Most of us can agree that open source software (OSS) has had an overwhelmingly positive impact on software development and product innovation. It’s evidenced by its overwhelming use in the enterprise.
Forrester recently reported that open source components made up 75% of all codebases in 2020, up from 36% just five years prior. There were 60 million new repositories created on GitHub in 2020 alone, according to the 2020 State of the Octoverse report, and 56 million developers made 1.9 billion contributions on the open-source development platform.
But on the flip side of that positive growth is risk.
A record 18,103 security vulnerabilities were disclosed in 2020, at an average rate of 50 CVEs per day, Redscan’s recent analysis of NIST’s National Vulnerability Database (NVD) showed. More than half were classified as critical or high severity, and there has been a huge increase in Common Vulnerabilities and Exposures (CVEs) that are low in complexity, meaning they need no user interaction or only limited technical skill to exploit.
If those numbers aren’t enough to get your attention, consider that securing OSS has the attention of the US government. Following high-profile cyberattacks on critical infrastructure, President Joe Biden issued an Executive Order in May of 2021, calling for “action to rapidly improve the security and integrity of the software supply chain.”
This includes requirements for federal agencies to formalize the documentation of open source use and open source dependencies, provide artifacts and a software Bill of Materials (SBoM), and ensure regular audits and enforcement of OSS governance policies.
Central to all of that? The use of automated tooling to scan for vulnerabilities and remediate them.
Want a deep dive on the EO? Check out our recent post on What SaaS Companies Need To Know About The 2021 Cybersecurity Executive Order.
That Executive Order is sure to have broad-reaching effects, touching not only on the federal agencies it covers, but the private industry that supplies them and the environment in which everyone operates. Given all that, we thought we’d scan the market and give a broad overview of OSS vulnerability scanning tools.
It’s important to keep in mind that vulnerability scanning is only one component of Software Composition Analysis (SCA), which minimizes overall risk presented not only by vulnerabilities, but also by ensuring OSS license compliance and the development and enforcement of OSS governance policies.
At a Glance: Open Source Vulnerability Scanning Tools
There are many tools that offer support for the full software development lifecycle (SDLC), and which aim to embed software composition analysis (SCA) as early as possible in the process, something known in the industry as “shift left.”
Check out some of the SCA and open-source vulnerability scanning tools on the market today:
Dependencies, code referenced and bundled to make a software package work, make up 80% or more of most application code in modern software. GitHub’s Dependabot alerts developers to vulnerabilities in public repos, and automatically updates dependencies and versions. It’s turned on by default for public repositories, and developers can opt out of using it. Developers must opt in to enable Dependabot in private repositories.
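As an added illustration of what enabling Dependabot looks like in practice (this is a constructed example, not configuration from the original post or from GitHub), the file below is a `.github/dependabot.yml` in the version 2 format. The ecosystems, directory and schedule are assumptions for a hypothetical repository that ships an npm package and uses GitHub Actions workflows:

```yaml
# .github/dependabot.yml  (constructed example; ecosystems, paths and schedule are assumptions)
version: 2
updates:
  # Check the npm manifest at the repository root once a week and open one
  # pull request per outdated dependency, capped at 10 open PRs at a time.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"

  # Workflow actions are dependencies too: keep the versions referenced in
  # .github/workflows up to date on the same cadence.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

This file drives Dependabot version updates. Vulnerability alerts and the automatic security pull requests that fix them are toggled in the repository's security settings rather than in this file, which is where a private repository opts in to them.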
If you need on-premise support, SonarQube, part of the SonarSource product set, provides functionality to help ensure code quality and security scanning. It includes thousands of static code analysis rules to help developers build and release clean, quality code, as well as maintain it and ensure it is secure.
One of the major challenges in adopting SCA can be separating noise from threats that pose a real risk to the organization and users. False positives can become a nuisance for developers and erode confidence in vulnerability scanning. Snyk provides real-time scanning capabilities, using underlying technologies that help developers prioritize fixes and remediate issues. It also provides support for containers and Infrastructure as Code (IaC).
Another complete SCA platform, WhiteSource prioritizes vulnerabilities based on whether your organization’s code utilizes them – which it says reduces security alerts by up to 85%, and enables you to focus on and remediate critical issues. Its offerings cover scanning, OSS licensing compliance, and generating a software Bill of Materials.
A recent Forrester Wave called out Sonatype’s superior policy capabilities – with the technology offering out-of-the-box policies that align to a range of standards, as well as a policy engine that enables the organization to create and assign different policies by types of application.
Another complete SCA tool, Synopsys Black Duck provides tools to support OSS license compliance and OSS security – with support for reducing false positives. This boosts developers' trust in the tool because it quickly and reliably identifies issues that actually present real risk. The tools deliver dependency analysis, binary analysis, code snippet detection and custom component detection.
Noted for its capabilities in remediating vulnerabilities in open source components, and a roadmap that includes enhancing those capabilities in container and IaC, Veracode’s tools scan open source dependencies for known flaws and lean on data-driven recommendations for version updating. This includes strong support for vulnerabilities outside of the National Vulnerability Database (NVD), leveraging cutting-edge data mining, natural language processing, and machine learning to identify vulnerabilities from bug reports and commit messages.
A full SCA suite, Revenera’s capabilities include support for open source license compliance, security vulnerability management, including detection and remediation, and a complete software Bill of Materials that inventories all components, including dependencies and licenses. Revenera also offers automated legal and security compliance checks for software engineers.
Getting On The Same Page To Better Enable Scanning Success
Change management can be a big roadblock in the move to embed security and compliance capabilities earlier in the software development lifecycle. Teams are often distributed, they work in silos, and often don’t have a whole lot of visibility into how their project fits into the whole. It’s why gathering information about the company’s tech stacks in one place is a great way to set the stage for successful vulnerability scanning and SCA efforts.
Knowledge and information about tech stacks are typically spread over wikis, spreadsheets, private version control, chat messages, closed unsearchable email accounts and even listservs.
Private StackShare can help with all of that. You can easily map out and share tech stacks and important technology decisions across internal teams, reduce inefficiencies and duplication of efforts, increase visibility to empower planning, streamline the evaluation of technologies for projects, and more.
Check out our blog post on the top ways to track your tech stack...Excel not included.
The software allows businesses to get a full picture of their software stacks, track and see changes, and facilitate collaboration using technology that can automatically connect to repositories, pull a complete picture of open source technology use across the enterprise, and allow everyone to see it all in a role-based dashboard. Anytime a developer merges a pull request that contains stack changes in a connected repository, that change is automatically documented. The dashboard shows alerts anytime a tool is added, removed or a version is changed.
This all eases and encourages collaboration across engineering teams because colleagues can easily identify and ask those who have used specific technologies for advice, while also proactively alerting developers when a specific technology is tagged in their post.