Posted by Rajiv Chikapanchiah on January 8, 2018
Few people still need an introduction to the dangers of security vulnerabilities lurking in open source and third-party code.
Open source software has come a long way from being a techno-hippie dream in the late ’80s. Today, it exists nearly everywhere and is a pervasive component of all current major technological innovation. We find open source software components in our Linux operating systems, Apache web servers, Android mobile environments, and Hadoop big data frameworks, among others. Consequently, many companies, both enterprises and startups alike, must figure out ways to incorporate more open source modules into their proprietary code—or at the very least, expose capabilities in their software to interact with open source code.
But this transition toward the widespread use of open source code has not been without risks, and we don’t have to look far to understand that. In September 2017, Equifax, a major consumer credit reporting agency and a Fortune 100 firm, disclosed that cyber criminals had breached its systems. Attackers got in through a known, unpatched vulnerability in an open source component the company used (the Apache Struts web framework), for which a fix had been available for months; the breach exposed the personal data of well over 100 million consumers and led to severe financial repercussions for the company and a loss of consumer trust. The lesson is not that open source is unsafe but that an organization must know which components it ships and act on published vulnerabilities in them quickly.
In light of such threats, companies are scrambling for ways to manage and use their open source and third-party code more securely. Synopsys has been helping companies manage security risk and license compliance with Protecode SC, an automated software composition analysis (SCA) tool. Protecode SC builds an inventory of the open source components in a code base and continually updates its knowledge of security vulnerabilities and license definitions, so a newly published vulnerability in a component already in the inventory is surfaced as soon as it appears. Organizations can gain substantial additional efficiency by taking a two-pronged approach: SCA with Protecode SC for the third-party code they consume, and static analysis with Coverity for the code they write themselves.
Synopsys Static Analysis (Coverity) is a comprehensive static application security testing (SAST) platform that finds critical defects and security weaknesses in code before they become vulnerabilities or crashes, or degrade the overall quality of your software.
After listening to our customers’ needs and pain points, Synopsys has established a set of best practices and a workflow that integrates Protecode SC and Coverity Connect: Protecode SC identifies the security vulnerabilities in open source components, and Coverity Connect is the interface in which developers triage them. This approach makes it possible to customize triage for the needs of specific software groups, set up charts, track vulnerability trends, and establish a baseline from which to manage open source security vulnerabilities.
For groups that have already deployed the Coverity platform, the integration leverages the existing software development life cycle (SDLC) workflow around Coverity, saving time and cost: there is no need for additional resources to design and set up a separate workflow for open source findings. In addition, team and company supervisors get a single interface for monitoring every security-related defect that requires developer attention, whether it originates in proprietary or open source code. This is especially useful when open source code is spread across many applications and engineering divisions.
The Protecode SC / Coverity Connect integration is implemented with Python scripts, and it can be deployed as a plug-and-play feature in any operating environment that supports Coverity Analysis. You configure how the integration’s results appear in the Coverity Connect interface, and you can layer on custom features: for example, organizing results by CVSS rating and score, customizing the technical description to comply with a specific industry standard, or supporting more tailored workflows for individual development teams. In summary, the integration offers three key benefits for software organizations from a security standpoint:
A sample customization
The interface links each identified vulnerability to its entry in the National Vulnerability Database (NVD) and displays the triage information a reviewer needs, such as the CVSS score and severity rating.