Skip to main content

Leveraging Secure Open Source
Libraries Is Critical to Your Success

Your competitors are moving faster than ever before, constantly releasing features that delight their customers and help them gain market share. They do this by leveraging open source code, which ensures that their developers spend 90 percent of their time writing code that differentiates them in the market, rather than writing code that is purely table stakes. There are some inherent risks with the use of open source libraries, since you are putting trust in developers not employed by your company. However, the use of these libraries, in and of themselves, is not a problem; it’s not knowing whether those libraries contain vulnerabilities and if they’re impacting your application that is.

Open Source Risk - What value do Open Source

What Value Do Open Source Libraries Bring?

Today, up to 90 percent of an application’s code is made up of open source libraries.

Every application on the market shares some level of common features with other applications – or what we would call your “table stakes” features.  These are things like user profiles, login screens, password resets, file uploads, and frameworks.  Customers expect your application to have these features already, and aren’t going to pick you over your competitor because your file upload is better than theirs.  So to have your developers spend the majority of their time recreating these features from the ground up is drastically hurting the velocity of your business. 

Instead, the goal should be to free up that time by enabling developers to leverage open source libraries that are secure, so they can focus the majority of their time on the 10 percent of the application that actually sets your business apart. And as security leaders, you can, in turn, have a drastic positive impact on the velocity of your development organization.

Combating Open Source Vulnerabilities


Simply enabling developers to leverage open source libraries without knowing if they are secure or not can hinder your company in the long run, cost you money, and bring development velocity to a screeching halt. To combat that, it’s critical that you can help answer these three questions.



    Which Libraries Are We Using?


    Do The Libraries Contain Any Vulnerabilities, and Do They Impact Our Applications?

  • blue-stopwatch

    Can We React Fast Enough to New Vulnerabilities?



And while not necessarily related to your Open Source Risk specifically, it’s also important to keep in mind: “How do I do all of this at scale?”

Open Source Risk - Which libraries are we using?

Which Libraries Are We Using?

If you do not think that your applications are already using open source libraries of some type, then either your development is much slower than the competition’s or your developers are and you just don’t know it yet.

You can’t begin to take steps securing what you don’t know exists – so it's critical to have a way to keep inventory of everything that is available to your developers to use, as well as what is actually being used, and how. This is the baseline for securing against open source risk, and the place where you have to start first.


Simply using open source libraries is not a security threat to the business.

The real problem is not knowing that what you are using contains vulnerabilities, and that they are
exploitable in your application. See how Veracode can help you secure these issues:

Download the whitepaper
Open Source Risk - Do the libraries contain

Do the Libraries Contain Vulnerabilities and Do They Impact our Applications?

Once you know which libraries exist in your development ecosystem, it’s important to track which contain vulnerabilities and understand how those vulnerabilities may impact your applications.  An important component of this is knowing not only whether the libraries in active use contain vulnerabilities, but also what vulnerabilities are in other versions of that library.  It is very possible that upgrading a library to a version that fixed a vulnerability could in fact introduce more vulnerabilities to the application.

Another big issue is how to keep track of the vulnerabilities that exist.  Most companies will reference the National Vulnerability Database (NVD), which is an excellent source of vulnerability data.  However, not every vulnerability makes it into the NVD, so you have to find a way to track down vulnerabilities that are not yet known nor disclosed.

Open Source Risk Page - Can we react fast enough

Can We React Fast Enough to New Vulnerabilities?

As more open source libraries are introduced, and more developers contribute code to open source libraries, the chance to introduce new flaws increases dramatically.  When that happens, your organization needs to have a system in place that allows you to stay on top of anything new that has hit the public realm, determine whether it’s in your application, and how to remediate the issue to secure your application.

Software Composition Analysis (SCA)

Solving these problems is where a Software Composition Analysis (SCA) product comes into play. There are many of them on the market that all seek to solve for the same problem: to help you identify and avoid vulnerabilities introduced through open source libraries, however they tend to approach them very differently.

Veracode’s approach to solving your open source risk problems is by giving you the flexibility to fit Application Security to the way your organization develops software, while providing the features and capabilities to answer the 3 most important questions:


  • green-box

    Which Libraries Are We Using?

  • pink-bug

    Do The Libraries Contain Any Vulnerabilities, and Do They Impact Our Applications?

  • blue-stopwatch

    Can We React Fast Enough to New Vulnerabilities?


To find out how Veracode helps companies solve these issues, visit our SCA product page here

To find out how Veracode helps companies solve
these issues, visit our SCA product page here:

Download the Whitepaper
Open Source Risk - How do we operate at scale?

How Do We Operate at Scale?

Choosing a cloud vendor that has done this for years is how you can quickly and easily implement an AppSec program that scales with the needs of your business.  Veracode is not just a tool that you use – we take a programmatic approach to the way companies secure their software.  Security programs are only as good as the implementation, adoption, and utilization of the solutions they encompass – and this is where Veracode excels beyond the competition.

Get A Demo