In the recent seminar on “Unlocking Innovation” held by NTUitive in collaboration with Infocomm Media Development Authority’s (IMDA) Open Innovation Platform, we have come together as a community to help build a vibrant tech ecosystem in the hopes of enabling innovation and co-creation in speed and scale across various partners. Dr Liu Yang shared Scantist’s expertise in managing application security across all levels of the software development lifecycle. Watch the seminar on-demand here.
Digitalisation and modern technology in today’s world gave rise to the development of various applications in order to meet the business needs of a quicker turnaround time. As such, open source has become an integral part of the fast-paced software development life cycle in organisations large and small.
While the widespread use of open source can be attributed by its various characteristics we’ve highlighted in our earlier blog post, the same characteristics are also often exploited by adversaries to breach applications. As seen in the Equifax breach which occured in 2017, the root cause of the disclosure of personal data of 143 million people was the vulnerability in Apache Struts, a highly popular open source library in Java.
60% to 90% of enterprise application codes are open source and 1 out of 4 data breaches occur as a result of vulnerable open source components. This presents a real and immediate threat for organisations but the topic on open source security ownership has been a constant debate. The weight of responsibility in vulnerability prevention is unfortunately shifted from vendors to developers.
While developers are responsible for the codes they write, they have a myriad of priorities - pushing out new products or applications quickly, releasing new versions of their applications with improved functionalities - all of which supersede the need for consistent checks on their codes. Fortunately, the amount of effort required for organisations to secure their open source components can be minimised by automating the detection and remediation of vulnerabilities.
With a Software Composition Analysis (SCA) tool, developers do not need to waste time in determining the next secure version to patch to, or worry about incompatible patch versions. Scantist’s SCA tool helps manage open source security and compliance risks in a proactive manner by providing greater visibility into your organisation’s software supply chain. We provide a comprehensive bill of materials to identify all open source components in your application, detailing the direct and transitive dependencies in your codes. Our proprietary vulnerability and security knowledge base has 16TB worth of data which covers all popular open source libraries - making sure we do not miss a single one of it.
Scantist’s developer focused remediation recommendations help you complete security fixes faster and accelerate your time-to-market with in-built issue management to enable clear delegation and tracking. Our SCA tool provides root level fixes which can be implemented instantly and includes a compatibility analysis or it can be as simple as a one-click-fix for all vulnerabilities. Our license and policy management system also improves your legal compliance through a customised policy enforcement as per your organisation’s needs.
As with dealing with any security vulnerability, the efficient way in managing such risks is not to try patching every single vulnerability – big or small. Organisations should prioritise the vulnerabilities they need to patch, typically the ones that can cause severe consequences, are easiest to exploit, but are also easiest to deal with. With a good SCA tool, organisations can lower the costs of fixing high priority vulnerabilities even without the need for security expertise and prevent adversaries from breaching their applications.