On the Frontline – Open Source Software Risk Management Solution


New Actionable Intelligence and Management Capabilities in Insignary Clarity™ 2.0 Make it a Compelling Frontline OSS Risk Management Solution

Cyber Defense Magazine expert Gary Miliefsky estimates that between 2018 and 2022, more than $1.5 trillion will be spent, cumulatively, on cyber security products and services. As a managed services provider (MSP), we look to help our clients harden the software and systems they depend on to operate each day. One of the most challenging areas to address is open source software.

More than 90% of the software in use and written today contains open source software (OSS) code. Part of that is due to good code reuse: if a software snippet, library or other component is useful, it tends to be reused across a spectrum of software platforms, applications, middleware and firmware. The problem is that a vulnerability in that piece of code is then present everywhere the code was reused, potentially millions of places, and it is very hard to track down.

Another issue is that OSS is updated quite frequently; it can be cumbersome to keep track of updates to software libraries and components.

Perhaps the greatest risk is from third-party code that is procured either as a finished product or as a component to be used within a product or platform. It is challenging to know exactly what open source code is in it, and to ensure that it carries the latest bug fixes.

Of late, one of the best tools in our arsenal is a fingerprint-based binary code scanner.

With a fingerprint-based binary code scanner, we can determine what we call the software composition facts: which OSS components, and which versions of them, a software platform, application, middleware or piece of firmware is built from. Because the scanner works on the compiled binary itself, it needs neither the source code nor a reverse-engineering pass before scanning. That matters because the majority of the code our clients receive arrives in binary form, and the scanner tells the truth about what is in it.

This has enabled us to manage open source software-related license and security risks more effectively. Once software is scanned, we can go through and either patch known security vulnerabilities that have not been addressed in the code, develop workarounds that eliminate the security risks, or have the software vendors address the issues.

However, the one area where we have wanted the product to be more robust is its reporting and management features.

Well, I am happy to share that Insignary has just launched Clarity 2.0. With it comes an improved user interface and a significant number of very useful reporting and management capabilities. Now, executives and managers can quickly determine, at a glance, the most critical OSS security and licensing issues and allocate their DevOps and security resources to most effectively address them.

Specifically, some of the new features include:

  • A Dashboard – It gives a summarized overview of OSS security vulnerability status and license compliance issues across all projects or by each project.
  • Policy Settings – Executives and managers can set OSS usage and security policies for different projects, and the tool notifies managers when an open source component is used that may contain certain security vulnerabilities or license issues.
  • Scan Results Diff – Organizations can compare scan results side by side. And, before distributing updated versions of software, managers can focus on the newly identified license risks or security vulnerabilities since the last scan.
  • View Customization – Gives users a choice in how precisely they would like to view their scan results, as an overall summary or as minutely detailed information.
  • A Custom Database – Companies can distinguish between third-party OSS components and in-house, extended OSS projects.
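The scanning and diffing workflow described above, as an added example that is not part of the original article and is not Insignary's code. It fingerprints string constants pulled out of a binary (an assumed, deliberately simple fingerprinting method; commercial scanners fingerprint far more than strings), matches them against a constructed database of known component versions, attaches an illustrative excerpt of an advisory feed, and then compares two builds in the manner of the Scan Results Diff feature. The firmware images, the component strings and the advisory table are all constructed for this example.

```python
"""Toy fingerprint-based binary composition scanner (constructed example).

The fingerprint method (SHA-256 of distinctive string constants) is an
assumption for illustration only, not the method of any real product.
"""
import hashlib
import re
from collections import Counter

# Constructed fingerprint database: (component, version) -> strings assumed
# to survive compilation (banners, error messages). Illustrative, not
# verified against real builds.
KNOWN_COMPONENTS = {
    ("zlib", "1.2.8"): [
        b" inflate 1.2.8 Copyright 1995-2013 Mark Adler ",
        b" deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler ",
        b"invalid distance too far back",  # shared across zlib versions
    ],
    ("zlib", "1.2.11"): [
        b" inflate 1.2.11 Copyright 1995-2017 Mark Adler ",
        b" deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler ",
        b"invalid distance too far back",  # shared across zlib versions
    ],
    ("openssl", "1.0.1f"): [
        b"OpenSSL 1.0.1f 6 Jan 2014",
        b"SSLv3 part of OpenSSL 1.0.1f 6 Jan 2014",
    ],
    ("openssl", "1.1.1k"): [
        b"OpenSSL 1.1.1k  25 Mar 2021",
        b"RSA part of OpenSSL 1.1.1k  25 Mar 2021",
    ],
}

# Illustrative excerpt of an advisory feed. A missing key means "no entry
# in this excerpt", not "no known issues".
ADVISORIES = {
    ("openssl", "1.0.1f"): ["CVE-2014-0160"],  # Heartbleed
    ("zlib", "1.2.8"): ["CVE-2018-25032"],     # deflate bug, fixed in 1.2.12
    ("zlib", "1.2.11"): ["CVE-2018-25032"],
}


def fingerprint(artifact: bytes) -> str:
    """Fingerprint of one artifact extracted from the binary."""
    return hashlib.sha256(artifact).hexdigest()


def build_db(components):
    """fingerprint -> set of candidate (component, version); a string shared
    by several versions maps to all of them."""
    db = {}
    for key, strings in components.items():
        for s in strings:
            db.setdefault(fingerprint(s), set()).add(key)
    return db


def extract_strings(blob: bytes, min_len: int = 6):
    """Runs of printable ASCII, the cheapest artifact to pull from a binary."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def scan(blob: bytes, db, min_matches: int = 2):
    """{(component, version): match count} for candidates with at least
    min_matches hits. The threshold rejects a version supported only by a
    string that several versions share."""
    hits = Counter()
    for s in extract_strings(blob):
        for candidate in db.get(fingerprint(s), ()):
            hits[candidate] += 1
    return {c: n for c, n in hits.items() if n >= min_matches}


def vulnerabilities(composition):
    """Advisory IDs (from the excerpt above) for each identified component."""
    return {c: ADVISORIES.get(c, []) for c in composition}


def diff_scans(old, new):
    """Components added or removed between two scan results."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new))}


def new_findings(old_scan, new_scan):
    """Advisories attached only to components introduced since the last scan."""
    return vulnerabilities(diff_scans(old_scan, new_scan)["added"])


def make_image(*strings: bytes) -> bytes:
    """Constructed stand-in for a firmware blob: non-printable junk around
    NUL-separated string constants."""
    junk = bytes(range(32)) * 4
    return junk + b"\x00".join(strings) + b"\x00" + junk


# Two constructed builds: v2 updates OpenSSL but keeps a still-affected zlib.
IMAGE_V1 = make_image(
    b"vendor-firmware 1.0", b"OpenSSL 1.0.1f 6 Jan 2014",
    b"SSLv3 part of OpenSSL 1.0.1f 6 Jan 2014",
    b" inflate 1.2.8 Copyright 1995-2013 Mark Adler ",
    b" deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler ",
    b"invalid distance too far back",
)
IMAGE_V2 = make_image(
    b"vendor-firmware 2.0", b"OpenSSL 1.1.1k  25 Mar 2021",
    b"RSA part of OpenSSL 1.1.1k  25 Mar 2021",
    b" inflate 1.2.11 Copyright 1995-2017 Mark Adler ",
    b"invalid distance too far back",
)

DB = build_db(KNOWN_COMPONENTS)
SCAN_V1 = scan(IMAGE_V1, DB)
SCAN_V2 = scan(IMAGE_V2, DB)

if __name__ == "__main__":
    print("v1 composition:", SCAN_V1)
    print("v1 advisories:", vulnerabilities(SCAN_V1))
    print("v1 -> v2:", diff_scans(SCAN_V1, SCAN_V2))
    print("new findings in v2:", new_findings(SCAN_V1, SCAN_V2))
```

The match threshold is the check worth keeping: the inflate error message maps to both zlib versions, and only the version that also carries its own banners clears the threshold, so the shared string alone never produces a false version claim. Treat an empty advisory list as "no entry in this excerpt", not as a clean bill of health.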

As with any software security implementation we manage on behalf of our clients, we rely on a portfolio of products to improve our capabilities. With the new features that are now available in Clarity 2.0, we will have a very effective frontline OSS risk management solution.

About the Author

Bill Cameron serves as a Principal at Warrenton Global Solutions; supporting cyber security initiatives and international business development.

Prior to joining WGS, Bill spent more than 26 years as a United States Naval Officer in national defense and security roles.

For more information, he can be reached at info@warrentonglobalsolutions.com.