The days of developers creating every line of code from scratch are over. The intense demand for newer, better software means development speeds have become correspondingly intense. In turn, developers need to rely on the pre-built functionality in open source libraries to keep up. The problem with this practice is that it also introduces a whole new layer of vulnerabilities into organizations’ code, and they are vulnerabilities that are often more difficult to identify than those in first-party code.
In an effort to better address this increasing problem, Veracode recently acquired SourceClear Technologies. With this acquisition, we are enhancing and expanding our software composition analysis offering – helping developers code with both speed and security.
The following are a few of the powerful features of the SourceClear solution that enable developers in a truly unprecedented way:
In many cases, when developers pull in an open source library, they are only using one small piece of it – one method or function. So even if the library is tagged as being vulnerable, your data might not be passing through the vulnerable part, or the method or function you are using might not be vulnerable.
By using control flow analysis, the SourceClear scanner can tell if the function in an open source component containing a vulnerability is actually being called by your first-party code. This allows developers to better prioritize work, and dramatically decreases remediation work, in some cases by up to 90 percent.
SourceClear identifies vulnerabilities that are not in, or haven’t yet made it into, the National Vulnerability Database (NVD). To unearth these vulnerabilities, SourceClear scours all open source repositories and scans not just the code, but also the metadata, commit logs, bug fixes, patch notes, and other developer comments. They then use a machine learning algorithm (verified by humans) to find security issues that have not been found or disclosed yet.
This enhanced database is extremely valuable because it keeps organizations one step ahead of cyberattackers. When a vulnerability is listed in the NVD, it’s essentially being surfaced publicly for the first time – for organizations and for cyberattackers. Organizations then have a limited time to fix the vulnerability before attackers start taking advantage of it. And many companies have been breached due to this exact scenario. With SourceClear’s technology, organizations can find and fix vulnerabilities before they hit the NVD.
SourceClear maintains a list of approved libraries with their up-to-date vulnerability status. With this data, AppSec leaders can create catalogs for their developers with pre-approved open source libraries to leverage.
SourceClear is a SaaS platform with an agent that directly integrates with continuous integration and continuous delivery (CI/CD) platforms, providing a solution that is deeply embedded in the development process. With a variety of SDLC integrations that leverage an agent sitting on the build server, SourceClear allows users to, in most cases, add a single line of code to their build and begin scanning every time a new build is initiated.
When developers are building open source libraries, they often leverage other open source libraries, which, in turn, might contain methods from a third library, and so on and so on. The end result is layers of open source libraries connected together. In fact, it’s common for vulnerabilities in open source libraries to be five or six levels removed from first-party code. SourceClear has the ability to map these dependencies through all the open source code in use. In this way, you can identify vulnerabilities you would never know about otherwise, and get guidance on how to address them.
To learn more about open source library risk and solutions, check out our Virtual Summit, The Open Source Library Conundrum: Managing Your Risk. SourceClear founder Marc Curphey gives the keynote address.