- The WhiteSource Priority Scoring technology enables users to assign novel metrics to different products and projects
- As open source adoption increases, the number of known security vulnerabilities in it continues to grow every year
WhiteSource has announced the release of its Priority Score technology to help organisations determine which security vulnerabilities pose the greatest risk, and which ones demand their most immediate attention. The WhiteSource Priority Scoring technology enables users to assign novel metrics to different products and projects, such as business impact. Based on users’ preconfiguration, a priority score between 0 and 100 is then attributed to entities within their system per library or vulnerability. Security teams can then make informed decisions on the order and urgency of remediation required.
Shiri Arad Ivtsan, Director of Product Management at WhiteSource, said, “Security risks to financial systems have grown in recent years. Vulnerabilities or malicious packages targeting financial institutions are becoming more frequent, sophisticated, and destructive. When a specific application provides access to financial data or Personally Identifiable Information, its security is considered a higher priority to handle. The WhiteSource Priority Scoring lets organizations put their DevSecOps on autopilot, and accelerate software product delivery at scale.”
As open source adoption increases, the number of known security vulnerabilities in it continues to grow every year. Software development and application security teams are increasingly relying on vulnerability detection tools throughout the development process. As a result, teams are often overwhelmed by the steady stream of security alerts that must be addressed. Indeed, in most cases it’s impractical to fix all vulnerabilities, and some require major development work. WhiteSource said its research shows that only 15 per cent to 30 per cent of open-source vulnerabilities are effective; in the majority of cases the vulnerable methods are never called by the proprietary code.
Effective open source security vulnerability alerts
WhiteSource said, “Once vulnerabilities are detected, teams need to find a way to prioritise them. How can development and security teams make sure they are not wasting valuable time fixing security issues that are not their biggest threat? WhiteSource research results showed that prioritizing open source vulnerabilities based on their analysed effectiveness helped beta customers reduce the number of effective open source security vulnerability alerts by a substantial 85 per cent, saving organisations a monthly average of 10 hours per developer.”
Some of the parameters taken into consideration by the WhiteSource Priority Scoring algorithm include the CVSS score (vulnerability severity), whether the proprietary code makes calls to the vulnerable method (effectiveness), availability of a fix, ease of remediation, and malicious package probability.
Business impact is preconfigured by the user for each product and project, taking into account factors such as Personally Identifiable Information (PII) or finance data that the application exposes to anyone who manages to exploit it. Applications or products containing this type of information carry a higher risk when they are exploited, hence a higher business impact.
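To make the inputs above concrete, here is an added Python example, not WhiteSource's code or its actual algorithm, that combines the listed parameters (CVSS severity, reachability of the vulnerable method, fix availability, remediation effort, malicious package probability and the user-preconfigured business impact) into a 0 to 100 score and ranks a handful of findings. The weights, effort factors, finding identifiers and sample findings are all assumed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One vulnerability or package finding for a given product (constructed)."""
    finding_id: str
    library: str
    cvss: float                 # CVSS base score, 0-10 (0 when no CVE applies)
    reachable: bool             # proprietary code calls the vulnerable method
    fix_available: bool         # a fixed version of the library exists
    remediation_effort: str     # "patch" | "minor" | "major" (assumed buckets)
    malicious_probability: float  # 0-1, likelihood the package itself is malicious
    business_impact: int        # 0-100, preconfigured per product (PII, finance data)

# Assumed effort factors: easy remediations are nudged to the front of the queue.
EFFORT_FACTOR = {"patch": 1.0, "minor": 0.8, "major": 0.6}

def priority_score(f: Finding) -> int:
    """Assumed scoring formula; returns an integer priority in 0..100."""
    severity = max(0.0, min(f.cvss, 10.0)) / 10.0
    # Effectiveness: unreachable methods are heavily down-weighted but not zeroed,
    # since static call-graph analysis can miss reflection and dynamic dispatch.
    effectiveness = 1.0 if f.reachable else 0.2
    impact = max(0, min(f.business_impact, 100)) / 100.0
    # A likely-malicious package is a risk even with no CVE attached, so the
    # malicious probability competes with the CVSS-derived risk rather than adding to it.
    base_risk = max(severity * effectiveness, f.malicious_probability)
    # Business impact scales the base risk between 60% and 100% of its value.
    risk = base_risk * (0.6 + 0.4 * impact)
    # Actionability: a finding with no fix available gets a fixed mid factor.
    actionability = EFFORT_FACTOR[f.remediation_effort] if f.fix_available else 0.5
    score = round(100 * risk * (0.7 + 0.3 * actionability))
    return max(0, min(score, 100))

def prioritize(findings: list[Finding]) -> list[tuple[str, int]]:
    """Return (finding_id, score) pairs, highest priority first."""
    scored = [(f.finding_id, priority_score(f)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample findings; identifiers are placeholders, not real CVEs or packages.
SAMPLE_FINDINGS = [
    # Critical CVSS, but the vulnerable method is never called and the app holds no sensitive data.
    Finding("EXAMPLE-A", "example-parser", 9.8, False, True, "patch", 0.0, 20),
    # Medium CVSS, reachable, in a product that exposes PII.
    Finding("EXAMPLE-B", "example-web-framework", 6.5, True, True, "minor", 0.0, 90),
    # No CVE at all, but a high probability the package is malicious (e.g. a typosquat).
    Finding("EXAMPLE-C", "example-typosquat", 0.0, True, True, "patch", 0.9, 90),
    # High CVSS, reachable, no fix available yet and a major rewrite to work around.
    Finding("EXAMPLE-D", "example-crypto-lib", 7.5, True, False, "major", 0.0, 50),
]

if __name__ == "__main__":
    for finding_id, score in prioritize(SAMPLE_FINDINGS):
        print(f"{finding_id}: {score}")
```

Running it ranks the likely-malicious package first and the critical-but-unreachable finding in the low-impact product last, which is the behaviour the article describes: severity alone is not what decides the order of remediation.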