With the projected revenue of open source services set to double in the next few years, and with public package registries such as npm (Node Package Manager) and NuGet now the default way to obtain libraries, developers are pulling packages from an increasingly varied set of sources, some of them carrying known security vulnerabilities. The developer community is, however, taking positive steps to address this.
Automating Vulnerability Scanning
Vulnerability scanning is the automated identification of known vulnerabilities in a system. In the context of open source software it means checking the packages a project depends on against a database of published advisories, and developers are now building tools that do exactly that.
Snyk, a London-based technology start-up, is addressing the issue with a scanner that finds known vulnerabilities in a project's open source dependencies, helping developers ship more secure code.
The firm was named a 2018 Gartner Cool Vendor in Application and Data Security this month for its work in this area. Snyk CEO Guy Podjarny (formerly CTO at Akamai) said this week:
“We started Snyk with the belief we can build a security solution developers love, and one that truly addresses your open source security concerns. We believe this report validates our developer first approach and remediation automation focus are what customers need as they embrace open source and accelerate their digital transformation.”
He also addressed the difficulty firms have in being agile and secure at the same time, a tension that matters given that over 70 percent of organisations report using some form of agile (an iterative approach to managing software projects), according to PMI.
NPM Audit
Last month's release of npm v6, the command-line client for the prominent package registry (which serves over 2 billion downloads per week), included a new auditing tool, npm audit, similar in aim to Snyk.
This gives developers dependency auditing out of the box, behind a simple command-line interface. The tool walks a project's dependency tree, direct and transitive dependencies alike, and compares each installed package version against a database of known vulnerabilities. As with any database-driven scanner, it can only flag vulnerabilities that have already been published, and it reports a vulnerable package whether or not the project actually calls the affected code.
The npm team's long-term aim is to make vulnerabilities more visible to developers, so that the maintainers of widely used packages fix them and the benefit flows to everyone who depends on those packages.
“In the longer term, prominent vulnerability warnings and actionable security alerts will raise the floor for everyone. When a developer of a popular package notices they have been bringing in a vulnerable dependency and switches to using a fixed version, instead, every package that depends upon this popular package will now grow safer, too. Everyone stands to benefit from this network effect,” the team wrote in a blog post.
WhiteSource Joins the Party
WhiteSource, meanwhile, is releasing its Effective Usage Analysis tool on Tuesday, May 22. It also relies on automation, but applies it to a different part of the problem: deciding which of the vulnerabilities a scan reports actually matter to a given project.
Rather than forcing developer teams to sift through hundreds of alerts to work out which are most severe, it distinguishes vulnerable functions that are effective (reachable from calls in the proprietary code) from those that are present in a dependency but never called, which the company claims reduces the number of alerts developers receive by 70 percent. The practical caveat with any such reachability analysis is that a static call graph can miss dynamically dispatched calls, so a vulnerability marked not effective is better treated as lower priority than as safe to ignore.
“Ours is the first tool to equip developer teams with the ability to pinpoint the exact path to the vulnerable functionality in the code with full trace analysis. This enables developers to spend less time on open source vulnerability remediation and more time doing their jobs”, WhiteSource said in an emailed statement.
A Step in the Right Direction
With the continual growth of open source technology and the steady stream of vulnerabilities found in it, the developer community is combining efforts to resolve these widespread issues. There is still work to be done, but it is good to see the community taking the problem seriously and responding with innovative new tools.