Most applications contain open source code, which can expose companies to risks if left unchecked. Make the most of your open source vulnerability management with the right approach and tooling.
Open source software continues to solidify its role in a successful DevOps environment. It offers many unique benefits to the CI/CD pipeline that make it attractive to developers, such as the ability to be customized and ease of integration. However, you must be aware of the application security challenges it can bring. Open source software, while no more or less secure than commercial software, puts the responsibility of updating and monitoring for new vulnerabilities on the consumer, and that can be difficult to manage without a proper approach and tooling.
Open source vulnerability management is no easy task, but it’s necessary if you want to provide secure, dependable applications for both internal and external customers. To address vulnerabilities while avoiding interruptions to the CI/CD pipeline, organizations should approach open source vulnerability management by relying on these four critical elements.
You can’t just rely on one data source for open source security vulnerabilities. Pulling together multiple sources including your own primary research, the National Vulnerability Database (NVD) data feed, a validated set of security sources, third-party security vendors, open source risk analysis, and component distributors is a great start. But the truly vital piece is to infuse this information directly into the software development life cycle (SDLC), and as far left as possible. If developers have known vulnerability information at their fingertips as they code, it will save time and resources later in the SDLC.
In order to pinpoint vulnerable components in your applications, you have to first identify ALL the open source components in your applications. Doing so requires that you consider all versions and forks of the code, detect components in source and binary form, analyze commercial software where open source is frequently embedded, and look beyond just what has been declared in package managers. Automating this task saves teams from having to keep manual and often inaccurate inventories of open source. It also makes it possible to very quickly pinpoint vulnerable components as they’re pulled in, and know immediately when new vulnerabilities are reported. The full inventory is the first step, because if you don’t know you have it, you can’t make sure you patch it.
Once you have your inventory, and your diverse set of sources has surfaced all the known vulnerabilities, you might be left with a daunting list of things to fix. Being able to leverage additional information about the vulnerabilities will help the team prioritize the list and make sure they fix what’s most critical first. Data such as severity, exploitability, the impact of an exploit, reachability, and available solutions can all be vital to this task. The key to DevOps, though, is not just to have the information, but to automate the prioritization using this data and your business rules, so fixes happen quickly and alerts appear where developers are already working.
Finally, once you have your inventory, understand your known vulnerabilities, and know which ones to fix first, the last step is to actually make the fix. Patch information needs to arrive with the alert, be clear and concise, and reach the right person quickly. Armed with that information, the team has to quickly determine whether the patch is compatible with the fork and ensure it won’t cause any other downstream issues.
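The four elements above as one automated step, written here as an added example and not Black Duck's own code: records for the same CVE from several feeds are merged, matched against a component inventory that includes undeclared components, and ranked by severity, exploitability, reachability, an assumed business rule (internet-facing applications first), with the available fix carried along. Every component name, CVE id and score is constructed.

```python
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional
@dataclass
class Advisory:                       # one vulnerability record from one feed
    cve: str
    component: str
    affected: FrozenSet[str]          # affected versions of the component
    cvss: float
    exploit_available: bool
    reachable: bool                   # vulnerable code path called by the app
    fix_version: Optional[str]        # available solution, if the feed knows one

def merge_feeds(*feeds):
    """Combine records for one CVE from several sources: union the affected
    versions, keep the highest CVSS, any positive exploit/reachability signal,
    and the first fix version any source supplies."""
    merged = {}
    for adv in (a for feed in feeds for a in feed):
        m = merged.get(adv.cve)
        if m is None:
            merged[adv.cve] = replace(adv)   # copy so the feed is not mutated
            continue
        m.affected |= adv.affected
        m.cvss = max(m.cvss, adv.cvss)
        m.exploit_available |= adv.exploit_available
        m.reachable |= adv.reachable
        m.fix_version = m.fix_version or adv.fix_version
    return list(merged.values())

def priority(adv, internet_facing):
    """Assumed business rule: CVSS plus boosts for a public exploit, a reachable
    path, and an internet-facing application."""
    return adv.cvss + 2.0 * adv.exploit_available + 2.0 * adv.reachable + 1.0 * internet_facing

def prioritize(inventory, feeds):
    """inventory: (name, version, internet_facing) tuples; returns most-urgent-first."""
    ranked = []
    for adv in merge_feeds(*feeds):
        for name, version, exposed in inventory:
            if name == adv.component and version in adv.affected:
                ranked.append((priority(adv, exposed), adv.cve, name, version, adv.fix_version))
    return sorted(ranked, reverse=True)

# Constructed sample data: the two feeds disagree on CVE-0000-0001's severity and
# only the second knows a fix; libexample 1.2 was detected in a binary, not declared.
FEED_A = [Advisory("CVE-0000-0001", "libexample", frozenset({"1.0", "1.1"}), 7.5, False, True, None),
          Advisory("CVE-0000-0002", "otherlib", frozenset({"2.3"}), 9.8, True, False, "2.4")]
FEED_B = [Advisory("CVE-0000-0001", "libexample", frozenset({"1.2"}), 8.1, True, False, "1.3")]
INVENTORY = [("libexample", "1.1", True), ("otherlib", "2.3", False), ("libexample", "1.2", False)]
```

Calling `prioritize(INVENTORY, [FEED_A, FEED_B])` puts the reachable, exploitable, internet-facing libexample 1.1 ahead of the higher-CVSS but unreachable otherlib 2.3, each entry carrying the fix version that one feed supplied.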
We’ve laid out the challenges of open source vulnerability management, and outlined the necessary elements to help you manage it. But the real key is finding a tool that allows you to achieve this without slowing you down.
We understand the importance of an unimpeded flow of information through the DevOps pipeline. Black Duck® offers Black Duck Security Advisories (BDSAs), which are detailed open source vulnerability records that are sourced, curated, and analyzed by the Synopsys Cybersecurity Research Center (CyRC). BDSAs provide the critical vulnerability information required to manage remediation, delivered directly into the DevOps pipeline.
Black Duck is powered by the most comprehensive KnowledgeBase of open source software, and it contains thousands of Black Duck Security Advisories for known open source vulnerabilities. In addition, the CyRC team is continuously monitoring thousands of security feeds for new vulnerabilities and adding them to the KnowledgeBase, on average two weeks before they appear in the NVD.
To ensure you have a complete Bill of Materials (BoM), Black Duck takes a multifactor approach to open source discovery, finding far more than just what has been declared. Our additional methods for open source discovery help you find undeclared, modified, and even partial open source in your applications. Armed with a complete BoM, you can be sure you are finding and fixing all critical vulnerabilities in the codebase.
Finally, our CyRC team researches each vulnerability and provides this enhanced information directly to your BoM. Critical data like technical descriptions, exploitability, available solutions, CVSS scoring (including temporal metrics critical to understanding true severity), CWE, and reachability are all right at your fingertips. Armed with this information, you can automate the prioritization of remediation activities and ensure you have a viable solution or workaround to get to work fixing the issue and moving on.
Our white paper “Managing Software Vulnerabilities in a DevOps Environment” dives deeper into vulnerability management challenges and requirements, and explores how Black Duck can help your organization keep its applications secure.