Get Ahead By Fixing CVEs Before The Alert Goes Live


One of the biggest pain points in managing application security in cloud native environments - and open source security in particular - is the quick remediation of open source vulnerabilities.

DevSecOps tools and practices are increasingly being put in place to ensure that application security is addressed from the earliest stages of the DevOps pipeline. These efforts must also include managing open source components, which have become a basic building block in today's applications, comprising up to 80% of our software products.

As AppSec practices shift left into development, the task of ensuring the open source libraries they use are up to date and secure falls on developers' shoulders - and it is quite a task. Open source libraries are composed of a tangled web of direct and transitive dependencies. Ensuring they are all updated to secure versions as soon as a vulnerability is detected without breaking the build or slowing down development might often feel like a losing battle.

84% Of Open Source Security Vulnerabilities Are Published After The Fix Is Already Available

Data from WhiteSource research shows that 84% of open source security vulnerabilities have a fix available before the vulnerability is published on the NVD. That means that, in theory, developers can fix most security vulnerabilities even before they are published on the NVD. However, anyone who has been in the trenches knows that this is easier said than done. Manually tracking CVEs, or the released fixes for vulnerable open source components, is virtually impossible at any real scale.

As the number of disclosed open source vulnerabilities keeps rising every year, it's become clear that it's impossible to address every single issue with the same urgency. The challenge is figuring out which security issues pose the greatest risk to your organization and addressing those first.

Keeping Open Source Components Up To Date Is Required

In addition to tracking all open source dependencies in the code base, staying on top of newly disclosed security vulnerabilities and fixing them quickly is another complicated task. Developers need to track the publication of new security vulnerabilities across multiple bug trackers and security advisories, which may or may not include fix recommendations.

Because of the decentralized and distributed nature of the open source community, open source vulnerabilities are managed differently than vulnerabilities in proprietary applications. The open source community is made up of a growing group of projects and contributors that work independently or are sponsored by commercial companies in the software development ecosystem.

Open source project maintainers depend on their community to help uncover vulnerabilities and create fixes as quickly as possible. When a vulnerability is detected in an open source library, it's often assigned a CVE and eventually published in the National Vulnerability Database (NVD). However, it's important to remember that open source issues are also published on community resources outside of the NVD, such as project issue trackers and security advisories, often before the NVD entry appears.

Once published, it's up to developers to make sure that they are using secure versions of open source components. Developers are tasked with tracking all of the open source libraries in their codebase, along with tracking the publication of new open source security vulnerabilities. Ideally, when a new vulnerability is published with a fix available, the vulnerable version in their code is updated to a fixed version as soon as possible.

Steps To Enable Faster Detection To Remediation

As the increase in security debt plagues organizations across all industries and verticals, it's clear that quick vulnerability remediation is an ongoing challenge for most organizations.

While everyone agrees that vulnerable open source versions must be fixed as soon as possible, overlooking the complexities of this process or ignoring the barriers to implementing quicker remediation only exacerbates the problem.

Simply telling developers to remediate quickly won't help minimize security debt or cut down your organization's backlog of security alerts. Developers must be provided with actionable remediation insights that identify:

  • What to fix first
  • Which vulnerabilities are actually reachable by applications
  • Which vulnerabilities pose the most risk
  • Where exactly the problematic component is and how stable the updated version is

When provided with this type of support, developers have a better chance of addressing security issues without slowing down development or breaking the build.
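The points in the list above come down to two questions a scanner has to answer per finding: is the installed version inside an advisory's affected range (and what is the fixed version), and which direct dependency pulled the vulnerable transitive component in, since that is the dependency that has to move for the upgrade to take effect. The following is an added example, not WhiteSource's code or any product's logic. The dependency graph, the advisories and their identifiers are constructed for the example; the advisories borrow the OSV-style "introduced"/"fixed" event layout, where an "introduced" with no following "fixed" means no fix has been published yet.

```python
"""Locate vulnerable open source components in a dependency tree and report
the fixed version to move to. Added example, not WhiteSource's code.

The dependency graph and the advisories below are constructed for this
example. The advisories use the OSV-style "events" layout: each
"introduced" version starts an affected range that ends just before the
following "fixed" version; an "introduced" with no "fixed" after it means
no fix has been published yet. The advisory identifiers are hypothetical.
"""

# Constructed graph: package -> (installed version, direct dependencies).
GRAPH = {
    "app":             ("1.0.0", ["web-framework", "json-parser"]),
    "web-framework":   ("3.2.1", ["http-lib", "template-engine"]),
    "template-engine": ("2.0.4", ["string-utils"]),
    "json-parser":     ("1.7.0", ["string-utils"]),
    "http-lib":        ("4.1.0", []),
    "string-utils":    ("1.3.2", []),
}

# Constructed advisories (hypothetical IDs, OSV-style events).
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "package": "string-utils",
     "events": [{"introduced": "1.0.0"}, {"fixed": "1.3.3"}]},
    {"id": "EXAMPLE-2021-0002", "package": "http-lib",
     "events": [{"introduced": "4.0.0"}, {"fixed": "4.0.5"},
                {"introduced": "4.2.0"}, {"fixed": "4.2.1"}]},
    {"id": "EXAMPLE-2021-0003", "package": "json-parser",
     "events": [{"introduced": "1.6.0"}]},          # no fix released yet
]


def parse_version(text):
    """Turn '1.2.3', '1.2' or '1.2.3-rc1' into a comparable (1, 2, 3) tuple.
    Pre-release and build metadata are dropped, which is good enough for
    comparing release versions against advisory ranges."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def affected_range(version, events):
    """Return (affected, fixed_version). fixed_version is None when the
    version is not affected, or when the range containing it has no fix."""
    v = parse_version(version)
    introduced = None
    for event in events:
        if "introduced" in event:
            introduced = parse_version(event["introduced"])
        elif "fixed" in event and introduced is not None:
            if introduced <= v < parse_version(event["fixed"]):
                return True, event["fixed"]
            introduced = None
    if introduced is not None and v >= introduced:
        return True, None          # affected, but no fix published yet
    return False, None


def reachable_from(graph, start):
    """All packages pulled in, directly or transitively, by `start`."""
    seen, stack = set(), [start]
    while stack:
        pkg = stack.pop()
        if pkg not in seen:
            seen.add(pkg)
            stack.extend(graph[pkg][1])
    return seen


def find_vulnerable(graph, advisories, root="app"):
    """Match every advisory against the installed versions reachable from
    `root`. Each finding names the direct dependencies that pull the
    vulnerable package in: every one of them must pick up the fixed version
    (or be overridden) before the vulnerable version disappears from the build."""
    shipped = reachable_from(graph, root)
    findings = []
    for adv in advisories:
        pkg = adv["package"]
        if pkg not in shipped:
            continue               # advisory for a package we do not ship
        affected, fixed = affected_range(graph[pkg][0], adv["events"])
        if not affected:
            continue
        via = sorted(d for d in graph[root][1] if pkg in reachable_from(graph, d))
        findings.append({"id": adv["id"], "package": pkg,
                         "installed": graph[pkg][0], "fixed": fixed, "via": via})
    # Actionable findings (fix available) come first; the rest need
    # monitoring or a compensating control until a fix ships.
    findings.sort(key=lambda f: f["fixed"] is None)
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(GRAPH, ADVISORIES):
        fix = f"upgrade to {f['fixed']}" if f["fixed"] else "no fix published yet"
        print(f"{f['id']}: {f['package']} {f['installed']} via {f['via']} -> {fix}")
```

Two things the run shows that a flat "you have a CVE" alert does not: string-utils 1.3.2 is reached through both json-parser and web-framework, so bumping only one of them leaves the vulnerable copy in the tree, and json-parser is affected by an advisory with no fixed version, which is the case where "remediate now" is not an option and the team needs a reachability check or a compensating control instead. The http-lib advisory is correctly skipped because 4.1.0 sits between two affected ranges rather than inside one.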


To hear more about cloud native topics, join the Cloud Native Computing Foundation and cloud native community at KubeCon+CloudNativeCon North America 2021 - October 11-15, 2021


Sam Quakenbush, Global SE Director, WhiteSource

As the Global Director of Sales Engineering at WhiteSource Software, Sam Quakenbush specializes in providing enterprise organizations with application security solutions and has helped numerous companies empower developers to deliver secure applications.

Published Wednesday, October 06, 2021 7:47 AM by David Marshall