- WhiteSource identifies open source components in a company's tech stack and the vulnerabilities and issues they carry.
- WhiteSource research shows that only 15% to 30% of vulnerabilities are effective.
Introduction:
WhiteSource identifies the open source components in a company's tech stack, identifies and prioritizes their vulnerabilities, and issues real-time alerts on the genuine risks it detects. The company was founded in 2011 for this specific purpose.
“In order to mitigate open source risks, it’s essential to remediate open source vulnerabilities as soon as they are discovered,” WhiteSource CEO and co-founder Rami Sass said. “However, in most cases, it’s impractical to fix all vulnerabilities, and some require major development work. WhiteSource research shows that only 15% to 30% of vulnerabilities are effective — the majority of open source vulnerabilities are not called by the proprietary code.”
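As an added illustration of the "effective vulnerability" distinction (not WhiteSource's own code), here is a toy reachability check in Python: an advisory is labelled effective only when the vulnerable function is actually called from the application's own source, resolving import aliases along the way. The advisory feed, package names and application code are all constructed placeholders.

```python
import ast

# Constructed advisory feed: package -> (advisory id, vulnerable symbol). Placeholders, not real advisories.
ADVISORIES = {
    "yamlkit": [("ADV-EXAMPLE-001", "yamlkit.load")],
    "imgtool": [("ADV-EXAMPLE-002", "imgtool.resize")],
    "leftpad": [("ADV-EXAMPLE-003", "leftpad.pad")],
}

def _dotted(node):
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        parent = _dotted(node.value)
        return f"{parent}.{node.attr}" if parent else None
    return None  # computed targets (subscripts, lambdas) are not resolved here

def called_symbols(source):
    """Fully qualified names of every function the application source calls."""
    tree = ast.parse(source)
    aliases = {}  # local name -> fully qualified imported name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                aliases[a.asname or a.name] = a.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    calls = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and (name := _dotted(node.func)):
            head, _, rest = name.partition(".")
            base = aliases.get(head, head)  # map alias back to the real module/function
            calls.add(f"{base}.{rest}" if rest else base)
    return calls

def classify(manifest, source):
    """Label each advisory for a declared dependency 'effective' or 'not reached'."""
    reached = called_symbols(source)
    return {adv: ("effective" if sym in reached else "not reached")
            for pkg in manifest for adv, sym in ADVISORIES.get(pkg, [])}

# Constructed application code: three vulnerable dependencies declared, two actually exercised.
APP_SOURCE = """
import yamlkit as y
from imgtool import thumbnail   # the vulnerable resize() is never imported or called
import leftpad
cfg = y.load(open("cfg.yml"))
leftpad.pad("x", 4)
"""
```

Running `classify(["yamlkit", "imgtool", "leftpad"], APP_SOURCE)` reports two of the three advisories as effective, the same prioritisation idea the quote describes.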
Open sourced:
There is a strong case for the oft-repeated mantra that open source has eaten the world. The major tech companies not only use open source software but also contribute to its communities and even open-source their internal tools. Most modern software relies on open source components because doing so saves the companies that build it the time and resources of developing and maintaining everything themselves.
Recently, an IBM-commissioned study, The Value of Open Source in the Cloud Era, noted that most respondents use open source software in some aspect of their operations, and in its recent State of Enterprise Open Source report, Red Hat found that 90% of organizations use enterprise open source, up from 89% last year.
“We certainly have noticed the trend as well,” Sass said. “Over the past three years, we have seen the number of our enterprise customers triple and seen our revenue grow by 800%, underscoring the enormous demand by organizations developing software to effectively manage their use of open source components. In our view, the current pace of enterprise software development, using modern application architecture like microservices and containers, is only sustainable through a high level of reliance on open source.”
Integrated:
In its recent State of Software Security: Open Source Edition report, application security company Veracode found that open source libraries are both ubiquitous and risky: about 70% of applications contain a security flaw in an open source library. WhiteSource rival Sonatype reported a 430% surge in cyberattacks aimed at “infiltration of open source software supply chains”. A joint report by WhiteSource and the Ponemon Institute found that “more than 70% of enterprise application portfolios have become more vulnerable to attack in the past year”.
“There are a number of reasons for the increase of vulnerability in enterprise applications,” Sass explained. “A misalignment between risk levels and the level of annual spending across different protection layers. The gap is most evident in the application layer, where the percentage of allocated budget is significantly lower compared with the perceived level of risk.”
Sass also cites the lack of a formal approach to securing the software development life cycle and limited collaboration between development and security teams as basic reasons why enterprise applications are becoming more vulnerable. Matters have been compounded by faster software release cycles: developers are expected to ship more code, faster, leaving companies to strike a delicate balance between security and speed.
Developers can integrate WhiteSource with popular development environments, including IDEs, so they can see immediately whether an open source component has known security vulnerabilities before they open a pull request. The company offers four core plans with incrementally more features: Free; Essentials, at $2,400 per year; Teams, at $10,000 per year; and Enterprise, which starts at $28,000 per year.
The platform includes a dashboard that gives an overview of an organization's open source dependencies and license risk, among other data points. Users can drill down into specific vulnerabilities to check whether they apply and how they can be addressed. Although open source software is generally free for developers to use, its licenses impose restrictions on how third parties are allowed to use it, and WhiteSource can also help companies adhere to their existing licensing policies.
Beyond SCA:
Other notable players in the space, commonly referred to as software composition analysis (SCA), include Black Duck, which Synopsys bought for $547M in 2027; Sonatype, acquired by Vista Equity Partners in 2019; and Snyk, which closed a $300M round at a $4.7 billion valuation.
Security teams can manually review and approve every open source component in their tech stack, but that is a lengthy and never-ending process of testing and checking. “Sometimes, information security teams may enforce open source security standards and block components from use, without consideration for the implication on development teams,” Sass said. “Other times, developers would use their own tools to detect and avoid open source vulnerabilities, and manage the findings using spreadsheets, with limited visibility to other teams or external auditors.”
Prior to this, WhiteSource had raised $46 million, including a Series C round in 2018. With the latest $75 million cash injection, which drew in existing investors Microsoft M12, 83North and Susquehanna Growth Equity, WhiteSource is gearing up to broaden its reach beyond the SCA sphere into the wider application security testing space. Pitango Growth led the round.
“This will go beyond detection to offer prioritization and auto-remediation of open source vulnerabilities to cover all threats and all application attack vectors,” Sass said. “Our vision is not limited to open-source code, and we will announce more exciting developments in the near future.”