18. 80% of the Code Base is Open Source Components
Share of the code base that is open source vs. proprietary, by year:
1998: 5%-10% open source
2008: 30%-50% open source
2016: 60%-80% open source
Source: North Bridge Future Of Open Source Survey
19. Number of Reported Open Source Vulnerabilities Grew by 51.2% in 2017
Source: WhiteSource Annual Report
20. Risk is Pronounced with Popular Projects
Top 10 Vulnerable Open Source Projects Based on Number of Vulnerabilities
Source: WhiteSource Annual Report
21. Open Source Security Cost is Rising
Developers spend almost 15 hours per month on open source security vulnerabilities, on average.
Hours per month spent on open source security vulnerabilities (share of developers):
None: 1.3%
1-10 hours: 25.4%
11-20 hours: 29.8%
20-35 hours: 26.1%
36-60 hours: 13.3%
Over 60 hours: 4.1%
Source: WhiteSource Annual Report
Consider this: over 40% spend >20 hours per month.
22. Open Source Security Cost is Rising
Developers spend almost 15 hours per month on open source security vulnerabilities, on average.
Why is that so? Lacking tools and practices for practical prioritization.
Source: WhiteSource Annual Report
Over 40% spend >20 hours per month.
23. The Common Way of Handling Security Vulnerabilities
Security teams analyze and prioritize vulnerabilities.
Sending emails or opening issues/tickets.
Closing the loop on resolution is hard.
27. WhiteSource Software Confidential
Reported Vulnerabilities vs. Effective Vulnerabilities
Reported Vulnerabilities: Can you really handle all of them? Which ones constitute a real risk? Which ones should be addressed first?
Effective Vulnerabilities: Less to deal with. Much less.
Focusing on Effective Vulnerabilities Could Enable:
Better development efficiency
Better development effectiveness
Better security
The Secret to Prioritization:
Reported Vulnerabilities Are Not Necessarily EFFECTIVE
28. Only some of the reported security vulnerabilities in open source libraries are effectively referenced by developer code.
Ineffective vs. Effective Vulnerabilities
Ineffective: 70%
Effective: 30%
29. Ineffective vs. Effective Vulnerabilities
A modern approach to prioritize security vulnerabilities should be based on effective impact.
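The reported-vs-effective distinction on slides 27 to 29, as an added example that is not from the WhiteSource deck: a package-level scan flags every advisory for a library in the dependency tree, while a call-graph reachability check keeps only the advisories whose vulnerable function the application can actually reach. The call graph, library names and advisory ids are constructed placeholders.

```python
from collections import deque

# Constructed call graph (caller -> callees) spanning application code and
# three hypothetical libraries; every name here is a placeholder.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.render_report"],
    "app.handle_upload": ["libarchive.extract"],
    "app.render_report": ["libtemplate.render"],
    "libarchive.extract": ["libarchive.read_header", "libarchive.unpack"],
    "libarchive.read_header": [],
    "libarchive.unpack": ["libcompress.inflate"],
    "libcompress.inflate": [],
    "libcompress.deflate": [],          # shipped, but never called by app code
    "libtemplate.render": ["libtemplate.escape"],
    "libtemplate.escape": [],
    "libtemplate.eval_expr": [],        # shipped, but never called by app code
}
# Libraries present in the dependency tree (what a package-level scanner sees).
DEPENDENCIES = {"libarchive", "libcompress", "libtemplate"}
# Constructed advisories: placeholder id -> (library, vulnerable function).
ADVISORIES = {
    "ADV-0001": ("libcompress", "libcompress.inflate"),
    "ADV-0002": ("libcompress", "libcompress.deflate"),
    "ADV-0003": ("libtemplate", "libtemplate.eval_expr"),
    "ADV-0004": ("libarchive", "libarchive.read_header"),
}

def reported(advisories, dependencies):
    """Package-level view: every advisory whose library is installed."""
    return sorted(a for a, (lib, _) in advisories.items() if lib in dependencies)

def reachable(call_graph, entry_points):
    """Breadth-first walk of the call graph from the application's entry points."""
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        for callee in call_graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def classify(call_graph, advisories, entry_points):
    """Split advisories into (effective, ineffective): an advisory is effective
    only if its vulnerable function is reachable from application code."""
    reach = reachable(call_graph, entry_points)
    effective = sorted(a for a, (_, fn) in advisories.items() if fn in reach)
    ineffective = sorted(a for a in advisories if a not in effective)
    return effective, ineffective
```

A static call graph misses reflective or dynamically loaded calls, so the "ineffective" set marks lower priority rather than absence of risk.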