Your browser is not supported

For the best experience, use Google Chrome or Mozilla Firefox.

What is Open Source Security?

bg

Overview

Open Source Security, commonly referred to as Software Composition Analysis (SCA), is a methodology to provide users better visibility into the open source inventory of their applications. This is done by examining components via binary fingerprints, utilizing professionally curated and proprietary research, matching accurate scans against that proprietary intelligence, as well as proving developers this intelligence directly inside their favorite tools.

What is Open Source?

What is Open Source?

Open source refers to any software with accessible source code that anyone can modify and share freely. Source code is the part of software that users don't see; it's the code programmers can create and edit to change how software works. By having access to a program’s source code, developers or programmers can improve the software by adding features to it or fixing parts that don't always work correctly.

Why Use Open Source Software?

In today’s fast paced business world, software teams have adopted agile development practices such as DevOps to keep up with business demand. These practices put a lot of pressure on developers to build and deploy applications more quickly. To successfully achieve their goals within short software release cycles, developers frequently use open source software components. Open Source Software (OSS) is distributed freely, making it very cost-effective. Many developers benefit by starting with OSS and then tweaking it to suit their needs. Since the code is open, it's simply a matter of modifying it to add the functionality they want.

Is Open Source a Security Risk?

It’s no secret... developers use open source software.

Still, there are questions around how it should be managed – and for good reason.

Here’s why:

  • Open source components are not created equal. Some are vulnerable from the start, while others go bad over time.
  • Usage has become more complex. With tens of billions of downloads, it’s increasingly difficult to manage libraries and direct dependencies.
  • Transitive dependencies: if you are using dependency management tools like Maven (Java), Bower (JavaScript), Bundler (Ruby), etc., then you are automatically pulling in third party dependencies – a liability that you can’t afford.
  • 300,000+ open source components are downloaded annually by the average company
  • In 2018, across billions of open source component release downloads, 1 in 10 open source components had known security vulnerabilities (10.3%).
  • 51% of JavaScript package downloads contained known security vulnerabilities.
  • 71% increase in confirmed or suspected open source related breaches since 2014

How do I identify Open Source Vulnerabilities in my software?

Enterprises need to secure not just the code they write, but also the code they consume from open source components. That’s why many organizations are using Sonatype to automate open source governance at scale across the entire SDLC, shifting security left within development and build stages.

Discover the best-in-class, integrated solution for custom code and open source code security with Fortify by OpenText™ and Sonatype. Precise open source intelligence provides a 360-degree view of application security issues across the custom code and open source components in a single scan. You can perform searches for Open Source and Custom Code Vulnerabilities in a Single Scan and Dashboard.

Fortify also offers open source intelligence and security through Debricked using state-of-the-art machine learning for faster, more precise results. Debricked is a cloud-native software composition analysis solution that developers want to use and, in turn, increases productivity. This solutions employs a holistic approach with seamless integrations into the DevOps lifecycle to proactively manage software supply chain risks.

Resources

Assets

What is Cyber Security?
Software Composition Analysis with Sonatype
2019 State of the Software Supply Chain
Software Composition Analysis: Getting to the signal through the noise
5 ways to shift your appsec team’s focus to the supply chain
OpenText Security, Risk & Governance Trends
OpenText Application Security Solutions
OpenText Breach Defense Solutions
OpenText Compliance Solutions
OpenText Data Privacy Solutions
OpenText Data Governance Solutions
What is DAST
What is Cyber Resilience?
Infographic: AppSec Cheat Sheet
Forrester Wave: Static Application Security Testing
Fortify Customer Success Stories
What is OWASP Top 10?
Debricked Documentation

Related Products

Fortify on Demand by OpenText™

Application security as a service with security testing, vulnerability management, expertise, and support.

View solution page

Fortify Static Code Analyzer by OpenText™

Build secure software fast. Find security issues early and fix at the speed of DevOps.

View solution page

Fortify Software Security Center by OpenText™

Integrate and automate security testing with dev and get complete visibility of application security risks.

View solution page
    See all related products
    What is Open Source Security?

    Get started today.

    Learn more
    release-rel-2023-9-2-9373 | Wed Sep 20 05:02:54 PDT 2023
    9373
    release/rel-2023-9-2-9373
    Wed Sep 20 05:02:54 PDT 2023
    AWS