (Transitive Vulnerabilities)
• Vulnerabilities may lie in direct dependencies or much deeper – in dependencies of dependencies
• Developers do not test transitive dependencies
• It’s easy to miss vulnerabilities hidden in transitive dependencies
(Diagram: 1st Party Code sitting on several layers of OSS Libraries, with a Vulnerable Library deep in the tree)
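As an added example that is not part of the deck or Veracode's product, the Python below shows the two points from slides 10 and 11 working together: it walks a constructed dependency graph down through transitive dependencies, matches each installed version against a constructed vulnerability list (placeholder ids, not real CVEs), and ranks findings with reachable vulnerable methods first and CVSS second. All library names, versions and methods are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass

# Constructed dependency graph: library -> (installed version, direct dependencies).
DEPENDENCIES = {
    "app": ("1.0.0", ["web-framework", "json-utils"]),
    "web-framework": ("2.3.1", ["template-engine", "http-core"]),
    "json-utils": ("0.9.2", []),
    "template-engine": ("4.0.0", ["string-helpers"]),
    "http-core": ("1.8.5", []),
    "string-helpers": ("1.2.0", []),
}
# Constructed vulnerability records with placeholder ids (not real CVEs).
VULN_DB = [
    {"id": "VULN-EXAMPLE-1", "lib": "string-helpers", "versions": {"1.2.0", "1.2.1"}, "cvss": 9.8, "method": "unescape_html"},
    {"id": "VULN-EXAMPLE-2", "lib": "json-utils", "versions": {"0.9.2"}, "cvss": 7.5, "method": "parse_untrusted"},
    {"id": "VULN-EXAMPLE-3", "lib": "http-core", "versions": {"1.8.5"}, "cvss": 5.3, "method": "parse_chunked"},
]
# Constructed (library, method) pairs called directly by first-party code. Real SCA
# also follows calls through intermediate libraries; this keeps the deck's simplification.
FIRST_PARTY_CALLS = {("json-utils", "parse_untrusted"), ("http-core", "send")}

@dataclass
class Finding:
    id: str
    lib: str
    depth: int        # 1 = direct dependency, >1 = transitive
    cvss: float
    reachable: bool   # vulnerable method is called from first-party code

def resolve(root, graph):
    """Breadth-first walk returning {library: depth} for direct and transitive deps."""
    depths, queue = {}, deque([(root, 0)])
    while queue:
        lib, depth = queue.popleft()
        if lib in depths:       # diamonds/cycles: keep the shallowest path
            continue
        depths[lib] = depth
        queue.extend((child, depth + 1) for child in graph[lib][1])
    del depths[root]            # the application itself is not a dependency
    return depths

def prioritize(root, graph, vuln_db, calls):
    """Match resolved versions against vuln_db; rank reachable first, then by CVSS."""
    findings = []
    for lib, depth in resolve(root, graph).items():
        for v in vuln_db:
            if v["lib"] == lib and graph[lib][0] in v["versions"]:
                findings.append(Finding(v["id"], lib, depth, v["cvss"], (lib, v["method"]) in calls))
    return sorted(findings, key=lambda f: (not f.reachable, -f.cvss))
```

Note that the highest-CVSS finding sits three levels deep and is ranked below the lower-scored one whose vulnerable method the application actually calls.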
12. DevOps Speed and Automation (Speed of DevOps)
• Constant development and constant deployment
• Test automation, build automation, but not security automation
• Security teams become gatekeepers instead of enablers
• AppSec scanning of 1st party code instead of 3rd party code
13. Securing the Use of OSS
Software Composition Analysis
• Scan open source code to identify vulnerabilities and licenses in open source libraries
• Provide a Bill of Materials with all open source libraries and corresponding open source licenses
• Identify open source libraries versions that have vulnerabilities
• Identify code that uses vulnerable methods in open source libraries
• Provide policy compliance and notifications
• Reporting and integration capabilities
15. Bill of Materials with all Open Source Libraries used, including transitive libraries
(Diagram, Identify Dependencies: source code → open source library used as a direct dependency → transitive libraries, one of them with a vulnerability)
18. Pull Request with Fix
• Git repositories accept pull requests to update source code
• Automatic pull requests to update vulnerable libraries are the ideal solution
– Scan
– Report Vulnerabilities
– Report Fix
– Automatically create a Pull Request with the Fix
• Pull requests that modify package dependency files, moving direct dependencies to safe versions of the library
• Ideal support for GitHub, GitHub Enterprise, GitLab, Bitbucket and others.
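The last two bullets describe the fix step of the scan → report → fix → pull request flow. As an added example that is not Veracode's code, the Python below rewrites exact pins in a constructed requirements.txt for direct dependencies flagged by a (constructed) scan result, leaving version ranges and unrelated lines untouched, and produces the title and body for the pull request. The regex and file layout are simplifications assumed for the example.

```python
import re

# Constructed requirements.txt for a hypothetical project (not a real dependency file).
REQUIREMENTS = """\
# web stack
web-framework==2.3.1
json-utils==0.9.2   # parses API payloads
http-core>=1.8,<2.0
requests-mock==1.11.0
"""
# Constructed scan result: vulnerable direct dependency -> lowest safe version.
SAFE_VERSIONS = {"json-utils": "0.9.3", "http-core": "1.8.6"}

# Matches only exact '==' pins; ranges and markers are deliberately not matched.
PIN = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)(?P<spec>==[^\s#]+)(?P<rest>.*)$")

def apply_fixes(requirements, safe_versions):
    """Rewrite exact '==' pins of vulnerable direct dependencies to the safe version.

    Version ranges such as 'http-core>=1.8,<2.0' are left alone: they already
    admit the fixed release, so the resolver picks it up on the next install.
    Comments, blank lines and unrelated packages are preserved unchanged.
    Returns (new file text, [(name, old_version, new_version), ...]).
    """
    out, changed = [], []
    for line in requirements.splitlines():
        m = PIN.match(line)
        if m and m["name"].lower() in safe_versions:
            old, new = m["spec"][2:], safe_versions[m["name"].lower()]
            if old != new:
                changed.append((m["name"], old, new))
                line = f"{m['name']}=={new}{m['rest']}"
        out.append(line)
    return "\n".join(out) + "\n", changed

def pull_request_text(changed):
    """Title and body for the pull request the scanner would open automatically."""
    title = f"Bump {len(changed)} vulnerable dependency pin(s) to safe versions"
    body = "\n".join(f"- {name}: {old} -> {new}" for name, old, new in changed)
    return title, body
```

A dependency that only appears transitively is not in this file at all, which is why the slide ties the automatic fix to direct dependencies: the direct parent has to be bumped to a release that pulls in the fixed transitive version.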
19. CI/CD: Where to Apply Software Composition Analysis
Pipeline stages: Code → Commit → Build → Test → Release → Deploy → Operate
(Diagram: Agent-based Scan and Application Upload both feed Veracode SCA)
21. How to Address OSS Vulnerability Challenges
Silent Fixes: Proprietary Database with No-CVEs
Risk Prioritization: Prioritized Vulnerable Methods and Automatic Pull Request Generation
Transitive Vulnerabilities: Identify Dependencies
Speed of DevOps: SCA Scan in CI pipelines
22. Software Composition Analysis
(Diagram labels: Cloud, DevOps, Open Source)
• DevOps: analysis of apps or source code (shift left or right)
• Upload App or Agent-based
• Proprietary Database
• CVEs, Reserved CVEs, No-CVEs & Vulnerable Methods
• Multi-language support
• Prioritized Findings
• Dependency Graphs
• Scores, Policies, Rules, and Alerts
• Identification of license risks