Having been at ActiveState for nearly eight years, I’ve seen many iterations of our product. However, one thing has stayed true over the years: our commitment to the open source community and companies using open source in their code. ActiveState has been helping enterprises manage open source for over a decade. In the early days, open source was in its infancy. We focused mainly on the developer case, helping get open source on platforms like Windows.
Over time, our focus shifted from helping companies run open source to supporting enterprises managing open source when the community wasn’t producing it in the way they needed. We began managing builds at scale, and supporting enterprises in understanding what open source they’re using and if it’s compliant and safe. Managing open source at scale in a large organization can be complex. To help companies overcome this and bring structure to their open source DevSecOps practice, we’re unveiling our end-to-end platform to help manage open source complexity.
The current state of open source and supply chain security has become a fiercely debated topic. It’s inevitable that with the soaring popularity of open source comes an influx of security issues. Open source adoption in modern software applications is significant. Over 90% of applications contain open source components. Open source is now at the core of how we produce software, and we’ve hit a point where it’s the primary vector for bad actors to get access to nearly any piece of software. Attacks have been around forever, but there’s been an increasing number of incidents in recent years.
Identification
Before you can even begin to remediate vulnerabilities, you need to know what you’re using in your code. It’s important to take inventory of all the open source that’s running within your organization. An artifact of this effort could look like a dashboard. Given the diversity and complexity of open source components, it’s essential to maintain an up-to-date and comprehensive view of all the open source libraries, frameworks, and tools in your software stack. This visibility allows organizations to understand their software composition better and take proactive measures to secure it.
A systematic approach to identification involves using automated tools to scan your codebase and catalog every open source component in use. This effort forms the foundation for all subsequent steps in managing open source security and compliance. With a well-designed dashboard, you can quickly identify which components need attention, are outdated, or pose potential security risks. Additionally, maintaining a detailed inventory helps in tracking the lifecycle of each component, ensuring timely updates and patches.
Ranking
Once you have the dashboard, you can start analyzing for vulnerabilities and dependencies and prioritize which to focus on first. Understanding where the risks are in your codebase and triaging them will help you make informed decisions about next steps. The process of ranking vulnerabilities involves assessing the severity and potential impact of each issue. This prioritization ensures that critical vulnerabilities are addressed promptly, reducing the risk of exploitation by malicious actors.
Ranking also includes evaluating the interdependencies between open source components. Identifying which components rely on others helps in understanding the broader implications of vulnerabilities and how they can propagate through your software. By focusing on high-priority vulnerabilities and dependencies first, you can mitigate the most significant risks and enhance the security posture of your organization.
Updating and Managing
Now comes the remediation and change management phase. You’ll want to establish governance and policies for managing open source across your organization to keep everyone aligned across functions and teams. This involves defining clear guidelines for selecting, evaluating, and integrating open source components. Implementing a governance framework ensures that open source usage is consistent and aligned with organizational goals and compliance requirements.
You should also closely manage what dependencies are used in both production and development environments to minimize risk. In our platform, we maintain a large immutable catalog of open source software. We keep a consistent, reproducible record of around 50 million version components, and we are constantly adding to it. It helps our users make sure they can always get back to reproducible builds. It means you can curate the entire internet for open source while trusting it’s secure. This process involves continuous monitoring and updating of dependencies to address newly discovered vulnerabilities and ensure compatibility with the latest versions.
Effective change management also includes communication and collaboration across teams. Developers, security professionals, and DevOps engineers must work together to implement updates and manage changes without disrupting ongoing projects. Regular training and education on open source security best practices can help teams stay informed and proactive in addressing potential risks.
Construct and Implement
The build and deploy phase involves incorporating secure and safe open source components into your code – because you’re not really remedied and secure until the fixes are deployed. At ActiveState, we build and track everything. From when we ingest source code to when we build it into a secure cluster. We then give it to you in a variety of formats to be deployed depending on your needs. We’re the only solution (that we know of) that truly helps companies remediate and deploy, completing the full lifecycle of ensuring software supply chain security.
Constructing a secure build environment involves using automated tools and processes to consistently produce secure, reproducible builds. This includes integrating security checks and validations into the build pipeline to catch and address vulnerabilities early. By automating these processes, organizations can reduce manual errors and enhance the overall security of their software.
Implementing secure open source components into your deployment pipeline requires careful planning and coordination. Ensuring that updates and patches are deployed consistently across all environments helps maintain the security and stability of your applications. Additionally, continuous monitoring and validation of deployed components can help detect and respond to security incidents in real time, further strengthening your organization’s defenses against potential threats.
A New ActiveState: Tackling Open Source Security Challenges Head-On
Having been with ActiveState for almost eight years, I’ve witnessed numerous versions of our product. One constant throughout this time has been our dedication to the open source community and businesses that incorporate open source in their code. ActiveState has spent over a decade assisting enterprises in managing open source. Initially, open source was quite new, and we primarily assisted developers by making open source accessible on platforms like Windows.
As time went on, our focus evolved from merely helping companies use open source to aiding enterprises in managing it, especially when the community wasn’t meeting their specific needs. We began handling large-scale builds and helping organizations understand their open source usage, ensuring compliance and safety. Managing open source within large enterprises can be intricate, which is why we’re launching our comprehensive platform to simplify open source DevSecOps practices.
The current landscape of open source and supply chain security is highly contentious. With the rise in open source usage, security issues have surged. Today, over 90% of applications incorporate open source components, making it central to software production. Consequently, it has become a primary target for cyberattacks. While such attacks are not new, their frequency has surged in recent years.