Harden Open Source Security with Meterian and ArmorCode
Open-source software is a pervasive and integral component of modern software development. Organizations leverage open source to accelerate delivery, reduce costs, and gain access to well-tested, community-maintained code. However, the proliferation of vulnerabilities in open-source libraries makes them an attractive target for attackers. With attacks on open-source vulnerabilities increasing, companies must continuously monitor the significant portion of their codebase that originates from open-source projects.
This need for continuous security measures, such as daily scans, creates challenges of scale and complexity. Security teams and developers must rapidly identify, prioritize, and respond to open-source vulnerabilities across diverse application portfolios. And while open source components comprise much of the codebase, that is only one category of vulnerability affecting security posture. Integrating Meterian’s comprehensive software composition analysis (SCA) solution into ArmorCode’s AI-powered application security posture management (ASPM) platform unifies visibility into vulnerabilities across the software ecosystem to correlate findings and enable a risk-based approach.
Understand Open-Source Risks and The Importance of Addressing Them
Secure and responsible use of open-source software requires a proactive approach. With the increasing adoption of open source and the frequency of attacks, companies cannot just rely on periodic pen testing or even periodic scanning. The nature of open-source vulnerabilities means applications that seem secure today may contain latent vulnerabilities that could make them readily exploitable tomorrow.
Checking open-source components in software development is crucial to address the following risks:
Security risks
The code of open-source components is publicly available and a natural target for hackers. Over 50 new vulnerabilities are discovered in open-source components every day, and if not identified and managed, these vulnerabilities can be exploited in dependent applications leading to security breaches.
There are countless examples of this including these well-known ones:
- The Sony Pictures hack (2014), due to the OpenSSL Heartbleed bug (CVE-2014-0160)
- The Equifax Data Breach (2017), due to the Apache Struts library (CVE-2017-5638)
- The iCloud and Minecraft hack (2021), due to the Log4j vulnerability (CVE-2021-44228)
All these hacks were performed by exploiting a vulnerability in an open-source component, not the proprietary code written by the respective developers at Sony, Equifax, or Minecraft. These open-source vulnerabilities are pervasive. Across all ecosystems, more than 100,000 vulnerabilities affecting open-source components are recorded.
License and compliance risk
Open-source components come with various licenses, each with specific requirements and restrictions. Failing to comply with these licenses can lead to legal issues, including copyright infringement claims. For example, TruthSocial was found to be in breach of an OSS license and had to disclose its source code publicly. Tesla and BMW ran into similar fates, while Westinghouse Digital Electronics preferred bankruptcy.
Quality and reliability risk
The quality of open-source software varies widely. While open-source software can be of high quality, components are often abandoned or poorly maintained. When a component is not maintained, any problem found in it (security or otherwise) is unlikely to be fixed. Relying on such components poses risks to an application’s stability, performance, and reliability.
Ensure the Integrity of Open Source with Meterian
Meterian offers a comprehensive solution with in-depth analysis and automation to effectively manage open-source and third-party libraries throughout the software development lifecycle. Meterian enables organizations to identify and mitigate vulnerabilities, ensure compliance with relevant regulations and standards, and maintain a high level of software quality with the following features:
Broad ecosystem support
Meterian supports a wide range of languages and ecosystems to secure application portfolios with diverse languages and frameworks from legacy technologies like Perl, data science applications using Jupyter Notebooks, ultra-fast microservices with Rust, and more.
On-premises or dedicated cloud deployment
In the SaaS industry, the requirement for a dedicated single-tenant instance or an on-premises installation may be driven by specific business needs, such as tight security, data sovereignty, and geo-location considerations. Meterian accommodates these requirements and can provide a single-tenant environment, either on-cloud or on-prem, and offers a range of air-gapped solutions for highly secure environments.
Comprehensive vulnerability database
Meterian delivers a broad vulnerability database updated daily through a fully automated system that integrates numerous OSINT sources and Meterian's specially curated databases, including AI-generated advisories directly from the analysis of open-source repositories. This automated process outpaces manual entry methods, ensuring faster and more efficient updates.
Reduce Open Source Risk as Part of a Complete ASPM Solution with ArmorCode
Integrating Meterian into ArmorCode’s AI-powered ASPM platform addresses the multifaceted risks associated with open-source software by offering a holistic and streamlined approach. This integration not only unifies visibility but also optimizes and streamlines prioritization and remediation efforts to reduce risk across the entire application ecosystem and lifecycle. Here’s how this powerful combination mitigates open-source risks:
Unify Visibility
ArmorCode’s ASPM platform provides a unified view across the entire application ecosystem and lifecycle from threat modeling, source code, and software composition analysis during development to dynamic analysis and testing of cloud configurations and on-premise infrastructure for deployed applications. This provides a full picture of application security posture and risk.
Manage the Scale and Complexity of Continuous Testing and DevSecOps
One of the challenges in continuous testing and DevSecOps is distilling scan data into new and confirmed findings. The ASPM platform deduplicates scan results from Meterian, eliminating unnecessary repetitions and ensuring that each vulnerability is reported only once. This reduces noise and helps focus on genuine issues. ArmorCode also leverages machine learning models to correlate data from multiple sources providing a contextual understanding of vulnerabilities and root causes.
Prioritize Risk from Open Source Vulnerabilities
Not all vulnerabilities pose the same level of risk, and security teams often struggle to triage vulnerabilities from different sources, for example prioritizing an open-source vulnerability from a Meterian scan against a manual pen test finding of an API with broken authentication. ArmorCode’s risk scoring delivers a normalized, numerical risk assessment for each finding based on relevant variables like exploit probability, technical severity, and business impact. This enables organizations to systematically triage issues from diverse security tools.
Automate and Accelerate Remediation of Open Source Vulnerabilities
Integrating Meterian in ArmorCode enables organizations to automate and streamline the remediation process, shortening the lifecycle of high-risk open-source vulnerabilities. For example, ArmorCode Runbooks can automatically notify owners and create tickets with a defined SLA when new issues above a defined risk threshold are found. Correlated and related issues can also be grouped into single tickets to reduce remediation tasks, and AI remediation guidance helps resolve issues faster.
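As an added illustration of the deduplicate, score and ticket-above-threshold workflow described in the three sections above, here is a simplified Python model. It is not ArmorCode's or Meterian's code; the finding shape, severity weights, business-impact values and the scoring formula are assumptions, and the sample findings are constructed.

```python
# Constructed sample findings in a simplified shape (assumed, not Meterian's real export format).
# The first two records are the same finding reported by two daily scans.
RAW_FINDINGS = [
    {"source": "meterian", "project": "payments-api", "package": "log4j-core", "version": "2.14.1",
     "cve": "CVE-2021-44228", "severity": "critical", "exploit_probability": 0.97},
    {"source": "meterian", "project": "payments-api", "package": "log4j-core", "version": "2.14.1",
     "cve": "CVE-2021-44228", "severity": "critical", "exploit_probability": 0.97},
    {"source": "meterian", "project": "internal-tool", "package": "struts2-core", "version": "2.3.31",
     "cve": "CVE-2017-5638", "severity": "critical", "exploit_probability": 0.95},
    {"source": "pentest", "project": "payments-api", "title": "Broken authentication on /v1/refunds",
     "severity": "high", "exploit_probability": 0.6},
]

# Assumed per-application business impact (0-1) and severity weights; an ASPM platform
# would source these from asset inventory and a normalized severity scale.
BUSINESS_IMPACT = {"payments-api": 1.0, "internal-tool": 0.4}
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.2}


def finding_key(f):
    """Identity used for deduplication: SCA findings by project+package+version+CVE,
    pentest findings by project+title (assumed key choice)."""
    if f["source"] == "meterian":
        return (f["source"], f["project"], f["package"], f["version"], f["cve"])
    return (f["source"], f["project"], f["title"])


def deduplicate(findings):
    """Keep the first occurrence of each finding so repeated scans report it once."""
    unique = {}
    for f in findings:
        unique.setdefault(finding_key(f), f)
    return list(unique.values())


def risk_score(f):
    """Normalized 0-100 score = severity weight * exploit probability * business impact
    (a simplified stand-in for a real risk model)."""
    impact = BUSINESS_IMPACT.get(f["project"], 0.5)
    return round(100 * SEVERITY_WEIGHT[f["severity"]] * f["exploit_probability"] * impact, 1)


def triage(findings, ticket_threshold=70.0):
    """Return findings ranked by risk and the subset that should open a ticket."""
    ranked = sorted(deduplicate(findings), key=risk_score, reverse=True)
    tickets = [f for f in ranked if risk_score(f) >= ticket_threshold]
    return ranked, tickets
```

With these assumptions the duplicated Log4j finding collapses to one entry scoring 97.0 and is the only one above the 70.0 ticket threshold, while the Struts finding in the low-impact internal tool ranks below the pentest finding despite its critical severity.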
Manage open-source exceptions and leverage dashboards for reporting and governance
Effective management of open-source risks involves not only identifying and mitigating vulnerabilities but also handling exceptions and maintaining robust reporting and governance practices. ArmorCode allows security teams to document and manage exceptions when immediate remediation is not possible, ensuring these vulnerabilities remain tracked and managed. Customizable and dynamic dashboards and widgets also enable in-depth, real-time analysis of security data to measure and enforce compliance with policies and to communicate risk to stakeholders.
By integrating Meterian’s comprehensive open-source security capabilities with ArmorCode’s robust ASPM platform, organizations can reduce risks from open-source vulnerabilities with a proactive approach that reduces security team and developer workloads rather than disrupting development velocity.
Getting Started
The integration of Meterian into ArmorCode’s ASPM platform provides a seamless solution to ingest SCA scan findings from Meterian into the ASPM platform for unified visibility, risk-based prioritization, and optimization of remediation efforts. To get started:
- Generate an API Token from Meterian
- Navigate to Security Tools in the ArmorCode Platform
- Select Meterian
- Add a configuration with the API token generated from your Meterian account
- Map Meterian projects to ArmorCode
Open-source software is essential in modern development, providing speed, cost savings, and community-driven code. However, its use comes with inherent risks. The integration of Meterian SCA with ArmorCode’s AI-powered application security posture management (ASPM) platform streamlines a proactive approach, making it possible to confidently leverage open-source software while maintaining robust security.