Tackling the Risks of Open Source Security
5 Things You Need to Know
Sharon Sharlin, Product Marketing Manager
5 Things To Know About Open Source Security
01 Open Source Risk Is On The Rise
02 It's Time To Change Your Mindset
03 Prioritize Security Vulnerabilities
04 Delegate Security Responsibilities
05 Shift Left Is At Its Best With Open Source
01 Open Source Risk Is On The Rise
Are You Spending Enough In AppSec?
[Chart: Gaps in Security Risks and the Allocation of Spending. Series: the level of risk (number of breaches multiplied by severity) vs. the level of annual spending (investment) in IT security.]
Source: Ponemon Institute: The Increasing Risk to Enterprise Applications
Open Source Components Account For 60%-80% Of The Average Software Product
[Chart: open source code vs. proprietary code in the average software product. 1998: 5%-10% open source; 2008: 30%-50%; 2018: 60%-80%.]
Source: North Bridge Future Of Open Source Survey
96.8% of developers rely on open source components
[Chart: Frequency of Use of Open Source Components]
The Number of Reported Vulnerabilities is Rising
02 It's Time To Change Your Mindset
Open Source Security is a Different Game
It's time to change your mindset
                 PROPRIETARY VULNERABILITIES                       OPEN SOURCE VULNERABILITIES
Detection        Potential vulnerability detected (SAST & DAST)    Known vulnerability
Publicity        No public information                             All information is publicly available
Remediation      Need to research to find a fix                    Actionable remediation(s) are available
Scan Phase       During development                                Continuous monitoring (incl. post release)
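The right-hand column is the case a dependency scanner handles: the advisory is public, the affected version range is known, and the fix is usually a version bump, but new advisories keep arriving after release against code you did not change. The following Python is an added example, not WhiteSource code: it matches a pinned manifest against an advisory feed by version range, then re-runs the match against a later feed to surface what is new since release. Every package name, advisory ID (ADV-xxxx), version bound and severity in it is constructed for illustration and refers to no real vulnerability.

```python
"""Match a pinned dependency manifest against a public advisory feed.

Added example for this deck, not WhiteSource code. Package names,
advisory IDs (ADV-xxxx), version bounds and severities are constructed
and hypothetical; none refers to a real vulnerability.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


def parse_version(text: str) -> tuple:
    """Turn '4.5.13' into (4, 5, 13) so tuples compare numerically.
    Real ecosystems have richer grammars (pre-release tags, epochs);
    this handles plain dotted integers only."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str          # first affected version, inclusive
    fixed: Optional[str]     # first fixed version, exclusive; None = no fix published
    severity: str

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory_id: str
    severity: str
    remediation: str


def scan(manifest: dict, feed: Iterable[Advisory]) -> list:
    """One Finding per (pinned dependency, advisory) match.
    manifest maps package name -> pinned version, as a lockfile does."""
    findings = []
    for adv in feed:
        version = manifest.get(adv.package)
        if version is None or not adv.affects(version):
            continue
        remediation = (f"upgrade to {adv.fixed}" if adv.fixed
                       else "no fixed version published; mitigate or replace")
        findings.append(Finding(adv.package, version, adv.advisory_id,
                                adv.severity, remediation))
    return findings


def new_findings(previous: list, current: list) -> list:
    """Findings present now that were absent last time. This is the
    post-release case: the code did not change, the feed did."""
    seen = {(f.package, f.advisory_id) for f in previous}
    return [f for f in current if (f.package, f.advisory_id) not in seen]


# Constructed manifest: what the lockfile pinned at release time.
MANIFEST = {
    "example-logging": "1.4.2",
    "example-json": "1.3.0",
    "example-http": "4.5.13",
}

# Constructed feed as of release day.
FEED_DAY_0 = [
    Advisory("ADV-0001", "example-json", "1.0.0", "1.3.1", "medium"),
    Advisory("ADV-0002", "example-http", "4.0.0", "4.5.0", "high"),   # fixed before 4.5.13
]

# Same feed a month later: a new disclosure against the unchanged logging dependency.
FEED_DAY_30 = FEED_DAY_0 + [
    Advisory("ADV-0003", "example-logging", "1.0.0", "1.5.0", "critical"),
]


def monitor() -> list:
    """Re-scan the unchanged manifest against the updated feed and
    return only what is new since the release-day scan."""
    return new_findings(scan(MANIFEST, FEED_DAY_0), scan(MANIFEST, FEED_DAY_30))


if __name__ == "__main__":
    for f in scan(MANIFEST, FEED_DAY_30):
        print(f"{f.package}=={f.version}: {f.advisory_id} ({f.severity}) -> {f.remediation}")
    print("new since release:", [f.advisory_id for f in monitor()])
```

Running it prints the two matches from the day-30 feed and reports ADV-0003 as new since release even though the manifest is identical; a scan that only runs during development would never see it, which is what the "continuous monitoring" row of the table means in practice. Two caveats for anyone turning this into a real check: version comparison is where these tools go wrong (each ecosystem has its own ordering rules, so use the ecosystem's own comparator rather than this toy one), and transitive dependencies have to be in the manifest, which means scanning the resolved lockfile rather than the top-level declarations.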
03 Prioritize Security Vulnerabilities
DEVELOPERS ARE NOT EFFICIENTLY MANAGING OPEN SOURCE VULNERABILITIES
How much time is spent?
[Chart: hours/month per developer spent on security vulnerabilities, binned: None, 1-10, 11-20, 21-35, 36-60, over 60 hours]
15 hours/month spent on average by every developer on security vulnerabilities
3.8 hours/month spent on security vulnerability remediation
Developers Are Investing Too Much Time On Vulnerability Assessment and Remediation
Prioritization Is Key To Saving Wasted Time On Vulnerability Management
Vulnerability Effectiveness: a novel approach to prioritization
[Diagram: effective vulnerability vs. ineffective vulnerability]
An effective vulnerability is one whose vulnerable code is actually reachable from the application's own code; an ineffective one sits in a part of the component the application never calls into.
After testing 2,000 Java applications, WhiteSource found that 85% of all detected vulnerabilities were deemed ineffective.
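Deciding effectiveness comes down to reachability: does any code path from the application's entry points arrive at the function the advisory names? The following Python is an added example, not WhiteSource's analysis engine: it walks a constructed call graph, splits a list of findings into effective (with the call chain kept as evidence) and ineffective, ranks the effective ones by severity, and exposes the pass/fail decision a build step would act on. The call graph, package names, symbols, advisory IDs and scores are all hypothetical.

```python
"""Split findings into effective and ineffective by call-graph reachability,
then rank and gate on the effective ones.

Added example for this deck, not WhiteSource's analysis engine. The call
graph, package names, symbols, advisory IDs and scores are constructed
and hypothetical.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vulnerability:
    advisory_id: str
    package: str
    vulnerable_symbol: str   # the function the advisory says is at fault
    severity: int            # 0-10, CVSS-like, constructed


def reachable(call_graph: dict, entry_points: set) -> set:
    """Every function transitively callable from the entry points
    (breadth-first walk over caller -> callees)."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def call_path(call_graph: dict, entry_points: set, target: str) -> Optional[list]:
    """Shortest caller chain from an entry point to target, or None."""
    parent = {e: None for e in entry_points}
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn == target:
            path = []
            while fn is not None:
                path.append(fn)
                fn = parent[fn]
            return path[::-1]
        for callee in call_graph.get(fn, ()):
            if callee not in parent:
                parent[callee] = fn
                queue.append(callee)
    return None


def prioritize(vulns: list, call_graph: dict, entry_points: set):
    """Return (effective, ineffective). Effective entries are
    (vulnerability, call path) pairs sorted by severity, highest first."""
    can_reach = reachable(call_graph, entry_points)
    effective, ineffective = [], []
    for v in vulns:
        if v.vulnerable_symbol in can_reach:
            effective.append((v, call_path(call_graph, entry_points, v.vulnerable_symbol)))
        else:
            ineffective.append(v)
    effective.sort(key=lambda pair: pair[0].severity, reverse=True)
    return effective, ineffective


def build_gate(effective: list, threshold: int) -> bool:
    """True if the build may proceed: no reachable finding at or above threshold."""
    return all(v.severity < threshold for v, _ in effective)


# Constructed call graph. app.* is the application's own code; the rest
# are dependency functions. Edges are caller -> set of callees.
CALL_GRAPH = {
    "app.main": {"app.handle_request", "app.render"},
    "app.handle_request": {"json_lib.parse", "http_lib.get"},
    "app.render": {"template_lib.render"},
    "json_lib.parse": {"json_lib.decode_number"},
    "http_lib.get": {"http_lib.build_url"},
    "template_lib.render": {"template_lib.escape"},   # never calls eval_expr
    "http_lib.proxy_tunnel": {"http_lib.build_url"},  # nothing in app.* calls this
}
ENTRY_POINTS = {"app.main"}

VULNS = [
    Vulnerability("ADV-1001", "json_lib", "json_lib.decode_number", 7),
    Vulnerability("ADV-1002", "template_lib", "template_lib.eval_expr", 9),
    Vulnerability("ADV-1003", "http_lib", "http_lib.proxy_tunnel", 8),
    Vulnerability("ADV-1004", "http_lib", "http_lib.build_url", 5),
]


def report(threshold: int = 7) -> dict:
    effective, ineffective = prioritize(VULNS, CALL_GRAPH, ENTRY_POINTS)
    return {
        "effective": [(v.advisory_id, v.severity, " -> ".join(path)) for v, path in effective],
        "ineffective": [v.advisory_id for v in ineffective],
        "gate_passed": build_gate(effective, threshold),
    }


if __name__ == "__main__":
    r = report()
    for advisory_id, severity, path in r["effective"]:
        print(f"EFFECTIVE   {advisory_id} sev={severity} via {path}")
    for advisory_id in r["ineffective"]:
        print(f"INEFFECTIVE {advisory_id} (vulnerable symbol not reachable)")
    print("build gate passed:", r["gate_passed"])
```

With the constructed graph the gate fails because a reachable severity-7 finding crosses the threshold, while the unreachable severity-9 finding in template_lib does not block the build; that is the point of prioritizing on effectiveness rather than raw score, and the retained call path is what lets a developer verify the verdict instead of trusting it. A real implementation needs a language-specific call-graph extractor and must treat dynamic dispatch, reflection, callbacks and deserialization hooks conservatively, otherwise "ineffective" quietly becomes a false negative.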
04 Delegate Security Responsibilities
Bridging the Gap is a Must
[Diagram: Security, DevOps, Developers]
05 Shift Left Is At Its Best With Open Source.
Turn Developers Into Security Advocates
Empower developers with more flexible selection and approval processes
[SDLC phases: Project Planning, Requirements Definition, Design, Development, Integration & Test, Installation & Acceptance]
Organizations of all sizes are shifting their operational security to software development teams
[Chart: Who owns security in your organization, by company size?]
The impact of developers taking over security is that security tools get integrated earlier in the SDLC:
66% of developers are taking action towards application testing at the build stage or before.
[Chart: In what stage of the SDLC do you spend most of your time implementing security measures?]
Detect Issues As Early As Possible - Shift Left
The cost of fixing security and quality issues rises significantly as the development cycle advances.
Coding           $80/defect
Build            $240/defect
QA & Security    $960/defect
Production       $7,600/defect
Analyze and prioritize open source security vulnerability remediation
Streamline policies with better integration options
Shift-left security processes to establish better practices
Thank You!
