
DevSecOps and Open Source Risk: Why the Devil is in the Details and the Truth Will Set You Free

To compete effectively on a global playing field, companies aren’t just writing software — they’re manufacturing it as fast as they can using machine automation, DevOps style processes, and an infinite supply of open source components.

The good news is that most components are good -- like little angels -- and can help you dramatically accelerate the pace of software innovation.

The bad news is that some components are nasty little devils -- and if you're not careful -- can expose your business to significant risks.

To effectively manage open source risk at the speed of DevOps, organizations must distinguish good components from bad ones. There are two ways that you can try to do this:

  1. Utilize legacy intelligence from SCA vendors
  2. Utilize next generation intelligence from Sonatype.

At Sonatype, we have hundreds of customers who previously attempted to govern open source risk using legacy intelligence from SCA vendors.  Through head-to-head competition, we've seen how frustrating it is for customers to be overwhelmed by false positives because of open source vulnerability data that is fundamentally flawed.  Through these same experiences, we've learned exactly why legacy SCA data is flawed and we've become proficient in proving why our data is superior.

Simply stated, there are three reasons why Sonatype's data is better:

  1. Experience:  Starting from scratch in 2011, our mission was to precisely identify individual components so we could fully automate risk controls with respect to open source.  Similar to traditional SCA vendors, our initial plan was to use the Common Platform Enumeration (CPE) Dictionary to match component names against CVEs in the NVD.  Different from traditional SCA vendors, we immediately realized the architectural limitations of this approach.  Thus, we alone embarked on an audacious effort to build the world's first database to definitively identify the authoritative fingerprints (hashes) of every open source component.
  2. Investment:  Different from legacy SCA vendors, we don't buy component data from third-party feeds.  Instead, we've hired 65 expert researchers and invested more than _____ man-hours to create a proprietary data feed which we own and operate ourselves.  Equipped with proprietary techniques, artificial intelligence, and machine learning tools, this incredible team is dedicated to a 24x7x365 effort to research vulnerabilities emerging from a wide range of sources including the National Vulnerability Database (NVD), GitHub event processing, OSS Index, project advisories, Google alerts, internal 0-day research, vulnerability sites, customer-reported issues, FS-ISAC alerts, secondary expansions, blogs, tweets, etc.  In summary, we know more about the quality of open source than anyone else in the world.
  3. Value:  Different from legacy SCA vendors, our customers do not waste their valuable time researching an enormous volume of false positives.  Instead, they are empowered with remarkably precise intelligence and developer friendly remediation guidance which enables them to focus their precious time on building and continuously delivering great software applications.
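The contrast drawn in point 1 between CPE name matching and hash fingerprinting can be seen in a small constructed experiment. This is an added example, not Sonatype's code or data: the vendor, product, versions, CVE id and artifact bytes are all placeholders, and the fingerprint database is a hypothetical stand-in for an authoritative hash-to-coordinates index.

```python
import hashlib

# Constructed sample data: names, versions and the CVE id are placeholders, not real records.
ADVISORIES = [{"cve": "CVE-0000-0001", "cpe": "cpe:2.3:a:acme:widgets:2.1.0:*:*:*:*:*:*:*"}]

# Constructed artifact bytes standing in for real jar files.
ARTIFACTS = {
    "acme-widgets-2.1.0.jar":      b"acme widgets 2.1.0",       # the affected component
    "widgets-2.1.0-shaded.jar":    b"acme widgets 2.1.0",       # same bytes, renamed/repackaged
    "acme-widgets-core-2.1.0.jar": b"acme widgets-core 2.1.0",  # related but unaffected component
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Hypothetical fingerprint database: hash of the exact bytes -> authoritative coordinates.
FINGERPRINTS = {
    sha256(b"acme widgets 2.1.0"): ("acme", "widgets", "2.1.0"),
    sha256(b"acme widgets-core 2.1.0"): ("acme", "widgets-core", "2.1.0"),
}

def parse_cpe(cpe: str) -> tuple:
    # CPE 2.3 layout: cpe:2.3:part:vendor:product:version:... (fields after version ignored here)
    fields = cpe.split(":")
    return fields[3], fields[4], fields[5]

def match_by_name(filename: str, advisories: list) -> list:
    """CPE-style matching: guess product and version from the file name and compare strings.
    The loose substring match needed to cope with naming variation is what produces false
    positives (related but unaffected artifacts) and false negatives (renamed files)."""
    stem = filename[:-4] if filename.endswith(".jar") else filename
    base, _, version = stem.rpartition("-")
    return [adv["cve"] for adv in advisories
            if parse_cpe(adv["cpe"])[1] in base and parse_cpe(adv["cpe"])[2] == version]

def match_by_hash(data: bytes, advisories: list):
    """Fingerprint matching: identify the exact component by its hash, then apply only the
    advisories whose coordinates equal that component's. Unknown bytes return None so the
    caller reports 'unidentified' instead of guessing from the file name."""
    coords = FINGERPRINTS.get(sha256(data))
    if coords is None:
        return None
    return [adv["cve"] for adv in advisories if parse_cpe(adv["cpe"]) == coords]

def compare(artifacts: dict, advisories: list) -> dict:
    """Run both strategies over every artifact, keyed by file name."""
    return {name: {"by_name": match_by_name(name, advisories),
                   "by_hash": match_by_hash(data, advisories)}
            for name, data in artifacts.items()}

if __name__ == "__main__":
    for name, result in compare(ARTIFACTS, ADVISORIES).items():
        print(f"{name:30} name-match={result['by_name']}  hash-match={result['by_hash']}")
```

Name matching flags the unaffected `widgets-core` artifact and misses the renamed copy of the affected one; hash matching gets both right because identity is decided by the bytes, not the label.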

Here's the bottom line.  Data doesn't lie.  Our open source component intelligence is vastly superior compared to legacy SCA vendors.  But don't take our word for it.  To see the devil in the details for yourself -- we invite you to compare our data against the competition.


Written by Matt Howard

Matt is a proven executive and entrepreneur with over 20 years of experience developing high-growth software companies. At Sonatype, he leads corporate marketing, strategic partnering, and demand generation initiatives.