Open Source Is a Mainstay in Modern Development
It goes without saying that modern applications are rarely built from scratch today. Open-source software (OSS) communities are well-organized and licensing is usually pretty clear. Thus, when developers build applications, their first instinct is to use open source. Open source can provide most of the functionality required in an application, reducing the amount of custom code required to a mere fraction of the codebase.
Development teams, recognizing that open source enables them to build feature-rich applications at speed, still need to be wary of securing OSS libraries instituted in their code. After all, open source is no more or less secure than any other commercial software. As a result, it stands to reason that OSS must undergo the same level of scrutiny to ensure there are no glaring attack vectors that can be exploited by bad actors.
Developer Buy-in Equates To Success
One of the biggest challenges facing application security teams is the need to secure developer buy-in―especially when it comes to securing their open-source libraries. Too often, developers are overwhelmed with the number of alert findings presented to them by traditional application security tools. This includes software composition analysis (SCA) tools that analyze application vulnerabilities in open-source libraries. As Contrast Security revealed in its 2020 Application Security Observability Report, an average of 55% of open-source libraries are not actively used by the application in question.
To solve these challenges, application security teams need the ability to prioritize vulnerability remediation that accounts for both vulnerabilities in custom and open-source code. In the case of open source, the default is often to prioritize fixes by Common Vulnerabilities and Exposures (CVE) severity. However, this model may not always be applicable, depending on where and how the library in question is used. The result is that application security and development teams find themselves blindly trying to determine which vulnerabilities are worth fixing and which ones are just alert noise (false positives). This leads to less time spent on actually making the necessary fixes.
Contrast Security’s Approach to SCA
Development teams need a means to prioritize which vulnerable open-source libraries pose the most imminent risk in their applications. This means classifying which vulnerable libraries are actually called by the application in runtime―namely, those with the highest likelihood of exploitation by an attacker. Instead of relying solely on CVE severity rankings to prioritize risk, Contrast performs runtime library analysis to accurately identify if a library is actively called by the application. It then identifies which specific classes, files, or modules of a library are used. Showcasing specific components of a library in use presents developers with a much more efficient and actionable remediation plan―an outcome that enables application security and development teams to avoid hours of needless triage work.
See It in Action. Contrast Runtime Library Usage Enables Faster Remediation
See Contrast runtime in action: https://share.vidyard.com/watch/tzbBavZmkZzRj2xmeMYA2U?
Everyone Wins When Vulnerabilities Can Be Fixed Faster
The focus for developers is always going to be innovating business-critical applications at speed. Anything that takes them away from that goal is almost always going to be perceived as a development blocker. Application security teams can help foster goodwill with their developer counterparts by taking the burden of sifting through security findings off their plate. Integrating an SCA solution enables developers to automate open-source discovery and to prioritize library remediation based on runtime usage. This will help build better relations between application security and development teams, as the amount of work is drastically reduced for all parties involved. Everyone wins.
For more information on the Contrast approach to software composition analysis (SCA), check out our on-demand webinar on the topic and download the Contrast OSS data sheet.
You can also sign up for a free demo to understand how Contrast can help remove the burden of securing your open-source assets.