SlideShare a Scribd company logo

The State of Open Source Vulnerabilities - A WhiteSource Webinar

Download as PPTX, PDF
WhiteSource, profile picture
WhiteSource

Open source security vulnerabilities are increasing, with a 51.2% rise in reported vulnerabilities in 2017, highlighting the need for better management practices. Developers often spend excessive time addressing these vulnerabilities, with only a small portion of their efforts dedicated to effective remediation. Implementing prioritization based on usage analysis can significantly reduce the workload and improve security efficiency.

Internet
Related topics:
Application Security
1 of 23
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
THE STATE OF OPEN SOURCE VULNERABILITIES MANAGEMENT Presented by: Rami Elron, Senior Director of Product Management at WhiteSource
Key Findings: 1 Reported open source security vulnerabilities are on the rise. 2 The absence of standard practices and developer- focused tools lead to inefficient handling of open source vulnerabilities. 3 Prioritization is crucial to ensure companies address the most critical vulnerabilities on time. 4 Prioritization based on usage analysis can reduce security alerts by 70% to 85%.
OPEN SOURCE SECURITY VULNERABILITIES ARE ON THE RISE
The number of disclosed open source vulnerabilities rose by over 50% in 2017 NUMBER OF REPORTED OPEN SOURCE VULNERABILITIES ROSE BY 51.2% IN 2017
FREQUENCY OF USE OF OPEN SOURCE COMPONENTS of developers rely on open source components 96.8%
of all open source projects are vulnerable, but when it comes to the most popular open source projects… 7.5%
But, it's not all bad. The rise in awareness also led to a sharp rise in suggested fixes… of all reported vulnerabilities have at least one suggested fix in the open source community 97.4%
Information about vulnerabilities is scattered across hundreds of resources, usually poorly indexed and therefore unsearchable OF REPORTED OPEN SOURCE VULNERABILITIES APPEAR IN THE CVE DATABASE 86% OVER
DEVELOPERS ARE NOT EFFICIENTLY MANAGING OPEN SOURCE VULNERABILITIES
Developers rated security vulnerabilities as the #1 challenge when using open source components TOP CHALLENGES IN USING OPEN SOURCE COMPONENTS
Developers spend 15 hours each month dealing with open source vulnerabilities (e.g. reviewing, discussing, addressing, remediating, etc.) The cost is even higher, considering that the more experienced developers are the ones remediating HOURS SPENT ON OPEN SOURCE VULNERABILITIES PER DEVELOPERS' EXPERIENCE
WHAT DO YOU DO WHEN A VULNERABILITY IS FOUND? 1.0% 34.1% 13.3% 18.7% 33.0% Out of the monthly 15 hours only 3.8 hours are invested in remediation. The lack of set practices and tools can explain these inefficiencies.
PRIORITIZATION IS KEY TO OPEN SOURCE VULNERABILITY MANAGEMENT
Perfect security is impossible. Zero risk is impossible. We must bring prioritization of application vulnerabilities to DevSecOps. In a futile attempt to remove all possible vulnerabilities from applications, we are slowing developers down and wasting their time chasing issues that aren’t real. 10 Things to Get Right for Successful DevSecOps Neil MacDonald, Gartner
25.2% 11.6% 15.1% 17.3% Survey results show that developers prioritize remediation of vulnerabilities based on available information, not necessarily on the impact of a vulnerability on the security of an application. 14.7% 16.2%
Security teams analyze and prioritize vulnerabilities Sending emails or opening issues/tickets Closing the loop on resolution is hard The Common Way of Handling Security Vulnerabilities
Bridging the Gap is a Must Security DevOps Developers
WhiteSource Software Confidential ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? Reported Vulnerabilities Can you really handle all of them? Which ones constitute a real risk? Which ones should be addressed first? Effective Vulnerabilities Less to deal with. Much less.vs. The Secret to Prioritization: Reported Vulnerabilities are not Necessarily EFFECTIVE Focusing on Effective Vulnerabilities Could Enable: Better development efficiency Better development effectiveness Better security
A new approach to prioritizing vulnerabilities - based their impact on an application’s security EFFECTIVE VULNERABILITY If the proprietary code is making calls to the vulnerable functionality INEFFECTIVE VULNERABILITY If the proprietary code is NOT making calls to the vulnerable functionality EFFECTIVE VS INEFFECTIVE VULNERABILITIES IN A COMPONENT
After testing 2,000 Java applications, WhiteSource found that 72% of all detected vulnerabilities were deemed ineffective. Based on the data collected in our survey, this can be translated to saving 10.5 hours per month per each developer (70% of 15 monthly hours).
EFFECTIVE USAGE ANALYSIS
Effective Usage Analysis is the technology of prioritizing open source vulnerabilities based on the way they are used by the application. Our beta testing on 25 commercial applications from 12 organizations showed that: analyzed projects were found to be vulnerable of the vulnerabilities (effective and ineffective) were found in transitive dependencies of all vulnerability alerts were found to be ineffective of all analyzed projects were found to contain only ineffective vulnerabilities ALL 90% 86% 64%
Q&A

More Related Content

PPTX
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
WhiteSource
 
PPTX
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
WhiteSource
 
PPTX
Automating Open Source Security: A SANS Review of WhiteSource
WhiteSource
 
PPTX
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
WhiteSource
 
PPTX
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
WhiteSource
 
PDF
The State of Open Source Vulnerabilities Management
WhiteSource
 
PDF
Open Source Security at Scale- The DevOps Challenge 
WhiteSource
 
PDF
Winning open source vulnerabilities without loosing your deveopers - Azure De...
WhiteSource
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
WhiteSource
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
WhiteSource
 
Automating Open Source Security: A SANS Review of WhiteSource
WhiteSource
 
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
WhiteSource
 
5 Things Every CISO Needs To Know About Open Source Security - A WhiteSource ...
WhiteSource
 
The State of Open Source Vulnerabilities Management
WhiteSource
 
Open Source Security at Scale- The DevOps Challenge 
WhiteSource
 
Winning open source vulnerabilities without loosing your deveopers - Azure De...
WhiteSource
 

What's hot (20)

PDF
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
WhiteSource
 
PPTX
WhiteSource Webinar What's New With WhiteSource in December 2018
WhiteSource
 
PDF
Tackling the Risks of Open Source Security: 5 Things You Need to Know
WhiteSource
 
PDF
Taking Open Source Security to the Next Level
WhiteSource
 
PDF
The State of Open Source Vulnerabilities Management
SBWebinars
 
PPTX
Supply Chain Solutions for Modern Software Development
Sonatype
 
PPTX
7 Reasons Your Applications are Attractive to Adversaries
Derek E. Weeks
 
PDF
The AppSec Path to Enlightenment
Black Duck by Synopsys
 
PPTX
A question of trust - understanding Open Source risks
Tim Mackey
 
PPTX
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
WhiteSource
 
PDF
PCI and Vulnerability Assessments - What’s Missing?
Black Duck by Synopsys
 
PDF
Find Out What's New With WhiteSource September 2018- A WhiteSource Webinar
WhiteSource
 
PDF
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
PPTX
Open Source 360 Survey Results
Tim Mackey
 
PPTX
Accelerating Innovation with Software Supply Chain Management
Sonatype
 
PDF
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...
Jerika Phelps
 
PDF
Information Security Incidents Survey in Russia
Positive Hack Days
 
PPTX
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevOps.com
 
PPTX
Software Security Assurance for Devops
Jerika Phelps
 
PPTX
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony
 
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
WhiteSource
 
WhiteSource Webinar What's New With WhiteSource in December 2018
WhiteSource
 
Tackling the Risks of Open Source Security: 5 Things You Need to Know
WhiteSource
 
Taking Open Source Security to the Next Level
WhiteSource
 
The State of Open Source Vulnerabilities Management
SBWebinars
 
Supply Chain Solutions for Modern Software Development
Sonatype
 
7 Reasons Your Applications are Attractive to Adversaries
Derek E. Weeks
 
The AppSec Path to Enlightenment
Black Duck by Synopsys
 
A question of trust - understanding Open Source risks
Tim Mackey
 
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
WhiteSource
 
PCI and Vulnerability Assessments - What’s Missing?
Black Duck by Synopsys
 
Find Out What's New With WhiteSource September 2018- A WhiteSource Webinar
WhiteSource
 
8 Patterns For Continuous Code Security by Veracode CTO Chris Wysopal
Threat Stack
 
Open Source 360 Survey Results
Tim Mackey
 
Accelerating Innovation with Software Supply Chain Management
Sonatype
 
Leveraging Black Duck Hub to Maximize Focus - Entersekt's approach to automat...
Jerika Phelps
 
Information Security Incidents Survey in Russia
Positive Hack Days
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevOps.com
 
Software Security Assurance for Devops
Jerika Phelps
 
Secure Code review - Veracode SaaS Platform - Saudi Green Method
Salil Kumar Subramony
 
Ad

Similar to The State of Open Source Vulnerabilities - A WhiteSource Webinar (20)

PDF
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
FINOS
 
PDF
5 things about os sharon webinar final
DevOps.com
 
PDF
Taking Open Source Security to the Next Level
SBWebinars
 
PDF
PDF The complete guide to developer first application security By Github.Co...
eivimayuyu
 
PPTX
Intelligence on the Intractable Problem of Software Security
Tyler Shields
 
PPTX
One login enemy at the gates
Eoin Keary
 
PDF
We are excited to announce that our new State of Software Security (SOSS) rep...
Ampliz
 
PDF
The State of Software Security 2022 SOSS - Solution
NeelKamalSingh8
 
PPTX
How do YOU compare to others in Mobile DevOps Performance, Productivity, and ...
AnnaBtki
 
PPTX
Amy DeMartine - 7 Habits of Rugged DevOps
SeniorStoryteller
 
PDF
Aliens in Your Apps!
All Things Open
 
PPTX
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
WhiteSource
 
PPTX
Software Security Assurance for DevOps
Black Duck by Synopsys
 
PDF
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
Sonatype
 
PDF
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Sonatype
 
PDF
Case Closed with IBM Application Security on Cloud infographic
IBM Security
 
PPTX
The Illusion of Control: Seven Deadly Wastes in Your Devops Practice
matthewabq
 
PPTX
Why Patch Management is Still the Best First Line of Defense
Lumension
 
PPTX
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
PPT
Risk Based Software Planning
Muhammad Alhalaby
 
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
FINOS
 
5 things about os sharon webinar final
DevOps.com
 
Taking Open Source Security to the Next Level
SBWebinars
 
PDF The complete guide to developer first application security By Github.Co...
eivimayuyu
 
Intelligence on the Intractable Problem of Software Security
Tyler Shields
 
One login enemy at the gates
Eoin Keary
 
We are excited to announce that our new State of Software Security (SOSS) rep...
Ampliz
 
The State of Software Security 2022 SOSS - Solution
NeelKamalSingh8
 
How do YOU compare to others in Mobile DevOps Performance, Productivity, and ...
AnnaBtki
 
Amy DeMartine - 7 Habits of Rugged DevOps
SeniorStoryteller
 
Aliens in Your Apps!
All Things Open
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
WhiteSource
 
Software Security Assurance for DevOps
Black Duck by Synopsys
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
Sonatype
 
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Sonatype
 
Case Closed with IBM Application Security on Cloud infographic
IBM Security
 
The Illusion of Control: Seven Deadly Wastes in Your Devops Practice
matthewabq
 
Why Patch Management is Still the Best First Line of Defense
Lumension
 
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
Risk Based Software Planning
Muhammad Alhalaby
 
Ad

More from WhiteSource (15)

PDF
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
WhiteSource
 
PDF
Empowering Financial Institutions to Use Open Source With Confidence
WhiteSource
 
PDF
Tackling the Container Iceberg:How to approach security when most of your sof...
WhiteSource
 
PDF
Securing Container-Based Applications at the Speed of DevOps
WhiteSource
 
PDF
The Challenges of Scaling DevSecOps
WhiteSource
 
PDF
Open Source Security: How to Lay the Groundwork for a Secure Culture
WhiteSource
 
PDF
Deep Dive into Container Security
WhiteSource
 
PDF
Fire alarms vs. Fire hoses: Keeping up with Dependencies
WhiteSource
 
PDF
DevSecOps: Closing the Loop from Detection to Remediation
WhiteSource
 
PDF
Barriers to Container Security and How to Overcome Them
WhiteSource
 
PDF
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
WhiteSource
 
PDF
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
 
PDF
Top Open Source Licenses Explained
WhiteSource
 
PPTX
Strategies for Improving Enterprise Application Security - a WhiteSource Webinar
WhiteSource
 
PPTX
How temenos manages open source use, the easy way combined
WhiteSource
 
Innocent Vulnerabilities vs. Malicious Backdoors: How to Manage Your Risk
WhiteSource
 
Empowering Financial Institutions to Use Open Source With Confidence
WhiteSource
 
Tackling the Container Iceberg:How to approach security when most of your sof...
WhiteSource
 
Securing Container-Based Applications at the Speed of DevOps
WhiteSource
 
The Challenges of Scaling DevSecOps
WhiteSource
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
WhiteSource
 
Deep Dive into Container Security
WhiteSource
 
Fire alarms vs. Fire hoses: Keeping up with Dependencies
WhiteSource
 
DevSecOps: Closing the Loop from Detection to Remediation
WhiteSource
 
Barriers to Container Security and How to Overcome Them
WhiteSource
 
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
WhiteSource
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
 
Top Open Source Licenses Explained
WhiteSource
 
Strategies for Improving Enterprise Application Security - a WhiteSource Webinar
WhiteSource
 
How temenos manages open source use, the easy way combined
WhiteSource
 

Recently uploaded (20)

PDF
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
PDF
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
PPTX
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PDF
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
PPTX
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
PPTX
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PPTX
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
PPTX
innovation process that make everything different.pptx
SoumyadipPaul18
 
PDF
Introduction to the IoT system, how the IoT system works
TinBinh
 
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
PDF
Smart Home Technology for Health Monitoring (www.kiu.ac.ug)
publication11
 
PPTX
artificialintelligenceai1-copy-210604123353.pptx
b45r14
 
PPTX
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
PPTX
artificial intelligence overview of it and more
yafotin445
 
PPTX
E -tech empowerment technologies PowerPoint
kylebalatero12
 
PPT
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 
FINAL CALL-6th International Conference on Networks & IOT (NeTIOT 2025)
IJMIT JOURNAL
 
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
Cloud-Scale Log Monitoring _ Datadog.pdf
MuhammadDhomanhuriMa
 
Introduction to Information and Communication Technology
AkmadArzieAyao1
 
Funds Management Learning Material for Beg
NKKumar16
 
The New Creative Director: How AI Tools for Social Media Content Creation Are...
SageTitans
 
Power Point - Lesson 3_2.pptx grad school presentation
JoyPPD
 
PptxGenJS_Demo_Chart_20250317130215833.pptx
itruongva
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
SAP Ariba Sourcing PPT for learning material
NKKumar16
 
innovation process that make everything different.pptx
SoumyadipPaul18
 
Introduction to the IoT system, how the IoT system works
TinBinh
 
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
Smart Home Technology for Health Monitoring (www.kiu.ac.ug)
publication11
 
artificialintelligenceai1-copy-210604123353.pptx
b45r14
 
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
artificial intelligence overview of it and more
yafotin445
 
E -tech empowerment technologies PowerPoint
kylebalatero12
 
isotopes_sddsadsaadasdasdasdasdsa1213.ppt
Kenneth James Alamillo
 

The State of Open Source Vulnerabilities - A WhiteSource Webinar

  • 1. THE STATE OF OPEN SOURCE VULNERABILITIES MANAGEMENT Presented by: Rami Elron, Senior Director of Product Management at WhiteSource
  • 2. Key Findings: 1 Reported open source security vulnerabilities are on the rise. 2 The absence of standard practices and developer- focused tools lead to inefficient handling of open source vulnerabilities. 3 Prioritization is crucial to ensure companies address the most critical vulnerabilities on time. 4 Prioritization based on usage analysis can reduce security alerts by 70% to 85%.
  • 4. The number of disclosed open source vulnerabilities rose by over 50% in 2017 NUMBER OF REPORTED OPEN SOURCE VULNERABILITIES ROSE BY 51.2% IN 2017
  • 5. FREQUENCY OF USE OF OPEN SOURCE COMPONENTS of developers rely on open source components 96.8%
  • 6. of all open source projects are vulnerable, but when it comes to the most popular open source projects… 7.5%
  • 7. But, it's not all bad. The rise in awareness also led to a sharp rise in suggested fixes… of all reported vulnerabilities have at least one suggested fix in the open source community 97.4%
  • 8. Information about vulnerabilities is scattered across hundreds of resources, usually poorly indexed and therefore unsearchable OF REPORTED OPEN SOURCE VULNERABILITIES APPEAR IN THE CVE DATABASE 86% OVER
  • 9. DEVELOPERS ARE NOT EFFICIENTLY MANAGING OPEN SOURCE VULNERABILITIES
  • 10. Developers rated security vulnerabilities as the #1 challenge when using open source components TOP CHALLENGES IN USING OPEN SOURCE COMPONENTS
  • 11. Developers spend 15 hours each month dealing with open source vulnerabilities (e.g. reviewing, discussing, addressing, remediating, etc.) The cost is even higher, considering that the more experienced developers are the ones remediating HOURS SPENT ON OPEN SOURCE VULNERABILITIES PER DEVELOPERS' EXPERIENCE
  • 12. WHAT DO YOU DO WHEN A VULNERABILITY IS FOUND? 1.0% 34.1% 13.3% 18.7% 33.0% Out of the monthly 15 hours only 3.8 hours are invested in remediation. The lack of set practices and tools can explain these inefficiencies.
  • 13. PRIORITIZATION IS KEY TO OPEN SOURCE VULNERABILITY MANAGEMENT
  • 14. Perfect security is impossible. Zero risk is impossible. We must bring prioritization of application vulnerabilities to DevSecOps. In a futile attempt to remove all possible vulnerabilities from applications, we are slowing developers down and wasting their time chasing issues that aren’t real. 10 Things to Get Right for Successful DevSecOps Neil MacDonald, Gartner
  • 15. 25.2% 11.6% 15.1% 17.3% Survey results show that developers prioritize remediation of vulnerabilities based on available information, not necessarily on the impact of a vulnerability on the security of an application. 14.7% 16.2%
  • 16. Security teams analyze and prioritize vulnerabilities Sending emails or opening issues/tickets Closing the loop on resolution is hard The Common Way of Handling Security Vulnerabilities
  • 17. Bridging the Gap is a Must Security DevOps Developers
  • 18. WhiteSource Software Confidential ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? Reported Vulnerabilities Can you really handle all of them? Which ones constitute a real risk? Which ones should be addressed first? Effective Vulnerabilities Less to deal with. Much less.vs. The Secret to Prioritization: Reported Vulnerabilities are not Necessarily EFFECTIVE Focusing on Effective Vulnerabilities Could Enable: Better development efficiency Better development effectiveness Better security
  • 19. A new approach to prioritizing vulnerabilities - based their impact on an application’s security EFFECTIVE VULNERABILITY If the proprietary code is making calls to the vulnerable functionality INEFFECTIVE VULNERABILITY If the proprietary code is NOT making calls to the vulnerable functionality EFFECTIVE VS INEFFECTIVE VULNERABILITIES IN A COMPONENT
  • 20. After testing 2,000 Java applications, WhiteSource found that 72% of all detected vulnerabilities were deemed ineffective. Based on the data collected in our survey, this can be translated to saving 10.5 hours per month per each developer (70% of 15 monthly hours).
  • 22. Effective Usage Analysis is the technology of prioritizing open source vulnerabilities based on the way they are used by the application. Our beta testing on 25 commercial applications from 12 organizations showed that: analyzed projects were found to be vulnerable of the vulnerabilities (effective and ineffective) were found in transitive dependencies of all vulnerability alerts were found to be ineffective of all analyzed projects were found to contain only ineffective vulnerabilities ALL 90% 86% 64%
  • 23. Q&A