Collaboration on open source projects throughout the community produces stronger code, squashing the bugs and catching the vulnerabilities that impact the security of organizations who look to open source components as the key to their application building success.
Thanks in part to the "thousand eyeballs" of the community, the number of reported vulnerabilities in open source projects is on the rise, spiking 51% in 2017 from the previous year.
This is even more concerning since, as shown in the same study, most vulnerabilities are found in popular projects. Data shows that 32% of the top 100 open source projects have at least one vulnerability, meaning that developers have their work cut out for them, no matter which components they are using in their products.
While it is better to know about vulnerabilities that remain in the dark, giving teams the opportunity to patch before being exploited by hackers, keeping up with the workload of remediating vulnerable components can pose a significant challenge for organizations.
The answer would appear to embrace the shift-left model that has long been associated with DevOps, extending the approach to incorporating security practices early in the software development lifecycle.
Security starts with developers, from their creation of the code through the post-deployment remediations where fixing vulnerabilities can be quite time-consuming.
According to our recent survey on challenges facing developers in using open source, respondents reported that they spend 15 hours a month on average dealing with open source vulnerabilities.
While in itself a significant chunk of time, what was surprising was that only 3.8 of these hours actually went towards the work of remediating the vulnerabilities, apparently, the rest of the time was spent trying to understand where to start in tackling the vulnerabilities.
Addressing The Challenge Of Finding And Fixing Vulnerable Open Source Components
Ideally, developers should be able to know early on in their process if a component that they want to use for their product has any known vulnerabilities associated with it before they commit it to their code.
By catching issues before they become a part of the product, developers can save themselves plenty of time that would otherwise be spent before a release, swapping out the vulnerable component and reconfiguring their product that has been built on top of the risky component.
Considering the widespread use of open-source components and the exponential rise in the number of disclosed open source vulnerabilities, performing these checks for known vulnerabilities manually is not a viable option, particularly when developers hope to stick to a schedule without compromising on security.
What they need are automated tools, backed up by comprehensive databases of known vulnerabilities, that can quickly identify which open source components are being used and show the developer at a glance if they have any issues to contend with before making their push.
Introducing WhiteSource Bolt For GitHub
WhiteSource has launched a free tool to simplify working with open source for developers. WhiteSource Bolt is an app on GitHub's marketplace that can alert on vulnerable open source components in your repositories in real-time, provide detailed information and even suggest fixes.
This new offering helps developers use better and more secure open source components from the early stages of coding and, most importantly, provides security alerts to the environment where developers are actually working - GitHub.
The app scans public and private repositories to identify open source components with known vulnerabilities. Security alerts auto-generate issues within GitHub where the user can view important details such as references for the CVE, its CVSS rating, a suggested fix, and other information that can help them to help plan their remediations.
There is even an option to assign the vulnerability to another team member using the milestones feature.
For most developers, GitHub is the first place to go to when looking for a solution to a problem, providing them with the right library or framework to get the job done.
With Bolt for GitHub, WhiteSource gives developers the slimmed down version of our enterprise-level product for free, making it easier for developers to work securely.
By offering this free tool for developers on GitHub, WhiteSource hopes to make open source security simpler, integrating it into the workflow that is already an instinctive part of how developers write code.
By integrating directly into GitHub's platform, developers can ensure the security of their products without ever having to leave the page.
To get started with this free tool, follow this link to download the application.