“Set and Forget” Approach to Open Source Software Creates Security and Compliance Risks

According to two recent security research reports* on open source software, up to 75% of internally developed software consists of open-source components. The reports also conclude that the open-source code used within those codebases contains an average of 158 vulnerabilities, and that 60% of the codebases contain ‘high risk’ open-source vulnerabilities that have been actively exploited. According to the research, the three leading reasons developers give for not addressing these vulnerabilities are:

  • Developers don’t have the resources, so vulnerabilities persist for seven months on average.
  • Developers don’t have the pertinent information on how to fix the issues.
  • Developers don’t have the training to recognize these issues, so 50% of the vulnerabilities never get fixed.

Given the timeframes for delivering software, coupled with the demands placed on the development team, 54% of the respondents in one of the reports stated that they seldom check the legal terms under which the libraries may be used, which places their organization’s compliance posture at risk.

Software Composition Analysis (SCA) tools were designed to help automate the handling of these issues. Unfortunately, today’s vendors have one or more of the following limitations:

1.   Limited coverage across the 400 languages that need support. Vendors that rely on dependency managers cover only approximately 15 languages, so many vulnerabilities are never exposed.

2.   Poor matching for license compliance and vulnerability identification. Outdated algorithms and support for only one or two of the 13 available detection methods lead to an inaccurate software bill of materials (SBOM).

3.   Operational speed too slow for an Agile SDLC. Snippet matching, where existing vendors support it at all, takes hours or days, and your team is then tasked with scrubbing the results.

Threatrix detects, reports, and remediates vulnerabilities and licensing violations in open-source software, enabling security teams to fix what they can’t see and legal teams to discover what they don’t know.

1. Breadth of Detection: Threatrix is the only solution that supports every detection method at build time (ensuring security and compliance across 100% of your open source), whereas competing products run offline, which does not fit an agile SDLC.

2. Accuracy: Threatrix True Match is an algorithm built over the last 3 years that certifies your results across all of your open source, which makes this solution enterprise-ready.

3. Speed: Snippet matching detection completes in minutes, while other vendors take hours or days.

4. Language Coverage: Threatrix supports more than 400 languages while other vendors only support up to 22 languages.

5. License Compliance: The only vendor that automatically annotates source code, providing accurate license compliance throughout your organization.

The Threatrix software supply chain security and compliance risk management platform is a cutting-edge software composition analysis solution. With support for more than 400 languages and open source detection embedded at build time, the Threatrix True Match algorithm produces the fastest and most accurate software bill of materials, allowing our customers to make immediate use of actionable risk data and reduce MTTR by more than 80%.

* Synopsys and Veracode reports
