Insights (SCA)

// Available for all platforms

Use open source securely

Almost all developers use open-source software to some extent. It is hard to beat the flexibility of open-source use and licensing. At the same time, it is imperative that developers understand how to control open-source components. Open-source solutions are associated with numerous dependencies, safety and licensing compatibility questions that require consideration prior to starting application development.

Advantages

Inventory of components with a quick overview


Early identification of threats before they turn into production problems

Avoid obsolescence and always use the most up-to-date version

Automate time-consuming tasks and research


Uncover security risks to enable targeted action plans

Isolate dependencies, identify duplicates and exclude unused components

Cost savings from early identification prior to delivery (shift left)

SCA integration into the development cycle


Creating an inventory of all open-source codes and third party components used in builds or applications is highly important.

Open-source components are just as much part of your applications as the code that you develop. When you use open-source components, you need a comprehensive understanding of their role, functions, characteristics, behaviour and licensing to enable proper maintenance and adherence to software licensing requirements.

With Kiuwan you can: avoid time-intensive and error-prone manual inventorying, including of dependencies; quickly and easily identify whether your code is affected by new software security warnings; and review your application for licensing problems while setting official guidelines for all your developers.

Kiuwan Insights continuously searches the National Vulnerability Database (NIST) for new vulnerabilities and makes use of our own knowledge and research by security experts.

The importance of SCA

Between 2018 and 2019, the number of vulnerabilities increased by 130%, from 421 to 968, which was also 127% higher than 2017. The number of new vulnerabilities remained at a historic high into 2020 indicating that this is likely to be a sustained trend. At the same time, many think of open-source components as safer than rival commercial software because open-source software can be checked and tested by more people. Clearly, the numbers indicate otherwise and it is likely that businesses often make wrong assumptions about the safety of open-source software because they do not know better. Open-source software’s widespread use means there is huge potential for hackers who know about existing vulnerabilities to exploit them on a large scale – not least because open-source components’ source code is publicly viewable. This represents the ideal environment for anyone with malicious intent to carefully plan and refine attacks before rolling them out.

    • 80% of commercial applications use open-source components
    • Every day, three new vulnerabilities emerge
    • Applications that use open-source components suffer from 20% more attacks than other applications

No application is secure if vulnerabilities in the open-source components they use are ignored and the application development cycle does not employ SCA (Software Component Analysis) solutions.

Examples of known vulnerabilities

    • Uninitialized variables
    • Application misconfiguration
    • Predictable access- or session data
    • Directory indexing
    • Insufficient authorisation / authentication
    • Authentication
    • Automatic reference counting
    • Faked cross site requests
    • Information leaks
    • Insufficient transport layer protection
    • Insufficient binary protection
    • Scripting independent of location
    • Injection attacks
    • Inter-process communication
    • OS command
    • Insecure cryptography
    • Cryptography related attacks
    • Buffer overflow
    • Free non-dynamic variables
    • Use after free
    • Double-free / double-close problems
    • Format string weaknesses
    • Pointer variable access to local variables
    • SQL injection
    • … and more

Integration into the development cycle

Kiuwan also allows you to integrate automatable audits of your open-source components into every phase of the development cycle. The growing threat of cyber attacks focussed on open-source components makes SCA as part of development cycles even more important for secure applications. Automated security checkpoints mean that you are able to audit the delivery of any open-source components at any time. The checkpoint facilitates the integration of security standards and ensures that these standards are continuously met. As a result you can avoid any delivery that does not meet standards at the earliest opportunity in the cycle. In turn, you can reduce costs through a shift to the left. Audits can also be used at any point as a maintenance tool to react to new vulnerabilities in a timely manner before attackers can exploit them.

Preventing dependency issues

Open-source projects often come with version specific dependencies. Updates to deployment environments can lead to new dependencies on older versions for open-source components. Many developers rely on an extensive stack of open-source components and may struggle to manage the resulting dependencies. Kiuwan Insights helps you to examine the architecture of your applications and the quality of their code, and identifies any dependencies within the code base. While Insights does not automatically remove those dependencies, it gives you in-depth understanding of the code. You can then use this understanding for a highly effective approach to dependency removal.

License compatibility

Most open-source products give users the right to full replication, modification and onward sales. For some open-source projects, however, this is not the case which can sometimes lead to problems in using open-source components. Specific licencing formulations for derivative software distribution is a must for the majority of products so that the use of open-source libraries can be properly referenced.

Why Kiuwan?

Kiuwan Insights is a cutting edge SCA solution. A comprehensive inventory of open-source components used by your applications is just one aspect of Insights – it also provides detailed information about security, ageing and licencing risks associated with those components. With SCA, Kiuwan aimed to achieve fast and accurate results. SCA is easy to install, has an intuitive user interface and comes complete with an extensive start configuration. With Insights, Kiuwan reduced the implementation time substantially to just a few days. Scan results are available in seconds rather than days, and offer a complete overview of all the necessary information. The solution is highly configurable to suit your specific needs.