JFrog announced a new machine learning (ML) lifecycle integration between JFrog Artifactory and MLflow, an open source software platform originally developed by Databricks.
Open source isn't a strategy, it's a philosophy of collaboration. It's the fabric of millions of commercial projects in industries like FinTech, IT and AI. But there's something curious about open source — it makes up the majority of codebases, so surely the packages have hundreds of eyes keeping watch on their security posture? Unfortunately not. But there's good news on the horizon, as the 2023 OSSRA report found the number of applications with high-risk vulnerabilities is at its lowest level in four years (the SBOM Executive Order and SCA uptake get kudos for this). Is there light at the end of the tunnel?
Start with SCA: The New Savior of Open Source Software - Part 1
Good Offense is Good Defense
In mid 2022, the Open Source Software Security Foundation (OpenSSF) launched a 10-point plan to promote and improve the security of open source software. Here are their observations in combination with our own.
Define a Policy
The best and worst part of open source software is its lack of centralized guidance, but this fluctuation shouldn't apply to your organization. You can combine the standardization of proprietary code with the functionality of open source by defining an internal usage policy. Start with the basics and identify the stakeholders who will decide if a package is suitable and procure it. On a deeper level, consider how open source packages fit into your short- and long-term business goals.
Create an Approval Process
Pre-approve a list of open source packages you can trust, and simultaneously define how you give them the stamp of approval. Ideally, you can consider factors like project maturity, the level of support, and vulnerability patterns. This strategy helps your organization avoid vulnerable, unpatched, or out-of-date packages that could compromise operations.
Promote Security Education
Technical and non-technical employees should understand the ins and outs of open source security. Investing in security education improves workflows and development in the long run and reduces the risks of improper open source software usage. Security education can still take a developer-first approach, as the right SCA tool should be easy to integrate with the development tools you already employ.
Build a SBOM For Everything
SCA tools have the ability to generate and export SBOMs, allowing your organization to provide concrete assurance to your customers. With SCA, you can automatically generate a SBOM in seconds to map out all third-party and OSS code dependencies throughout your codebases, therefore eliminating manual analysis and helping maintain high velocity.
Leverage Continuous Monitoring
Patching quickly isn't enough — you'll need to continuously monitor all open source packages. While this sounds like a nightmare for busy developers and security teams, leveraging AI and ML-powered SCA tools does the heavy lifting for you. This type of automation helps you classify the exploitability of OSS dependencies in your code and manage risk without needing to manually manage anything — simply view your SCA product's recommendations.
How to Choose a SCA Vendor
Choosing the right threat intelligence solution is a business-critical decision, and here are a few essential features to help you select yours.
Code Security From Day Zero
Early detection is never early enough when it comes to open source vulnerabilities. A SCA tool should check your dependencies for threats as soon as you declare them (as early as pre-commit), helping you uncover threats and information like the presence of cryptominers, exploitability, and package maintenance history. The vendor should provide alerts regarding out-of-date libraries and block known and unknown OSS packages from reaching your SDLC.
An Advanced Portfolio and a Developer First Approach
Vendors with a strong reputation will always come out on top. By choosing a trusted brand with a range of security tools in its portfolio, you will benefit from the reliability, coverage, and ease of integration with a tool from the same vendor. Simply integrate SCA with your existing systems and development tools thanks to native build plugins. The emergence of SCA has shed a light on its synergy with SAST, as both assist in prioritization and auto-remediation. The right SCA tool will enable development and security teams to control, recognize, and minimize risk without altering your tech stack, so you can keep the developer-first approach.
Automated and Actionable Threat Intelligence
With a suitable SCA tool, eliminating the risk of malicious or compromised OSS packages shouldn't negatively impact your workflows. Manual intervention can lead to errors and false positives, meaning you could waste time resolving vulnerabilities that are not definite threats. Industry-leading OSS risk management solutions leverage AI and ML to classify the exploitability of OSS dependencies in your code and provide actionable threat intelligence.
Continuously Monitor Your Codebase for Open Source Security Threats
SCA is integral for applying consistent open source policies, monitoring operational risk, and gaining visibility over your codebase. Preventing open source exploitation is significantly more efficient in the long run than scrambling to fix the consequences. Take action today by selecting a SCA tool, and let it do the work for you.
Industry News
Copado announced the general availability of Test Copilot, the AI-powered test creation assistant.
SmartBear has added no-code test automation powered by GenAI to its Zephyr Scale, the solution that delivers scalable, performant test management inside Jira.
Opsera announced that two new patents have been issued for its Unified DevOps Platform, now totaling nine patents issued for the cloud-native DevOps Platform.
mabl announced the addition of mobile application testing to its platform.
Spectro Cloud announced the achievement of a new Amazon Web Services (AWS) Competency designation.
GitLab announced the general availability of GitLab Duo Chat.
SmartBear announced a new version of its API design and documentation tool, SwaggerHub, integrating Stoplight’s API open source tools.
Red Hat announced updates to Red Hat Trusted Software Supply Chain.
Tricentis announced the latest update to the company’s AI offerings with the launch of Tricentis Copilot, a suite of solutions leveraging generative AI to enhance productivity throughout the entire testing lifecycle.
CIQ launched fully supported, upstream stable kernels for Rocky Linux via the CIQ Enterprise Linux Platform, providing enhanced performance, hardware compatibility and security.
Redgate launched an enterprise version of its database monitoring tool, providing a range of new features to address the challenges of scale and complexity faced by larger organizations.
Snyk announced the expansion of its current partnership with Google Cloud to advance secure code generated by Google Cloud’s generative-AI-powered collaborator service, Gemini Code Assist.
Kong announced the commercial availability of Kong Konnect Dedicated Cloud Gateways on Amazon Web Services (AWS).
Pegasystems announced the general availability of Pega Infinity ’24.1™.