How do you know what is really in your software?
Open-source software is present in an overwhelming amount of proprietary codebases and public projects. For the global 2000, the question you should be asking is not “ if you are or aren’t using open source code.” The right question is, “what open-source code you’re using, how much are you using, and where is it located?” If you aren’t aware of what is in your software supply chain, vulnerabilities in your dependencies can affect your application, making your organization vulnerable to being compromised.
Let’s begin with the term “software supply chain security,” what it means, why it is so important, and how Threatrix can help secure all of your project’s supply chain.
Software Supply Chain
A supply chain is everything used to deliver your product, including all components that affect the product’s delivery or the development through the CI/CD pipeline until it reaches deployment. In other words, everything that touches it from beginning to end. Including the code, repository, binaries, package managers, who wrote it, and when, how it’s been reviewed for security issues, known vulnerabilities, supported versions, and license information.
It includes builds and packaging scripts or the software running the infrastructure your application runs on—any information you want to know about the software running to determine any risks in running it.
Why is it Important?
According to Github, your projects use 203 open-source dependencies per repository on average. As much as Ninety-nine percent of codebases contain open source code, and anywhere from 85 to 97 percent of enterprise codebases come from open source. Meaning most applications consists of code that developers copied. The vulnerabilities in third-party or open-source dependencies create significant security risks.
Thousands of users effectively have commit access to your production code. If any of these dependencies have vulnerabilities, your code most likely has vulnerabilities. A dependency could change without you being made aware. If vulnerabilities exist in a dependency today but aren’t exploitable in your application, changes inside or outside of your codebase could make your organization susceptible down the road. A mistake, unpatched vulnerability, or a malicious attack on a dependency in your supply chain can have grave consequences.
Securing all Components in Your Supply Chain
DevSecOps requires approaching security as an ongoing part of software development. Developers need to monitor what dependencies they use and be aware of vulnerabilities in those dependencies, including transitive dependencies—understanding the risks associated with those dependencies, including vulnerabilities and licensing restrictions.
Manage your dependencies when a new security vulnerability is discovered and update to obtain the latest functionality and security patches. Review changes that introduce new dependencies and remove unnecessary dependencies.
Monitor your supply chain. Audit the controls you have to manage your dependencies, and move from audit to enforcement.
Threatrix reduces your risk of the use of open-source software. Our scans produce an accurate bill of materials of all of your open-source software used in your intellectual property. We know which components are associated with your projects. We see what vulnerabilities and licenses are associated with those components and make suggestions to move to a secure version of the component or automatically upgrade it to the next secure version or the latest secure version. We integrate with your existing DevOps environment to automate component detection and provide that data to your developers for easy remediation.
Threatrix can detect and report open source dependencies, undeclared open source components (like whole open-source projects), open-source files copied into a project (like JQuery or other javascript files), and even report on changes made to open source components as small as 256 bytes.
We simplify the process for organizations to efficiently manage the security and license risk associated with their use of open-source software.