1. 1© 2019 Forrester. Reproduction Prohibited.
Amy DeMartine
Vice President, Research Director, Forrester
Jeff Crum
Senior Director of Product Marketing, WhiteSource

2. SCA Is Critical To
Secure Modern
Application
Development

3. 3
33% of firms
suffered a breach
as a result of an
external attack.
This is how.

4. 4
Agile And DevOps
Practices Increase
Release Speeds

5. 5© 2019 Forrester. Reproduction Prohibited.
Put Testing As Early In The SDLC As Possible
Source: “Use DevOps And Supply Chain Principles To Automate Application Delivery Governance” Forrester report.
SCA &
SAST
DAST or
IAST

6. 6
Push Remediation
Advice As Early In
The SDLC As
Possible
Source: “The State Of Application Security, 2019” Forrester report

7. Early testing + automation = results overload

8. 8
8© 2019 FORRESTER. REPRODUCTION PROHIBITED.
We Investigated
The Undergrad
Programs Of The 40
Best US Computer
Science Programs…

9. …none of the top 40 computer science
programs in the US require a class about
secure coding or secure application design.

10. None of the top five international schools for
computer science require a class on secure
coding.

11. You need prioritization and
autoremediation to fix
vulnerabilities.

12. 12
Prioritization
Limit what developers must act on before
they become overwhelmed
• Highest severity
• Proof of exploit
• Age
• Most used
• Estimated time to fix
• Most number of different versions

13. 13© 2019 Forrester. Reproduction Prohibited.
Autoremediation
Enable developers to easily create patches
themselves
• Automatically creates pull request with updated
manifest file
• Includes remediation for transient dependencies

14. 14
Top 5 features to
consider when
choosing an SCA
tool
1. Language coverage
2. Both license and
vulnerability identification
3. Integrations into CI/CD
pipeline
4. Prioritization
5. Autoremediation

15. The future of SCA….

16. 16
Key
Takeaways
Vulnerabilities are plaguing applications
Developers aren’t trained to understand
the risks of using vulnerable open source
components
Look for SCA tools that will not only cover
basic functionality but help developers
remediate the most important
vulnerabilities quickly
1
2
3

17. 17
Thank You.
Amy DeMartine
VP, Research Director
+1 617.613.8906
ademartine@forrester.com

18. The Agenda
18
▪ WhiteSource and the Forrester
Software Composition
Analysis (SCA) Wave Report
▪ Developers tools vs.
Governance tools
▪ The WhiteSource Solution

19. THE LEADER
OF SOFTWARE
COMPOSITION ANALYSIS
Founded in 2011.
Offices in NY, Boston,
London & Tel-Aviv
800+
Customers
Empowering over
1.2 M
developers
Supporting 23%
of Fortune 100
companies
Over 3x
YOY growth

20. Some of Our Customers

21. WhiteSource and the
Forrester SCA Wave Report

22. Prioritization CoverageRemediation
1 2 3

23. 1
Prioritization

24. Open Source Vulnerabilities Are On The RiseOpen Source Vulnerabilities Are On The Rise

25. DEVELOPERS ARE NOT EFFICIENTLY MANAGING
OPEN SOURCE VULNERABILITIES
How much time is spent?
hours/month
None
1 - 10 hours
11 - 20 hours
21 - 35 hours
36 - 60 hours
Over 60 hours
15
spent on average by every developer on
security vulnerabilities
Developers Are Investing Too Much Time On Vulnerabilities
Assessment and Remediation
3.8 hours/month
spent on security vulnerabilities remediation

26. EFFECTIVE
VULNERABILITY
INEFFECTIVE
VULNERABILITY
Vulnerability Effectiveness: a novel approach to prioritization
Prioritization Is Key To Saving Wasted Time On
Vulnerabilities Management

27. Vulnerability Effectiveness: a metaphor
Floor F2
Floor F1
Floor L
Floor F3
Vulnerable floor
The vulnerability is manifested in
Floor F3.
Entrance from the Floor L left door
Can potentially access that floor –
and the vulnerability.
The vulnerability is nonetheless
inaccessible from the right door
entrance.
Private func F1()
Private func L1()
Private func F2()
Private func F3_vuln()
Let’s look at a pseudocode example:
Proprietary1()
CAN reach the vulnerable code -
func_F3_vuln()
(via direct or transitive calls)
Private func F1_A()
Private func L1_A()
Let’s examine again from a
pseudocode perspective:
Proprietary2()
CANNOT reach the vulnerable code
func_F3_vuln()
If a person uses an
entrance that even
potentially can lead to a
reported vulnerability in
the building, that person
is at risk.
If a person only uses an
entrance that even
potentially does not lead
to a reported vulnerability
in the building, that
person is not at risk.
Public func os1()
func Proprietary1()
Public func os2()
func Proprietary2()
Prioritization Is Key To Saving Wasted Time On
Vulnerabilities Management

28. 2
Remediation

29. 98% of all reported vulnerabilities have at least one fix offered by the
community. So why not use it?
We provide links to all suggested patches, new source files, version etc.
Top Fixes Offered by the Community
Initiate workflows automatically once a vulnerability is detected to close
the loop with your development team.
Integrate your SCA with your bug trackers to assign remediation task to
the developers in real-time and track time to fix.
Initiating Remediation Workflow Automatically

30. Automate Open Source Vulnerability Remediation

31. 3
Coverage

32. Supporting All
Languages
Detecting All
Reported
Vulnerabilities
Covering All
Relevant
Environments
Cater All Groups
In Your Org

33. Developers tools vs. Governance tools

34. Governance solutions Developers tools
▪ Used by Management, Security teams,
DevOps, Legal teams
▪ Used by Developers
Both Teams Need Security Tools

35. Governance solutions Developers tools
But They Have Different Requirements…
▪ Visibility and control
▪ Reports, prioritization and
policy enforcement
▪ Information on issues and
remediation support
▪ Integration with dev tools,
real-time alerts and
remediation insights

36. The WhiteSource Solution

37. Detection
Real Time Alerts
Automated Policies
Advanced Reporting
Prioritization
CONTAINERPRIORITIZE

38. IDE Integration
RemediateBrowser Integration
Repo Integration

39. WhiteSource Product Portfolio
PLAN CODE BUILD MAINT.DEPLOY

40. IDE
Selection
Post Deployment
Repository
BuildDeployment
WITH YOU EVERY
STEP OF THE
WAY

41. Supporting over 200
programming languages.
All environments. All groups,
complete solution.
COVERAGEPRIORITIZATION
We help you focus on what
matters with vulnerabilities
prioritization and no false
positives.
REMEDIATION
We not only alert, but also
provide actionable, validated
remediation tools to enable quick
resolution.
41
What Sets Us Apart?

42. Thank You!