“Manual tracking proved too inaccurate for the due diligence process. While code scanners, like Black Duck and Palamida, were the only automated solutions back then and were too expensive, time-consuming and labor intensive,” explains Sass. After that ordeal, the founders decided they would develop a solution to help software development organizations manage their open source usage automatically and effortlessly. And so WhiteSource was born.
“Today, 50-80 percent of a typical commercial software product consists of open source components, and open source usage is only rising. After all, why should organizations invest resources re-inventing the wheel, when they can focus on developing new innovative technologies that put them ahead of their competition,” remarks Sass. “However, companies must track their open source usage, to detect vulnerable open source components or license compliance issues.”
Typically, when issues are discovered late, it’s often in pre-release, or even post-deployment. At these stages, fixing or replacing components is a complex, painful and costly process. Also, more hackers are becoming aware of the ‘potential’ in exploiting security vulnerabilities in open source components, as one vulnerability can be translated into thousands of victims, if not more. We just need to look at the damage Heartbleed caused. Therefore, you need to detect vulnerabilities affecting your open source vulnerabilities as early as possible.
“Software development teams invest heavily in application security with testing tools like SAST and DAST. These are great for detecting proprietary code security vulnerabilities, but they cannot do the same when it comes to open source. Therefore, unless you’re using security tools designed for open source, you’re putting your products at risk.”
Unless you’re using security tools designed for open source, you’re putting your products at risk
WhiteSource enables software development and security teams to shift left their open source management to the earliest stages of development by integrating with repositories, build tools and CI servers, to continuously monitor the open source components in their software. WhiteSource even offers a unique tool for developers, enabling them to identify problematic components while they’re browsing online repositories like GitHub, Maven Central etc. Thus, developers are alerted on issues before they even download a component.
WhiteSource automates the entire open source management process: security, license compliance, bugs tracking, quality, version and more. It integrates with your software development lifecycle (SDLC) to detect open source components once they’re added to your repository or build. It also provides real-time alerts, offers detailed remediation options for problematic open source components and enforces policies automatically at every stage of your SDLC. Therefore, you can prevent components with copyleft licenses, such as the GNU GPL family, from ever entering your products. WhiteSource also generate a wide range of up-to-date reports within minutes.
Open source is everywhere, and as a famous man once said ‘If you don’t think you’re using open source, you are. And if you think you are, you’re using more than you realize’. And to be honest, if you’re required to develop quality software fast, the benefits open source offers are simply too good to refuse. Organizations shouldn’t be afraid of open source usage, but they should take the appropriate steps to manage it properly.
Organizations have every reason to embrace open source with open arms. Executives just need to take the initiative and promote effective open source management within their organizations.