SlideShare a Scribd company logo

The State of Open Source Vulnerabilities Management

WhiteSource
WhiteSource

Open source security vulnerabilities are increasing, with a 51.2% rise in reported cases in 2017. The lack of standard practices and tools leads to inefficient management, and prioritization based on usage analysis can significantly reduce security alerts. Effective prioritization can enhance developer efficiency and security by focusing on vulnerabilities that truly impact applications.

Software
1 of 23
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
THE STATE OF OPEN SOURCE VULNERABILITIES MANAGEMENT Presented by: Rami Elron, Senior Director of Product Management at WhiteSource
Key Findings: 1 Reported open source security vulnerabilities are on the rise. 2 The absence of standard practices and developer- focused tools lead to inefficient handling of open source vulnerabilities. 3 Prioritization is crucial to ensure companies address the most critical vulnerabilities on time. 4 Prioritization based on usage analysis can reduce security alerts by 70% to 85%.
OPEN SOURCE SECURITY VULNERABILITIES ARE ON THE RISE
The number of disclosed open source vulnerabilities rose by over 50% in 2017 NUMBER OF REPORTED OPEN SOURCE VULNERABILITIES ROSE BY 51.2% IN 2017
FREQUENCY OF USE OF OPEN SOURCE COMPONENTS of developers rely on open source components 96.8%
of all open source projects are vulnerable, but when it comes to the most popular open source projects… 7.5%
But, it's not all bad. The rise in awareness also led to a sharp rise in suggested fixes… of all reported vulnerabilities have at least one suggested fix in the open source community 97.4%
Information about vulnerabilities is scattered across hundreds of resources, usually poorly indexed and therefore unsearchable OF REPORTED OPEN SOURCE VULNERABILITIES APPEAR IN THE CVE DATABASE 86% OVER
DEVELOPERS ARE NOT EFFICIENTLY MANAGING OPEN SOURCE VULNERABILITIES
Developers rated security vulnerabilities as the #1 challenge when using open source components TOP CHALLENGES IN USING OPEN SOURCE COMPONENTS
Developers spend 15 hours each month dealing with open source vulnerabilities (e.g. reviewing, discussing, addressing, remediating, etc.) The cost is even higher, considering that the more experienced developers are the ones remediating HOURS SPENT ON OPEN SOURCE VULNERABILITIES PER DEVELOPERS' EXPERIENCE
WHAT DO YOU DO WHEN A VULNERABILITY IS FOUND? 1.0% 34.1% 13.3% 18.7% 33.0% Out of the monthly 15 hours only 3.8 hours are invested in remediation. The lack of set practices and tools can explain these inefficiencies.
PRIORITIZATION IS KEY TO OPEN SOURCE VULNERABILITY MANAGEMENT
Perfect security is impossible. Zero risk is impossible. We must bring prioritization of application vulnerabilities to DevSecOps. In a futile attempt to remove all possible vulnerabilities from applications, we are slowing developers down and wasting their time chasing issues that aren’t real. 10 Things to Get Right for Successful DevSecOps Neil MacDonald, Gartner
25.2% 11.6% 15.1% 17.3% Survey results show that developers prioritize remediation of vulnerabilities based on available information, not necessarily on the impact of a vulnerability on the security of an application. 14.7% 16.2%
Security teams analyze and prioritize vulnerabilities Sending emails or opening issues/tickets Closing the loop on resolution is hard The Common Way of Handling Security Vulnerabilities
Bridging the Gap is a Must Security DevOps Developers
WhiteSource Software Confidential ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? Reported Vulnerabilities Can you really handle all of them? Which ones constitute a real risk? Which ones should be addressed first? Effective Vulnerabilities Less to deal with. Much less.vs. The Secret to Prioritization: Reported Vulnerabilities are not Necessarily EFFECTIVE Focusing on Effective Vulnerabilities Could Enable: Better development efficiency Better development effectiveness Better security
A new approach to prioritizing vulnerabilities - based their impact on an application’s security EFFECTIVE VULNERABILITY If the proprietary code is making calls to the vulnerable functionality INEFFECTIVE VULNERABILITY If the proprietary code is NOT making calls to the vulnerable functionality EFFECTIVE VS INEFFECTIVE VULNERABILITIES IN A COMPONENT
After testing 2,000 Java applications, WhiteSource found that 72% of all detected vulnerabilities were deemed ineffective. Based on the data collected in our survey, this can be translated to saving 10.5 hours per month per each developer (70% of 15 monthly hours).
EFFECTIVE USAGE ANALYSIS
Effective Usage Analysis is the technology of prioritizing open source vulnerabilities based on the way they are used by the application. Our beta testing on 25 commercial applications from 12 organizations showed that: analyzed projects were found to be vulnerable of the vulnerabilities (effective and ineffective) were found in transitive dependencies of all vulnerability alerts were found to be ineffective of all analyzed projects were found to contain only ineffective vulnerabilities ALL 90% 86% 64%
Q&A

More Related Content

What's hot (20)

PPTX
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
WhiteSource
 
PDF
Tackling the Container Iceberg:How to approach security when most of your sof...
WhiteSource
 
PDF
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
DevOps.com
 
PDF
Open Source Security: How to Lay the Groundwork for a Secure Culture
WhiteSource
 
PDF
The Challenges of Scaling DevSecOps
WhiteSource
 
PDF
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
WhiteSource
 
PPTX
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
WhiteSource
 
PDF
The State of Open Source Vulnerabilities Management
SBWebinars
 
PDF
Pentest as a Service Impact 2020
DevOps.com
 
PPTX
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevOps.com
 
PPTX
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
PPTX
Practical DevSecOps Using Security Instrumentation
VMware Tanzu
 
PPTX
DevSecOps outline
Nickleus Jimenez
 
PPTX
DevSecOps
Joel Divekar
 
PPTX
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
PDF
DevSecOps in 2031: How robots and humans will secure apps together Log
Stefan Streichsbier
 
PDF
Demystifying DevSecOps
Archana Joshi
 
PDF
PIACERE - DevSecOps Automated
PIACERE
 
PDF
DevSecOps: A New Hope for Security in CI/CD
Franklin Mosley
 
PPTX
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
WhiteSource
 
Tackling the Container Iceberg:How to approach security when most of your sof...
WhiteSource
 
From Zero to DevSecOps: How to Implement Security at the Speed of DevOps
DevOps.com
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
WhiteSource
 
The Challenges of Scaling DevSecOps
WhiteSource
 
CI/CD pipeline security from start to finish with WhiteSource & CircleCI
WhiteSource
 
The Top 3 Strategies To Reduce Your Open Source Security Risks - A WhiteSour...
WhiteSource
 
The State of Open Source Vulnerabilities Management
SBWebinars
 
Pentest as a Service Impact 2020
DevOps.com
 
The DevSecOps Showdown: How to Bridge the Gap Between Security and Developers
DevOps.com
 
SCS DevSecOps Seminar - State of DevSecOps
Stefan Streichsbier
 
Practical DevSecOps Using Security Instrumentation
VMware Tanzu
 
DevSecOps outline
Nickleus Jimenez
 
DevSecOps
Joel Divekar
 
Benefits of DevSecOps
Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
DevSecOps in 2031: How robots and humans will secure apps together Log
Stefan Streichsbier
 
Demystifying DevSecOps
Archana Joshi
 
PIACERE - DevSecOps Automated
PIACERE
 
DevSecOps: A New Hope for Security in CI/CD
Franklin Mosley
 
DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource
DevOps Indonesia
 

Similar to The State of Open Source Vulnerabilities Management (20)

PDF
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
FINOS
 
PDF
5 things about os sharon webinar final
DevOps.com
 
PDF
Taking Open Source Security to the Next Level
SBWebinars
 
PPTX
7 Reasons Your Applications are Attractive to Adversaries
Derek E. Weeks
 
PDF
PDF The complete guide to developer first application security By Github.Co...
eivimayuyu
 
PPTX
Intelligence on the Intractable Problem of Software Security
Tyler Shields
 
PPTX
One login enemy at the gates
Eoin Keary
 
PDF
We are excited to announce that our new State of Software Security (SOSS) rep...
Ampliz
 
PDF
The State of Software Security 2022 SOSS - Solution
NeelKamalSingh8
 
PPTX
How do YOU compare to others in Mobile DevOps Performance, Productivity, and ...
AnnaBtki
 
PPTX
Amy DeMartine - 7 Habits of Rugged DevOps
SeniorStoryteller
 
PDF
Aliens in Your Apps!
All Things Open
 
PPTX
Software Security Assurance for DevOps
Black Duck by Synopsys
 
PPTX
Software Security Assurance for Devops
Jerika Phelps
 
PDF
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
Sonatype
 
PDF
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Sonatype
 
PDF
Case Closed with IBM Application Security on Cloud infographic
IBM Security
 
PPTX
The Illusion of Control: Seven Deadly Wastes in Your Devops Practice
matthewabq
 
PPTX
Why Patch Management is Still the Best First Line of Defense
Lumension
 
PPTX
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
OSSF 2018 - David habusha of Whitesource - Open Source Vulnerabilities 101
FINOS
 
5 things about os sharon webinar final
DevOps.com
 
Taking Open Source Security to the Next Level
SBWebinars
 
7 Reasons Your Applications are Attractive to Adversaries
Derek E. Weeks
 
PDF The complete guide to developer first application security By Github.Co...
eivimayuyu
 
Intelligence on the Intractable Problem of Software Security
Tyler Shields
 
One login enemy at the gates
Eoin Keary
 
We are excited to announce that our new State of Software Security (SOSS) rep...
Ampliz
 
The State of Software Security 2022 SOSS - Solution
NeelKamalSingh8
 
How do YOU compare to others in Mobile DevOps Performance, Productivity, and ...
AnnaBtki
 
Amy DeMartine - 7 Habits of Rugged DevOps
SeniorStoryteller
 
Aliens in Your Apps!
All Things Open
 
Software Security Assurance for DevOps
Black Duck by Synopsys
 
Software Security Assurance for Devops
Jerika Phelps
 
White Paper: 7 Security Gaps in the Neglected 90% of your Applications
Sonatype
 
Infographic: Heartbleed - Everything Was Secure Until, Suddenly, It Wasn't
Sonatype
 
Case Closed with IBM Application Security on Cloud infographic
IBM Security
 
The Illusion of Control: Seven Deadly Wastes in Your Devops Practice
matthewabq
 
Why Patch Management is Still the Best First Line of Defense
Lumension
 
Shifting the conversation from active interception to proactive neutralization
Rogue Wave Software
 
Ad

More from WhiteSource (16)

PDF
Securing Container-Based Applications at the Speed of DevOps
WhiteSource
 
PDF
Deep Dive into Container Security
WhiteSource
 
PDF
Fire alarms vs. Fire hoses: Keeping up with Dependencies
WhiteSource
 
PDF
DevSecOps: Closing the Loop from Detection to Remediation
WhiteSource
 
PDF
Barriers to Container Security and How to Overcome Them
WhiteSource
 
PDF
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
WhiteSource
 
PDF
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
 
PPTX
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
WhiteSource
 
PPTX
Automating Open Source Security: A SANS Review of WhiteSource
WhiteSource
 
PDF
Top Open Source Licenses Explained
WhiteSource
 
PPTX
WhiteSource Webinar What's New With WhiteSource in December 2018
WhiteSource
 
PPTX
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
WhiteSource
 
PDF
Find Out What's New With WhiteSource September 2018- A WhiteSource Webinar
WhiteSource
 
PPTX
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
WhiteSource
 
PPTX
Strategies for Improving Enterprise Application Security - a WhiteSource Webinar
WhiteSource
 
PPTX
How temenos manages open source use, the easy way combined
WhiteSource
 
Securing Container-Based Applications at the Speed of DevOps
WhiteSource
 
Deep Dive into Container Security
WhiteSource
 
Fire alarms vs. Fire hoses: Keeping up with Dependencies
WhiteSource
 
DevSecOps: Closing the Loop from Detection to Remediation
WhiteSource
 
Barriers to Container Security and How to Overcome Them
WhiteSource
 
SAST (Static Application Security Testing) vs. SCA (Software Composition Anal...
WhiteSource
 
From Zero To Hero: Continuous Container Security in 4 Simple Steps- A WhiteSo...
WhiteSource
 
The Devops Challenge: Open Source Security Throughout the DevOps Pipline- A W...
WhiteSource
 
Automating Open Source Security: A SANS Review of WhiteSource
WhiteSource
 
Top Open Source Licenses Explained
WhiteSource
 
WhiteSource Webinar What's New With WhiteSource in December 2018
WhiteSource
 
WhiteSource Webinar-New Research Reveals Key Strategy to Manage Open Source S...
WhiteSource
 
Find Out What's New With WhiteSource September 2018- A WhiteSource Webinar
WhiteSource
 
Find Out What's New With WhiteSource May 2018- A WhiteSource Webinar
WhiteSource
 
Strategies for Improving Enterprise Application Security - a WhiteSource Webinar
WhiteSource
 
How temenos manages open source use, the easy way combined
WhiteSource
 
Ad

Recently uploaded (20)

PDF
NSF Converter Simplified: From Complexity to Clarity
Johnsena Crook
 
PDF
Wondershare PDFelement Pro Crack for MacOS New Version Latest 2025
bashirkhan333g
 
PDF
Simplify React app login with asgardeo-sdk
vaibhav289687
 
PPTX
AEM User Group: India Chapter Kickoff Meeting
jennaf3
 
PDF
[Solution] Why Choose the VeryPDF DRM Protector Custom-Built Solution for You...
Lingwen1998
 
PDF
Digger Solo: Semantic search and maps for your local files
seanpedersen96
 
PDF
MiniTool Partition Wizard Free Crack + Full Free Download 2025
bashirkhan333g
 
PPTX
Comprehensive Risk Assessment Module for Smarter Risk Management
EHA Soft Solutions
 
PPTX
Agentic Automation: Build & Deploy Your First UiPath Agent
klpathrudu
 
PDF
Odoo CRM vs Zoho CRM: Honest Comparison 2025
Odiware Technologies Private Limited
 
PPTX
Customise Your Correlation Table in IBM SPSS Statistics.pptx
Version 1 Analytics
 
PPTX
Change Common Properties in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PDF
AOMEI Partition Assistant Crack 10.8.2 + WinPE Free Downlaod New Version 2025
bashirkhan333g
 
PPTX
Agentic Automation Journey Series Day 2 – Prompt Engineering for UiPath Agents
klpathrudu
 
PPTX
Get Started with Maestro: Agent, Robot, and Human in Action – Session 5 of 5
klpathrudu
 
PDF
Open Chain Q2 Steering Committee Meeting - 2025-06-25
Shane Coughlan
 
PDF
IDM Crack with Internet Download Manager 6.42 Build 43 with Patch Latest 2025
bashirkhan333g
 
PDF
IObit Driver Booster Pro 12.4.0.585 Crack Free Download
henryc1122g
 
PPTX
Coefficient of Variance in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PDF
TheFutureIsDynamic-BoxLang witch Luis Majano.pdf
Ortus Solutions, Corp
 
NSF Converter Simplified: From Complexity to Clarity
Johnsena Crook
 
Wondershare PDFelement Pro Crack for MacOS New Version Latest 2025
bashirkhan333g
 
Simplify React app login with asgardeo-sdk
vaibhav289687
 
AEM User Group: India Chapter Kickoff Meeting
jennaf3
 
[Solution] Why Choose the VeryPDF DRM Protector Custom-Built Solution for You...
Lingwen1998
 
Digger Solo: Semantic search and maps for your local files
seanpedersen96
 
MiniTool Partition Wizard Free Crack + Full Free Download 2025
bashirkhan333g
 
Comprehensive Risk Assessment Module for Smarter Risk Management
EHA Soft Solutions
 
Agentic Automation: Build & Deploy Your First UiPath Agent
klpathrudu
 
Odoo CRM vs Zoho CRM: Honest Comparison 2025
Odiware Technologies Private Limited
 
Customise Your Correlation Table in IBM SPSS Statistics.pptx
Version 1 Analytics
 
Change Common Properties in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
AOMEI Partition Assistant Crack 10.8.2 + WinPE Free Downlaod New Version 2025
bashirkhan333g
 
Agentic Automation Journey Series Day 2 – Prompt Engineering for UiPath Agents
klpathrudu
 
Get Started with Maestro: Agent, Robot, and Human in Action – Session 5 of 5
klpathrudu
 
Open Chain Q2 Steering Committee Meeting - 2025-06-25
Shane Coughlan
 
IDM Crack with Internet Download Manager 6.42 Build 43 with Patch Latest 2025
bashirkhan333g
 
IObit Driver Booster Pro 12.4.0.585 Crack Free Download
henryc1122g
 
Coefficient of Variance in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
TheFutureIsDynamic-BoxLang witch Luis Majano.pdf
Ortus Solutions, Corp
 

The State of Open Source Vulnerabilities Management

  • 1. THE STATE OF OPEN SOURCE VULNERABILITIES MANAGEMENT Presented by: Rami Elron, Senior Director of Product Management at WhiteSource
  • 2. Key Findings: 1 Reported open source security vulnerabilities are on the rise. 2 The absence of standard practices and developer- focused tools lead to inefficient handling of open source vulnerabilities. 3 Prioritization is crucial to ensure companies address the most critical vulnerabilities on time. 4 Prioritization based on usage analysis can reduce security alerts by 70% to 85%.
  • 4. The number of disclosed open source vulnerabilities rose by over 50% in 2017 NUMBER OF REPORTED OPEN SOURCE VULNERABILITIES ROSE BY 51.2% IN 2017
  • 5. FREQUENCY OF USE OF OPEN SOURCE COMPONENTS of developers rely on open source components 96.8%
  • 6. of all open source projects are vulnerable, but when it comes to the most popular open source projects… 7.5%
  • 7. But, it's not all bad. The rise in awareness also led to a sharp rise in suggested fixes… of all reported vulnerabilities have at least one suggested fix in the open source community 97.4%
  • 8. Information about vulnerabilities is scattered across hundreds of resources, usually poorly indexed and therefore unsearchable OF REPORTED OPEN SOURCE VULNERABILITIES APPEAR IN THE CVE DATABASE 86% OVER
  • 9. DEVELOPERS ARE NOT EFFICIENTLY MANAGING OPEN SOURCE VULNERABILITIES
  • 10. Developers rated security vulnerabilities as the #1 challenge when using open source components TOP CHALLENGES IN USING OPEN SOURCE COMPONENTS
  • 11. Developers spend 15 hours each month dealing with open source vulnerabilities (e.g. reviewing, discussing, addressing, remediating, etc.) The cost is even higher, considering that the more experienced developers are the ones remediating HOURS SPENT ON OPEN SOURCE VULNERABILITIES PER DEVELOPERS' EXPERIENCE
  • 12. WHAT DO YOU DO WHEN A VULNERABILITY IS FOUND? 1.0% 34.1% 13.3% 18.7% 33.0% Out of the monthly 15 hours only 3.8 hours are invested in remediation. The lack of set practices and tools can explain these inefficiencies.
  • 13. PRIORITIZATION IS KEY TO OPEN SOURCE VULNERABILITY MANAGEMENT
  • 14. Perfect security is impossible. Zero risk is impossible. We must bring prioritization of application vulnerabilities to DevSecOps. In a futile attempt to remove all possible vulnerabilities from applications, we are slowing developers down and wasting their time chasing issues that aren’t real. 10 Things to Get Right for Successful DevSecOps Neil MacDonald, Gartner
  • 15. 25.2% 11.6% 15.1% 17.3% Survey results show that developers prioritize remediation of vulnerabilities based on available information, not necessarily on the impact of a vulnerability on the security of an application. 14.7% 16.2%
  • 16. Security teams analyze and prioritize vulnerabilities Sending emails or opening issues/tickets Closing the loop on resolution is hard The Common Way of Handling Security Vulnerabilities
  • 17. Bridging the Gap is a Must Security DevOps Developers
  • 18. WhiteSource Software Confidential ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? Reported Vulnerabilities Can you really handle all of them? Which ones constitute a real risk? Which ones should be addressed first? Effective Vulnerabilities Less to deal with. Much less.vs. The Secret to Prioritization: Reported Vulnerabilities are not Necessarily EFFECTIVE Focusing on Effective Vulnerabilities Could Enable: Better development efficiency Better development effectiveness Better security
  • 19. A new approach to prioritizing vulnerabilities - based their impact on an application’s security EFFECTIVE VULNERABILITY If the proprietary code is making calls to the vulnerable functionality INEFFECTIVE VULNERABILITY If the proprietary code is NOT making calls to the vulnerable functionality EFFECTIVE VS INEFFECTIVE VULNERABILITIES IN A COMPONENT
  • 20. After testing 2,000 Java applications, WhiteSource found that 72% of all detected vulnerabilities were deemed ineffective. Based on the data collected in our survey, this can be translated to saving 10.5 hours per month per each developer (70% of 15 monthly hours).
  • 22. Effective Usage Analysis is the technology of prioritizing open source vulnerabilities based on the way they are used by the application. Our beta testing on 25 commercial applications from 12 organizations showed that: analyzed projects were found to be vulnerable of the vulnerabilities (effective and ineffective) were found in transitive dependencies of all vulnerability alerts were found to be ineffective of all analyzed projects were found to contain only ineffective vulnerabilities ALL 90% 86% 64%
  • 23. Q&A