Gartner: You Must Assess Overall Software Health and Welfare

Gartner’s recent report, Technology Insight for Software Composition Analysis, makes four open-source security recommendations that companies should consider when deciding what kind of software composition analysis program they want to run. From the need for a software bill of materials, to the importance of a hardened software supply chain, to the crucial role OSS licensing plays, the report provides guidance on how to address the inherent risk of open source components – something we’ve been focused on at Sonatype since our founding.

Gartner’s fourth and final recommendation emphasizes understanding the overall “health” of software packages by provenance and support. Gartner reports that mature organizations are expanding open-source management to include health assessment by default. They write:

Go beyond questions of security vulnerabilities and licensing when evaluating tools to determine a product’s ability to report on the overall health and welfare of a given software package.

Open Source Repositories Are an Appealing Target

“Attackers are targeting open-source repositories with malware to infect organizations earlier in the software supply chain,” Gartner writes, summarizing a growing risk we’ve been following for over two years.

As we wrote earlier this year:

This new form of attack on our software supply chains, where OSS project credentials are compromised and malicious code is intentionally injected into open source libraries, allows hackers to poison the well. The vulnerable code is then downloaded repeatedly by millions of software developers who unwittingly pollute their applications to the direct benefit of bad actors.

Software composition analysis (SCA) tools are crucial in defending against open source repository attacks. SCA tools establish a baseline of security and compliance within the code. Ideally, the SCA tools work in conjunction with static application security testing (SAST) or interactive application security testing (IAST) tools, enabling visibility into control and
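A minimal illustration of the kind of “health and welfare” assessment the Gartner recommendation above describes, alongside the security baseline an SCA tool establishes, added here as an example and not code from Sonatype, Gartner, or the original post. It reads a constructed list of components (the shape a software bill of materials would supply) and flags each one on provenance (pinned version, known origin, signed artifact) and support (release recency, maintainer count), next to a constructed advisory list standing in for vulnerability data. The field names, thresholds and advisory identifier are assumptions for this example, not any real SBOM schema or feed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample of components, in the shape an SBOM would provide.
# Field names and values are assumptions for this example, not a real schema.
COMPONENTS = [
    {"name": "libalpha", "version": "2.4.1", "source": "registry-a",
     "last_release": "2023-11-02", "maintainers": 3, "signed": True},
    {"name": "libbeta", "version": None, "source": "registry-a",
     "last_release": "2019-03-15", "maintainers": 1, "signed": False},
    {"name": "libgamma", "version": "0.9.0", "source": "unknown",
     "last_release": "2023-08-20", "maintainers": 2, "signed": False},
]

# Constructed advisory list keyed by (name, version); the id is a placeholder.
ADVISORIES: Dict[Tuple[str, str], str] = {("libgamma", "0.9.0"): "EXAMPLE-ADV-0001"}

TODAY = date(2024, 1, 1)   # fixed "today" so the example is deterministic
STALE_DAYS = 365 * 2       # assumed threshold: no release in two years
MIN_MAINTAINERS = 2        # assumed threshold: single-maintainer projects get flagged


@dataclass
class Finding:
    category: str   # "security", "provenance" or "support"
    detail: str


@dataclass
class HealthReport:
    name: str
    version: Optional[str]
    findings: List[Finding] = field(default_factory=list)

    @property
    def healthy(self) -> bool:
        return not self.findings


def assess(component: dict, advisories: Dict[Tuple[str, str], str],
           today: date = TODAY) -> HealthReport:
    """Evaluate one component on security, provenance and support."""
    version = component.get("version")
    report = HealthReport(component["name"], version)

    # Security: the baseline check against known advisories (constructed here).
    if version and (report.name, version) in advisories:
        report.findings.append(
            Finding("security", f"known advisory {advisories[(report.name, version)]}"))

    # Provenance: can we say where it came from and that it is what it claims to be?
    if not version:
        report.findings.append(Finding("provenance", "version is not pinned; build is not reproducible"))
    if component.get("source") == "unknown":
        report.findings.append(Finding("provenance", "origin repository is unknown"))
    if not component.get("signed", False):
        report.findings.append(Finding("provenance", "artifact is not signed by its publisher"))

    # Support: is anyone still maintaining it?
    last = date.fromisoformat(component["last_release"])
    if (today - last).days > STALE_DAYS:
        report.findings.append(Finding("support", f"no release since {last.isoformat()}"))
    maintainers = component.get("maintainers", 0)
    if maintainers < MIN_MAINTAINERS:
        report.findings.append(Finding("support", f"only {maintainers} maintainer(s)"))
    return report


def assess_all(components: List[dict], advisories: Dict[Tuple[str, str], str],
               today: date = TODAY) -> List[HealthReport]:
    return [assess(c, advisories, today) for c in components]


if __name__ == "__main__":
    for r in assess_all(COMPONENTS, ADVISORIES):
        status = "OK" if r.healthy else "REVIEW"
        print(f"{r.name} {r.version or '<unpinned>'}: {status}")
        for f in r.findings:
            print(f"  [{f.category}] {f.detail}")
```

The point of separating the three categories is that a component can be free of known vulnerabilities today and still be a poor bet: an unpinned, unsigned dependency with one maintainer and no release in years is exactly the kind of package whose compromise, as described above, would go unnoticed.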

This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey.