Having been at ActiveState for practically eight years, I’ve seen many iterations of our product. Nevertheless, one factor has stayed true over time: Our dedication to the open supply group and firms utilizing open supply of their code.
ActiveState has been serving to enterprises handle open supply for over a decade. Within the early days, open supply was in its infancy. We centered primarily on the developer case, serving to to get open supply on platforms like Home windows.
Over time, our focus shifted from serving to firms run open supply to supporting enterprises managing open supply when the group wasn’t producing it in the way in which they wanted it. We started managing builds at scale, and supporting enterprises in understanding what open supply they’re utilizing and if it is compliant and secure.
Managing open supply at scale in a big group could be complicated. To assist firms overcome this and convey construction to their open supply DevSecOps apply, we’re unveiling our end-to-end platform to assist handle open supply complexity.
The present state of open supply and provide chain security
It is inevitable that with the hovering recognition of open supply comes an inflow of security points. Open supply adoption in trendy software program functions is important. Over 90% of functions include open supply elements. Open supply is now on the core of how we produce software program, and we have hit some extent the place it is the first vector for unhealthy actors to get entry to just about any piece of software program.
Attacks have been round endlessly, however there’s been an growing variety of incidents in recent times. The pandemic surfaced new alternatives for unhealthy actors. When folks have been utilizing their very own residence networks and VPNs with much less stringent security measures, it began to permit for extra danger. Regardless of return to workplace efforts, many IT employees are nonetheless at residence, so these alternatives nonetheless exist.
Moreover, many enterprises haven’t got processes in place for a way they select and procure open supply software program, so devs blindly discover and incorporate it. The problem is firms then do not know the place open supply code is coming from, who constructed it, and with what intentions. This creates a number of alternatives for assaults to occur all through the open supply software program provide chain course of.
Open supply is an open ecosystem, which makes it weak ‘by design.’ It must be as open as potential to not hinder authors from contributing, however there’s an actual problem of protecting it safe all through your complete growth course of.
Dangers do not simply exist whenever you’re importing. In case your construct service is not safe whenever you begin constructing, you could be in danger. Most of the most up-to-date assaults we have seen are open supply software program provide chain assaults not vulnerabilities. This requires an entire new method to open supply security.
Reimagining the open supply administration course of
At ActiveState, it is our mission to deliver rigor to the open supply provide chain. Corporations can get higher visibility and management over their open supply code throughout DevSecOps by specializing in a four-step administration cycle.
Step 1: Discovery
Earlier than you’ll be able to even start to remediate vulnerabilities, you should know what you are utilizing in your code. It is vital to take stock of all of the open supply that is working inside your group. An artifact of this effort might seem like a dashboard.
Step 2: Prioritization
After you have the dashboard, you can begin analyzing for vulnerabilities and dependencies and prioritize which to concentrate on first. Understanding the place the dangers are in your codebase and triaging them will show you how to make knowledgeable selections about subsequent steps.
Step 3: Upgrading and curating
Now comes the remediation and alter administration part. You will wish to set up governance and insurance policies for managing open supply throughout your org to maintain everybody aligned throughout capabilities and groups.
You also needs to carefully handle what dependencies are utilized in each manufacturing and growth environments to reduce danger.
In our platform, we preserve a big immutable catalogue of open supply software program. We hold a constant, reproducible report of round 50 million model elements, and we’re always including to it. It helps our customers ensure that they’ll at all times get again to reproducible builds. It means you’ll be able to curate your complete web for open supply whereas trusting it is safe.
Step 4: Construct and deploy
The construct and deploy part includes incorporating safe and secure open supply elements into your code – since you’re probably not remedied and safe till the fixes are deployed. At ActiveState, we construct and observe every thing. From once we ingest supply code to once we construct it right into a safe cluster. We then give it to you in a wide range of codecs to be deployed relying in your wants. We’re the one answer (that we all know of) that actually helps firms remediate and deploy, finishing the total lifecycle of guaranteeing software program provide chain security.
A brand new ActiveState: tackling open supply security challenges head-on
By our work in open supply over the previous decade, we have found there is a hole between the passionate communities producing open supply and the enterprises that wish to use it of their software program. We’re now serving to to shut that hole, empowering the open supply ecosystem whereas bringing security to organizations.
The refreshed platform we have developed and centered on facilitating collaboration between numerous gamers throughout organizations, together with builders, DevOps, and security. Our platform helps groups easily run a steady cycle of managing open supply.
There are six key use circumstances we’re centered on serving to groups drive outcomes round.
- Discoverability and observability: Acquire full perception into every thing from open supply utilization to deployment areas.
- Steady open supply integration: Preserve your code up-to-date, keep away from breaking modifications, and eradicate danger.
- Safe surroundings administration: Be sure your dev, check, and manufacturing environments are constant and reproducible.
- Governance and coverage administration: Keep a curated open supply catalogue with out slowing down growth instances.
- Regulatory compliance: Robotically adjust to authorities rules and speed up security critiques.
- Past end-of-life help: Keep steady and safe even after methods attain finish of life
In case your group can use help for any of those use circumstances, our new platform can assist. Discover the refreshed ActiveState platform with a Platform Enterprise Trial in the present day.
Word: This insightful article is dropped at you by Pete Garcin, Senior Director of Product at ActiveState, sharing his experience and distinctive perspective on the evolving challenges and options in open supply administration.
