Open source software and code snippets: the benefits, the pitfalls, and how to use FOSSID tools to manage compliance and mitigate risks.
Nowadays, software developers are as likely to write their own code as they are to re-use existing code. This re-use comes in two forms: entire open source components or code snippets (i.e. copying a varying number of lines from an open source component or other publicly available sources).
This results in quicker development cycles and better software, but it presents added risk. Identifying and mitigating these risks starts with detecting the open source code present in your applications. While open source components as a whole are easier to detect, code snippets pose a considerable challenge that requires advanced tooling and expertise.
Code snippet detection is even more critical when it comes to security vulnerability management. Traditional Software Composition Analysis (SCA) tools identify the open source components and versions present in the scanned code and correlate them with known vulnerability lists from public repositories (most commonly the National Vulnerability Database, NVD). However, a known vulnerability (CVE) often concerns only a few lines of code (a snippet) within a whole open source project. For that reason, searching for known vulnerable code snippets is a much more accurate way to detect security vulnerabilities than matching on component names and versions alone.
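To make the contrast concrete, here is an added toy example (not FOSSID code) that puts a component-level lookup next to a snippet-level fingerprint match. The library name, version, advisory id and all source fragments are constructed placeholders; the vendored copy has the fix backported while still reporting the vulnerable version, and the pasted copy appears in a module that no manifest declares.

```python
import hashlib
import re

# Component inventory (constructed): (name, version) -> advisory id placeholder.
ADVISORIES = {("examplelib", "1.2.0"): "EXAMPLE-ADVISORY-0001"}
# The few lines the advisory actually concerns (constructed vulnerable function).
VULNERABLE_LINES = """
def parse_header(buf):
    length = buf[0]
    flags = buf[1]
    payload = buf[2:2 + length]
    return flags, payload
"""
# Scenario A: vendored examplelib 1.2.0 with the fix backported locally.
PATCHED_VENDORED = """
def parse_header(buf):
    length = buf[0]
    if 2 + length > len(buf):
        raise ValueError("truncated header")
    flags = buf[1]
    payload = buf[2:2 + length]
    return flags, payload
"""
# Scenario B: the vulnerable lines pasted into an unrelated module; no manifest entry.
COPIED_SNIPPET = """
# helper copied from a forum post
def parse_header(buf):
  length  = buf[0]
  flags = buf[1]
  payload = buf[2:2 + length]
  return flags, payload
"""

def fingerprints(src, k=2):
    """Hash every window of k consecutive normalized lines. Normalization drops
    blank and comment-only lines and collapses whitespace, so re-indenting the
    copy does not defeat the match (naive: a '#' inside a string is cut too)."""
    lines = [re.sub(r"\s+", " ", ln.split("#", 1)[0]).strip() for ln in src.splitlines()]
    lines = [ln for ln in lines if ln]
    return {hashlib.sha256("\n".join(lines[i:i + k]).encode()).hexdigest()
            for i in range(len(lines) - k + 1)}

def snippet_match_ratio(scanned, vulnerable=VULNERABLE_LINES):
    """Fraction of the vulnerable snippet's line windows present in the scanned code; 1.0 = verbatim."""
    vuln = fingerprints(vulnerable)
    return len(vuln & fingerprints(scanned)) / len(vuln)

def component_match(manifest):
    """Classic SCA lookup: declared (name, version) pairs against the advisory list."""
    return [ADVISORIES[c] for c in manifest if c in ADVISORIES]
```

Against scenario A the component lookup reports the advisory although the fixed lines are present (the snippet ratio drops to 0.75), while against scenario B it reports nothing although the snippet is there verbatim (ratio 1.0).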
Come join us in this webinar where we’ll talk about the inherent risks in open source software and the best practices and tools you can use to properly identify open source software (including snippets) and to mitigate those risks.