WhiteSource today announced it has extended the reach of its tool for scanning open source application code for vulnerabilities to include support for the Python programming language.
Jeffrey Martin, director of product for WhiteSource, said the company also plans to add support for other programming languages such as C++ to WhiteSource Prioritize shortly, with support for Go and Ruby to follow later this year.
Martin said the vulnerability tools provided by WhiteSource are unique in that they not only identify vulnerabilities but also determine whether a piece of code is making calls to the vulnerable portion of the open source component, or whether the vulnerability in question is reachable at all. That’s critical because it enables development teams and cybersecurity teams to better prioritize which vulnerabilities need to be addressed first, he said. In fact, recent research conducted by WhiteSource suggests only about 15% of Java open source vulnerabilities actually present enough of a risk to warrant urgent remediation.
Rather than presenting developers with a long list of vulnerabilities to remediate, cybersecurity teams can identify which vulnerabilities are of the most concern, said Martin, who noted that this capability can reduce the number of alerts generated by cybersecurity teams by as much as 85%. Just like cybersecurity professionals, developers can suffer from fatigue when more alerts are generated than they can effectively comprehend.
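As an added illustration of the call-level reasoning described above (this is not WhiteSource's code; the package, function and advisory names are all constructed), a toy Python triage that marks an advisory as urgent only when the application actually calls the affected function of the dependency:

```python
"""Toy reachability triage: a dependency advisory is urgent only if the application
actually calls the affected function. Added illustration, not WhiteSource's code;
every package, function and advisory name below is constructed."""
import ast

def called_qualnames(source):
    """Fully qualified names of functions called in `source`, with import aliases resolved."""
    tree = ast.parse(source)
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:  # `import x.y as z` binds z -> x.y; `import x.y` binds x -> x
                top = a.name.split(".")[0]
                aliases[a.asname or top] = a.name if a.asname else top
        elif isinstance(node, ast.ImportFrom) and node.module:  # relative imports skipped
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    calls = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            parts = ast.unparse(node.func).split(".")
            if all(p.isidentifier() for p in parts):  # skip e.g. open("f").read()
                calls.add(".".join([aliases.get(parts[0], parts[0]), *parts[1:]]))
    return calls

def triage(source, advisories, installed):
    """Map advisory id -> 'not installed' | 'present, unreachable' | 'reachable'."""
    calls = called_qualnames(source)
    verdicts = {}
    for package, affected_func, adv_id in advisories:
        if package not in installed:
            verdicts[adv_id] = "not installed"
        else:
            verdicts[adv_id] = "reachable" if affected_func in calls else "present, unreachable"
    return verdicts

# Constructed sample application and advisories (not real packages, functions or CVEs).
APP_SOURCE = """
import examplelib as xl
from examplelib.codec import decode_header as dh
data = xl.parse_untrusted(open("in.txt").read())
print(dh(data))
"""
ADVISORIES = [
    ("examplelib", "examplelib.parse_untrusted", "ADV-EXAMPLE-1"),     # called through alias
    ("examplelib", "examplelib.codec.encode_header", "ADV-EXAMPLE-2"), # installed, never called
    ("leftlib", "leftlib.load", "ADV-EXAMPLE-3"),                      # not installed at all
]
INSTALLED = {"examplelib"}
```

A real tool would follow calls through the dependency's own call graph rather than matching only direct calls from application code, which is why only `ADV-EXAMPLE-1` is flagged as reachable here.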
By providing that insight, the WhiteSource tools also serve to advance the adoption of best DevSecOps processes across the organization, he added.
As appreciation of the benefits of DevSecOps processes continues to rise, it’s apparent a chicken-and-egg relationship is emerging between the need for additional tools and the definition of best practices. Cybersecurity professionals have been regularly identifying vulnerabilities in need of remediation for years. However, in the absence of context, it’s difficult for developers to determine how much time to allocate to fixing vulnerabilities versus building new code. If cybersecurity teams can better prioritize vulnerabilities, the dialogue between developers and cybersecurity professionals will gain some much-needed context, said Martin.
Much like the transition to DevOps, the adoption of best DevSecOps practices will take time. However, rather than simply preaching about the benefits of DevSecOps, organizations clearly need to provide developers and cybersecurity teams with the tools required to put those principles into practice. After all, when it comes to driving cultural change within any organization, there’s no substitute for hands-on experience. In fact, cultural transitions that are driven from the bottom up by the rank and file of the IT organization almost always take hold faster than any mandate from on high could ever hope to achieve.