The Linux Foundation published a new report, Maintainer Perspectives on Open Source Software Security, based on a survey of OSS maintainers and core contributors, to understand perspectives on OSS security and the uptake and adoption of security best practices by maintainers, core contributors, end users, and other members of the OSS ecosystem.
On using software composition analysis (SCA) and static application security testing (SAST) tools to evaluate the security of OSS packages, Varun Badhwar, CEO and co-founder of Endor Labs, said: "SCA tools are insufficient because they only focus on two challenges - license and vulnerability compliance. And the way they address one of those two risks, vulnerability management, can actually make developers less productive because there's no context into which vulnerabilities are reachable in the enterprise, causing developers to waste time patching components that can be deprioritized as they don't impact the application."
"SCA tools also suffer from three main shortcomings:
This helps explain why, according to the log4j report released by the Department of Homeland Security Cyber Safety Review Board, at least one government agency spent 33,000 hours responding to the log4j vulnerability. As the authors noted, security teams simply can’t identify where the errant software exists within the environment.
Newer program analysis and code and pipeline governance technologies can help enterprises understand how code is actually being used in their organization, and which vulnerabilities within their code are actually dangerous and reachable. They can help developers prioritize fixes into what needs attention now, what needs a fix tomorrow, and which vulnerabilities you don’t need to address at all, and why. The technologies can scan both source code and the OSS ecosystem to provide a holistic risk score encompassing quality, activity, popularity, and security.
They can also develop detailed dependency graphs without requiring any agents or proxies at runtime. This makes implementation much easier, and allows organizations to quickly understand how developers are using these dependencies; which are being called from their code; which are unused; and more. This means that the next time an organization faces a log4j-like incident, it can find the problem in minutes rather than weeks."
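The reachability idea in the quotes above, as an added example that is not Endor Labs' code and not part of the original article: a vulnerability in a dependency is triaged by whether application code can actually reach the vulnerable function through the call graph, and declared-but-never-called packages are flagged for removal. The call graph, the dependency manifest and the advisory ids (`ADV-PLACEHOLDER-*`) are all constructed placeholders; a real tool would derive the graph from source and map advisories to functions from a vulnerability database.

```python
"""Reachability-based vulnerability triage over a constructed call graph.

Added example, not Endor Labs' code. Nodes are written as "package:function";
"app" is the application being analysed. All names and advisory ids are
constructed placeholders, not real packages or real advisories.
"""
from collections import deque

# Constructed call graph: caller -> set of callees.
CALL_GRAPH = {
    "app:main": {"app:handle_request", "app:load_config"},
    "app:handle_request": {"logger:info", "http:parse_header"},
    "app:load_config": {"yamlkit:safe_load"},
    "logger:info": {"logger:format"},
    "logger:format": set(),
    "logger:lookup": {"logger:jndi_fetch"},   # present in the package, never called by app code
    "http:parse_header": {"http:split_tokens"},
    "http:split_tokens": set(),
    "yamlkit:safe_load": {"yamlkit:parse"},
    "yamlkit:load": {"yamlkit:parse", "yamlkit:construct_object"},
    "yamlkit:parse": set(),
    "yamlkit:construct_object": set(),
}

# Constructed manifest of declared dependencies (think: the lock file).
DECLARED_DEPENDENCIES = {"logger", "http", "yamlkit", "imagelib"}

# Constructed advisories: placeholder ids mapped to the vulnerable function.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "logger", "function": "logger:jndi_fetch"},
    {"id": "ADV-PLACEHOLDER-2", "package": "yamlkit", "function": "yamlkit:construct_object"},
    {"id": "ADV-PLACEHOLDER-3", "package": "http", "function": "http:split_tokens"},
    {"id": "ADV-PLACEHOLDER-4", "package": "imagelib", "function": "imagelib:decode"},
    {"id": "ADV-PLACEHOLDER-5", "package": "cryptolib", "function": "cryptolib:verify"},
]

ENTRY_POINTS = ["app:main"]


def reachable_functions(call_graph, entry_points):
    """Breadth-first walk over the call graph from the application's entry points."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for callee in call_graph.get(node, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def used_packages(call_graph, entry_points):
    """Packages with at least one function reachable from the application."""
    reach = reachable_functions(call_graph, entry_points)
    return {node.split(":")[0] for node in reach} - {"app"}


def triage(call_graph, entry_points, declared, advisories):
    """Classify each advisory: fix now, deprioritize, remove the unused package, or not applicable."""
    reach = reachable_functions(call_graph, entry_points)
    used = used_packages(call_graph, entry_points)
    result = {}
    for adv in advisories:
        if adv["package"] not in declared:
            result[adv["id"]] = "not_applicable"   # package is not in the manifest at all
        elif adv["function"] in reach:
            result[adv["id"]] = "fix_now"          # application code can reach the flaw
        elif adv["package"] in used:
            result[adv["id"]] = "deprioritize"     # package is used, vulnerable function is not
        else:
            result[adv["id"]] = "remove_unused"    # declared dependency that nothing calls
    return result


def unused_dependencies(call_graph, entry_points, declared):
    """Declared packages that no reachable code calls; candidates for removal."""
    return declared - used_packages(call_graph, entry_points)


if __name__ == "__main__":
    for adv_id, verdict in sorted(triage(CALL_GRAPH, ENTRY_POINTS, DECLARED_DEPENDENCIES, ADVISORIES).items()):
        print(f"{adv_id}: {verdict}")
    print("unused dependencies:", sorted(unused_dependencies(CALL_GRAPH, ENTRY_POINTS, DECLARED_DEPENDENCIES)))
```

The "deprioritize" bucket is an under-approximation in practice: a static call graph misses edges created by reflection, dynamic dispatch or plugin loading, so a package flagged as used-but-unreachable is still a candidate for a routine upgrade, just not an emergency one. The "remove_unused" bucket is where the log4j-style hours go first, since deleting a dependency nobody calls closes the finding without any code change.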
"As we enter a new stage in the maturity of OSS consumption, organizations need to find ways to maintain the speed and productivity OSS enables, without compromising security. The first steps are to examine the process of selecting OSS dependencies, and understanding how to select more sustainable ones that will reduce long-term risk," said Henrik Plate, CISSP, security researcher at Endor Labs, about reducing developer fatigue and improving productivity.
"Developers waste over 50% of their time dealing with noisy application security alerts. Code and pipeline governance technologies let them prioritize only the risks that truly affect their environment, reducing false positives by 80% compared to software composition analysis tools," added Varun Badhwar.