On 12/2/22 4:56 am, Radoslaw Skorupka wrote:
> Well, who said it is not a problem???
I do. I maintain that proprietary code has just as many vulnerabilities as open source. In fact, I would suggest that open source code is better as the standard of engineer tends to be much higher than your average Joe coder working for a bank. Also, the code is in the open and can be scrutinized by millions of people. Who do you think develops open source software? Is it hobbyists, enthusiasts, students, academics etc? The truth is it's mostly engineers from big tech who are getting paid to develop open source. Check out the authors of Apache Commons components and it's IBMers https://github.com/apache/commons-bsf/blob/master/AUTHORS.txt. IBM were the organization that stumped up the cash and resources to develop Eclipse. A huge amount of Apache open source code is written and maintained by IBM and it's used extensively in their products.
> It sounds like "open source is free of bugs". However I have never heard such claim.
Nobody is saying that. That would be ignorant and stupid. All software has bugs.
> More: companies use some kind of whitelisting of open source software. In many cases a software developer is not allowed to use "fancy, shining code" just because some requirements are not met. It can be community, reputation, maturity, etc.
How can a company whitelist open source software if they purchase a product from a vendor or IBM that uses open source? As our products are sold and marketed by IBM we provide them with a Certificate of Originality which is a bill of materials that lists all of the open source software (with versions) that we use. We scan all of our products as part of our DevOps pipeline. There are three types of scans:
SCA (Software Composition Analysis) detects open source libraries with known vulnerabilities. It also checks for license violations against policies such as forbidding GPL licensed software. It's interesting that nobody has posted about the JNDI vulnerability [1] found in the H2 database which was similar to Log4Shell. As soon as the CVE was lodged our infosec team had scanned the Blackduck bill of materials database and contacted all product owners that were using h2. A thread was also started in Slack so we could collaborate. SCA does not require source code. We use Blackduck.
SAST (Static Application Security Testing) scans source code and detects vulnerabilities in proprietary code, written in house. It shifts security left to detect vulnerabilities as early as possible. SAST scans produce a lot of false positives but they can find flaws. I regard it highly. We use Polaris.
DAST (Dynamic Application Security Testing) is black box testing which can try to find vulnerabilities at runtime such as MITM attacks, SQL injection, DOM injection etc. We use Veracode.
Customers also scan our code using their tools. We took a case from a bank who had used Veracode to scan some of our HTTP client code and it discovered we were defaulting to TLSv1.1 for secure TCP connections. They wanted us to fix it to default to TLSv1.3, which we did.
[1] https://jfrog.com/blog/the-jndi-strikes-back-unauthenticated-rce-in-h2-database-console/
<https://www.whitesourcesoftware.com/resources/blog/software-composition-analysis/>

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
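The SCA step described in the post above (scan the bill-of-materials database for every product shipping a component named in a new advisory, then work out who to contact) is easy to reproduce in miniature. The following is an added example and not code from the post, from Black Duck, or from any product on the list. The product names, the SBOM entries and the advisory records are constructed for the demo; the H2 version bounds are an assumption modelled on the JNDI advisory the post links and the advisory ids are placeholders, not real CVE numbers. Components are identified by Package URL (purl) as CycloneDX SBOMs do, and advisories use OSV-style "introduced"/"fixed" events.

```python
"""Minimal SCA-style lookup: match an SBOM inventory against an advisory feed.

Added example (not the post's, Black Duck's or any vendor's code). All data
below is constructed; version bounds and advisory ids are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed "Certificate of Originality" data: one BOM per product,
# each component given as a purl with its version after '@'.
SBOM_DB: dict[str, list[str]] = {
    "ProductA": ["pkg:maven/com.h2database/h2@1.4.200",
                 "pkg:maven/org.apache.commons/commons-lang3@3.12.0"],
    "ProductB": ["pkg:maven/com.h2database/h2@2.0.206"],
    "ProductC": ["pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"],
}

# Constructed advisory feed in an OSV-like shape. Ids are placeholders and
# the version bounds are assumptions for illustration only.
ADVISORIES: list[dict] = [
    {"id": "ADV-H2-JNDI-EXAMPLE",
     "package": "pkg:maven/com.h2database/h2",
     "events": [{"introduced": "1.1.100"}, {"fixed": "2.0.206"}]},
    {"id": "ADV-LOG4J-EXAMPLE",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "events": [{"introduced": "2.0"}, {"fixed": "2.17.1"}]},
]

_NUM = re.compile(r"\d+")


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2.0.206' into (2, 0, 206). Textual qualifiers are ignored,
    which is adequate for the dotted numeric releases used here."""
    return tuple(int(x) for x in _NUM.findall(v))


def version_lt(a: str, b: str) -> bool:
    """Numeric comparison with zero padding so that 2.0 == 2.0.0."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def is_affected(version: str, events: list[dict]) -> bool:
    """Walk ascending OSV events: 'introduced' opens a vulnerable range,
    'fixed' closes it; report whether the version falls inside one."""
    affected = False
    for ev in events:
        if "introduced" in ev and not version_lt(version, ev["introduced"]):
            affected = True
        if "fixed" in ev and not version_lt(version, ev["fixed"]):
            affected = False
    return affected


def split_purl(purl: str) -> tuple[str, str]:
    """Return (package, version) from a purl, dropping qualifiers/subpath."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    name, sep, version = core.partition("@")
    if not sep:
        raise ValueError(f"purl without a version: {purl}")
    return name, version


@dataclass(frozen=True)
class Finding:
    product: str
    component: str
    version: str
    advisory: str


def find_affected(sbom_db: dict[str, list[str]],
                  advisories: list[dict]) -> list[Finding]:
    """Cross the whole BOM database against the feed, one pass per product."""
    by_pkg: dict[str, list[dict]] = {}
    for adv in advisories:
        by_pkg.setdefault(adv["package"], []).append(adv)
    findings: list[Finding] = []
    for product, purls in sbom_db.items():
        for purl in purls:
            name, version = split_purl(purl)
            for adv in by_pkg.get(name, []):
                if is_affected(version, adv["events"]):
                    findings.append(Finding(product, name, version, adv["id"]))
    return findings


def products_to_notify(findings: list[Finding]) -> dict[str, list[str]]:
    """Group advisory ids by product, i.e. the list of owners to contact."""
    out: dict[str, list[str]] = {}
    for f in findings:
        out.setdefault(f.product, []).append(f.advisory)
    return out


if __name__ == "__main__":
    for f in find_affected(SBOM_DB, ADVISORIES):
        print(f"{f.product}: {f.component}@{f.version} hit by {f.advisory}")
```

Two design points worth noting. The match key is the package part of the purl, so the lookup is unaffected by which product embeds the library or how many copies there are, which is exactly why a central BOM database answers the "who uses h2?" question faster than grepping build files. And the comparison is done on parsed version tuples, not strings: a naive string compare would call "1.4.200" newer than "1.10.0", and that kind of mistake silently drops affected products from the notification list.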
