Lineaje has added an Open Source Manager (OSM) that leverages artificial intelligence (AI) to help DevOps teams better prioritize their remediation efforts.
OSM builds on the existing Lineaje AI with BOMbots tool, which analyzes software bills of materials (SBOMs) to identify dependencies and surface remediation recommendations for open source software issues across the software supply chain. OSM adds a module that centralizes workflow management, enabling DevOps teams to apply rules that restrict which open source components can be used based on their IT organization’s policies.
Nick Mistry, senior vice president and CISO for Lineaje, explained that in many instances an organization has no means of remediating a vulnerability because no patch exists. The best that can be done is to alert the open source project’s maintainers in the hope that they will provide a patch, or to pass the guidance along to a third party to address the issue.
However, DevSecOps teams still need to identify when patches are available, especially if an issue stems from a known vulnerability that has already been remediated. In many cases, organizations run older versions of software with known vulnerabilities that were subsequently fixed in a later update. In other instances, DevOps teams may just as easily discover that the vulnerability is not manifesting itself in software exposed to the Internet, noted Mistry.
The goal is to reduce the mean time to protect (MTTP) when vulnerabilities are found in open source software across a spectrum of risk levels, Mistry added. That capability also serves to reduce the total cost of maintaining open source software by surfacing issues involving licenses, code quality, security posture, maintainability, age, supplier and provenance.
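One way to express the policy gating and patch-availability triage described above, as an added Python example that is not Lineaje's code: it reads a constructed CycloneDX-style SBOM, applies a hypothetical license and deny-list policy, and compares each component's version against a constructed advisory feed, distinguishing "a fix exists, upgrade" from "no patch exists, monitor upstream" and "already fixed". All component names, advisory ids and versions are made up.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment; the component names and versions are made up.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "libfoo", "version": "1.2.3", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "libbar", "version": "0.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "libbaz", "version": "2.1.0", "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ]
}"""
# Hypothetical organizational policy: acceptable licenses and banned components.
POLICY = {"allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"}, "denied_components": {"libbaz"}}
# Constructed advisory feed (placeholder ids). fixed_in=None means no upstream patch exists yet.
ADVISORIES = {
    "libfoo": {"id": "EXAMPLE-ADV-0001", "fixed_in": "1.2.5"},
    "libbar": {"id": "EXAMPLE-ADV-0002", "fixed_in": None},
    "libbaz": {"id": "EXAMPLE-ADV-0003", "fixed_in": "2.0.0"},
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version to a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def evaluate_sbom(sbom_json: str, policy: Dict, advisories: Dict) -> List[Dict]:
    """Return one finding per policy violation or actionable vulnerability."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name, version = comp["name"], comp["version"]
        licenses = {lic["license"].get("id") for lic in comp.get("licenses", [])}
        if name in policy["denied_components"]:
            findings.append({"component": name, "kind": "denied", "action": "remove or request an exception"})
        disallowed = licenses - policy["allowed_licenses"]
        if disallowed:
            findings.append({"component": name, "kind": "license", "action": f"review {sorted(disallowed)}"})
        adv = advisories.get(name)
        if adv is None:
            continue
        if adv["fixed_in"] is None:
            # No patch exists: nothing to upgrade to, so track the upstream project instead.
            findings.append({"component": name, "kind": "unpatched", "advisory": adv["id"], "action": "monitor upstream"})
        elif parse_version(version) < parse_version(adv["fixed_in"]):
            findings.append({"component": name, "kind": "vulnerable", "advisory": adv["id"],
                             "action": f"upgrade {version} -> {adv['fixed_in']}"})
        # else: the running version already contains the fix, so no finding is raised
    return findings

if __name__ == "__main__":
    for finding in evaluate_sbom(SBOM_JSON, POLICY, ADVISORIES):
        print(finding)
```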
DevOps teams can model the potential impact of an upgrade using the Lineaje AI with the BOMbots tool. In addition, fingerprinting capabilities can be applied to make identifying components with suspicious and unknown origins easier. DevSecOps teams could identify open source software projects that are not being well maintained, noted Mistry.
While open source software security issues are a major concern, most organizations are not going to reduce their reliance on these components. Just about every packaged or custom application has at least one open source component. The pace at which modern applications are being built would not be sustainable if it were not for all the reusable open source components that have been made available.
The challenge now is securing the software supply chains that organizations rely on to build applications using those components, at a time when governments around the world are starting to hold organizations more accountable for the security of the applications being deployed. OSM, in effect, is designed to enable organizations to achieve continuous compliance with those regulations, said Mistry.
Regardless of motivation, more organizations than ever are clearly focused on securing open source software. The only thing that remains to be determined is how quickly that goal can be achieved before one or more known vulnerabilities lead to a catastrophic breach.