Open Source Software is a big crowdsourcing win – the developer community shares code and provides usage guidance and continued enhancements to this shared code. All new apps and modern build systems automatically pull thousands of these open source software (OSS) packages and libraries into your product, along with other third-party components and files.
The problem? Some members of the developer community can also be very casual about copying files, code snippets, binaries, or entire modules without reliably reporting them. Even if your developers are strict about reporting licenses, chances are they are using code that was casually copied and enhanced.
Scanning code is the only way to reliably discover what third-party content is in your code. This means a Software Composition Analysis platform has to scan every line of code across dependencies for license and security vulnerability information.
San Francisco considers open sourcing their voter software
Scanning is especially important in high-risk software – like a government voting system. It’s a concept that’s gaining wider attention nationwide given the allegations of vote tampering that arose during the last presidential election. San Francisco is exploring and could soon be the first state to institute an Open Source voting system and make source code available to everyone. Why? Because of the tremendous benefits provided by the open source community – faster release times, better quality of code, and no tie to a commercial vendor.
If they decide to move forward, how secure would you want this system to be? The answer is easy – as secure as possible. And the only way to get there is to scan for ALL evidence of vulnerabilities in both open and closed source software.
Comprehensive scan and analysis
If an open source voting platform is approved, developers will be working to make it as secure as possible. Third-party components should be investigated for quality and code design issues. The final application will pull in monolithic OSS libraries. But developers may also copy parts of the source code of well-known projects like OpenSSL, or algorithms from other publicly available components, without proper attribution or recording.
“Scanning for copied source code is necessary for all high-risk software,” says Jeff Luszcz, VP of Product Management at Flexera. “The risk of undetected code is too great – both from a licensing and vulnerability detection standpoint.”
You cannot determine OSS vulnerabilities and licenses for software you have not detected. Comprehensive scans detect any evidence of binaries, software packages, multimedia and code snippets in your products, and provide complete open source license and vulnerability data to your team. Knowledge and visibility into your code is your best defense.
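To show why manifest-only checks miss the pasted-in code described above, here is an added example (written for this page, not Flexera's product or any real SCA engine) that fingerprints source with the winnowing technique and reports what fraction of a known component survives in a product file. The component name, the "known OSS" function, both product files and the K/W tuning values are all constructed for the illustration.

```python
import hashlib
import re

K = 25  # k-gram length over normalized text (assumed tuning value)
W = 8   # winnowing window; any shared run of >= W+K-1 chars shares a fingerprint

def normalize(src: str) -> str:
    """Drop comments and whitespace so reformatting alone does not defeat the match."""
    return re.sub(r"\s+", "", re.sub(r"#.*", "", src))

def fingerprints(src: str) -> set:
    """Winnowing: hash every k-gram, keep the minimum hash of each window of W hashes."""
    text = normalize(src)
    hashes = [int(hashlib.sha1(text[i:i + K].encode()).hexdigest()[:16], 16)
              for i in range(len(text) - K + 1)]
    if len(hashes) <= W:
        return set(hashes)
    return {min(hashes[i:i + W]) for i in range(len(hashes) - W + 1)}

def scan(product_src: str, corpus: dict) -> dict:
    """For each known component, the fraction of its fingerprints present in the product."""
    product = fingerprints(product_src)
    report = {}
    for name, src in corpus.items():
        fp = fingerprints(src)
        report[name] = len(fp & product) / len(fp) if fp else 0.0
    return report

# Constructed sample corpus: one hypothetical "known OSS" function, not code from any real project
CORPUS = {"oss-checksum-1.0 (MIT)": """def checksum(data):
    acc = 0xFFFF
    for b in data:
        acc ^= b
        for _ in range(8):
            acc = (acc >> 1) ^ 0xA001 if acc & 1 else acc >> 1
    return acc & 0xFFFF"""}

# Constructed product file: that function pasted in with no manifest entry, plus unrelated code
PRODUCT_WITH_COPY = """import json
def checksum(data):  # pasted in, never recorded
    acc = 0xFFFF
    for b in data:
        acc ^= b
        for _ in range(8):
            acc = (acc >> 1) ^ 0xA001 if acc & 1 else acc >> 1
    return acc & 0xFFFF
def load(path):
    with open(path) as fh:
        return json.load(fh)"""
# Constructed product file with no copied code at all
PRODUCT_CLEAN = """import json\ndef load(path):\n    with open(path) as fh:\n        return json.load(fh)"""
```

A verbatim paste matches every fingerprint of the component; edits inside the copied region lower the ratio but leave the untouched runs matched, which is what lets the scan flag partially modified snippets.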