“Set and Forget” Approach to Open Source Software Creates Security and Compliance Risks

According to two recent security research reports* on open source software, internally developed software contains up to 75% open-source software. The report also concludes that the open-source components used within codebases contain on average 158 vulnerabilities, and that 60% of the codebases have ‘high risk’ open-source vulnerabilities that have been actively exploited. According to the research, the three leading reasons developers give for not addressing these vulnerabilities are:

  • There aren’t enough resources for developers, so vulnerabilities last an average of seven months.
  • Developers don’t have the pertinent information to fix the issues.
  • As a result of developers’ lack of training, 50% of vulnerabilities remain unfixed.

54% of respondents in one of the reports stated that because of the timelines involved in delivering software alongside the demands made on the development team, they seldom check on the legal use of the libraries, putting their compliance posture at risk.

Tools for Software Composition Analysis (SCA) are designed to address these issues through automation. Unfortunately, the vendors today have one or more of the following challenges:

Limited Coverage in supporting 400 languages. The incumbents that support dependency managers only cover a maximum of 200 languages; consequently, many vulnerabilities go unexposed.

Poor matching of licensing compliance and identifying vulnerabilities. The outdated algorithms only support one or two detection methods, leading to an inaccurate software bill of materials (SBOM).

Operational speed performance to meet Agile SDLC.  Of the few vendors that support snippet matching, the results take several hours or days, in addition to the time your team must spend scrubbing the results.

Threatrix detects, reports, and remediates vulnerabilities and licensing violations in open-source software, enabling security teams to fix what they can’t see and legal teams to discover what they don’t know.

The Threatrix advantages:

Breadth of Detection: Threatrix is the only solution that supports every detection method in build time, ensuring security and compliance across 100% of your open source. The incumbents are offline, which does not facilitate agile SDLC.

Accuracy: Threatrix True Match is an algorithm built over the last 3 years that certifies your results across all of your open source, making us enterprise-ready for your global team.

Speed: We provide build-time snippet matching detection delivered in minutes. 

Language Coverage: Threatrix supports more than 400 languages.

License Compliance: The only solution that automatically annotates source code providing accurate license compliance throughout your organization.

The Threatrix software supply chain security and compliance risk management platform is a cutting-edge software composition analysis solution. Our Truematch algorithm ensures the fastest and most accurate software bill of materials, allowing our customers to make immediate use of actionable risk data to reduce MTTR by more than 80%.

* Synopsys and Veracode reports
