MacStadium announced that it has obtained Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Level 1, meaning that MacStadium has publicly documented its compliance with CSA’s Cloud Controls Matrix (CCM), and that it joined the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
SCA: The New Savior of Open Source Software - Part 2
April 25, 2023
Open source isn't a strategy, it's a philosophy of collaboration. It's the fabric of millions of commercial projects in industries like FinTech, IT and AI. But there's something curious about open source — it makes up the majority of codebases, so surely the packages have hundreds of eyes keeping watch on their security posture? Unfortunately not. But there's good news on the horizon, as the 2023 OSSRA report found the number of applications with high-risk vulnerabilities is at its lowest level in four years (the SBOM Executive Order and SCA uptake get kudos for this). Is there light at the end of the tunnel?
Start with SCA: The New Savior of Open Source Software - Part 1
Good Offense is Good Defense
In mid 2022, the Open Source Software Security Foundation (OpenSSF) launched a 10-point plan to promote and improve the security of open source software. Here are their observations in combination with our own.
Define a Policy
The best and worst part of open source software is its lack of centralized guidance, but this fluctuation shouldn't apply to your organization. You can combine the standardization of proprietary code with the functionality of open source by defining an internal usage policy. Start with the basics and identify the stakeholders who will decide if a package is suitable and procure it. On a deeper level, consider how open source packages fit into your short- and long-term business goals.
Create an Approval Process
Pre-approve a list of open source packages you can trust, and simultaneously define how you give them the stamp of approval. Ideally, you can consider factors like project maturity, the level of support, and vulnerability patterns. This strategy helps your organization avoid vulnerable, unpatched, or out-of-date packages that could compromise operations.
Promote Security Education
Technical and non-technical employees should understand the ins and outs of open source security. Investing in security education improves workflows and development in the long run and reduces the risks of improper open source software usage. Security education can still take a developer-first approach, as the right SCA tool should be easy to integrate with the development tools you already employ.
Build a SBOM For Everything
SCA tools have the ability to generate and export SBOMs, allowing your organization to provide concrete assurance to your customers. With SCA, you can automatically generate a SBOM in seconds to map out all third-party and OSS code dependencies throughout your codebases, therefore eliminating manual analysis and helping maintain high velocity.
Leverage Continuous Monitoring
Patching quickly isn't enough — you'll need to continuously monitor all open source packages. While this sounds like a nightmare for busy developers and security teams, leveraging AI and ML-powered SCA tools does the heavy lifting for you. This type of automation helps you classify the exploitability of OSS dependencies in your code and manage risk without needing to manually manage anything — simply view your SCA product's recommendations.
How to Choose a SCA Vendor
Choosing the right threat intelligence solution is a business-critical decision, and here are a few essential features to help you select yours.
Code Security From Day Zero
Early detection is never early enough when it comes to open source vulnerabilities. A SCA tool should check your dependencies for threats as soon as you declare them (as early as pre-commit), helping you uncover threats and information like the presence of cryptominers, exploitability, and package maintenance history. The vendor should provide alerts regarding out-of-date libraries and block known and unknown OSS packages from reaching your SDLC.
An Advanced Portfolio and a Developer First Approach
Vendors with a strong reputation will always come out on top. By choosing a trusted brand with a range of security tools in its portfolio, you will benefit from the reliability, coverage, and ease of integration with a tool from the same vendor. Simply integrate SCA with your existing systems and development tools thanks to native build plugins. The emergence of SCA has shed a light on its synergy with SAST, as both assist in prioritization and auto-remediation. The right SCA tool will enable development and security teams to control, recognize, and minimize risk without altering your tech stack, so you can keep the developer-first approach.
Automated and Actionable Threat Intelligence
With a suitable SCA tool, eliminating the risk of malicious or compromised OSS packages shouldn't negatively impact your workflows. Manual intervention can lead to errors and false positives, meaning you could waste time resolving vulnerabilities that are not definite threats. Industry-leading OSS risk management solutions leverage AI and ML to classify the exploitability of OSS dependencies in your code and provide actionable threat intelligence.
Continuously Monitor Your Codebase for Open Source Security Threats
SCA is integral for applying consistent open source policies, monitoring operational risk, and gaining visibility over your codebase. Preventing open source exploitation is significantly more efficient in the long run than scrambling to fix the consequences. Take action today by selecting a SCA tool, and let it do the work for you.
Industry News
May 08, 2024
The Cloud Native Computing Foundation® (CNCF®) released the two-day schedule for CloudNativeSecurityCon North America 2024 happening in Seattle, Washington from June 26-27, 2024.
May 08, 2024
Sumo Logic announced new AI and security analytics capabilities that allow security and development teams to align around a single source of truth and collect and act on data insights more quickly.
May 08, 2024
Red Hat is announcing an optional additional 12-month EUS term for OpenShift 4.14 and subsequent even-numbered Red Hat OpenShift releases in the 4.x series.
May 08, 2024
HAProxy Technologies announced the launch of HAProxy Enterprise 2.9.
May 08, 2024
ArmorCode announced the general availability of AI Correlation in the ArmorCode ASPM Platform.
May 08, 2024
Octopus Deploy launched new features to help simplify Kubernetes CD at scale for enterprises.
May 08, 2024
Cequence announced multiple ML-powered advancements to its Unified API Protection (UAP) platform.
May 07, 2024
Oracle announced plans for Oracle Code Assist, an AI code companion, to help developers boost velocity and enhance code consistency.
May 07, 2024
New Relic launched Secure Developer Alliance.
May 07, 2024
Dynatrace is enhancing its platform with new Kubernetes Security Posture Management (KSPM) capabilities for observability-driven security, configuration, and compliance monitoring.
May 07, 2024
Red Hat announced advances in Red Hat OpenShift AI, an open hybrid artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across hybrid clouds.
May 07, 2024
ServiceNow is introducing new capabilities to help teams create apps and scale workflows faster on the Now Platform and to boost developer and admin productivity.
May 06, 2024
Red Hat and Oracle announced the general availability of Red Hat OpenShift on Oracle Cloud Infrastructure (OCI) Compute Virtual Machines (VMs).
May 06, 2024
The Software Engineering Institute at Carnegie Mellon University announced the release of a tool to give a comprehensive visualization of the complete DevSecOps pipeline.
