In my nearly eight years at ActiveState, I’ve seen many iterations of our product. However, one thing has remained true over the years: our commitment to the open source community and companies that use open source in their code.
ActiveState has been helping enterprises manage open source for more than a decade. In the early days, open source was in its infancy, and we focused mainly on the developer use case, helping to get open source onto platforms like Windows.
Over time, our focus has shifted from helping open source companies to supporting businesses that run open source when the community wasn’t building it the way they needed it. We’ve started managing builds at scale and helping enterprises understand what open source code they’re using, and whether it’s compatible and secure.
Managing open source at scale can be challenging. To help companies overcome this and bring structure to their open source DevSecOps practices, we’re opening up our end-to-end platform to help manage open source complexity.
The Current State of Open Source and Supply Chain Security
Inevitably, with the rise in popularity of open source comes an influx of security concerns. Open source code is of great importance in today’s software: some 90% of applications contain open source components. Open source is now at the heart of how we make software, and we’ve reached the point where it’s a primary vector for bad actors to gain access to almost any piece of software.
Attacks have always existed, but in recent years the number of incidents has increased. The pandemic opened up new opportunities for bad actors: as people worked from their own home networks and VPNs with less stringent security measures, the risk grew. Despite efforts to get back into the office, many IT workers are still at home, so these opportunities still exist.
In addition, many enterprises do not have processes for selecting and acquiring open source software, so developers blindly find and incorporate it. The problem is that companies don’t know where open source code comes from, who created it, and with what intentions. This creates many opportunities for attacks throughout the open source software delivery process.
Open source is an open ecosystem, which makes it vulnerable “by design”. It should be as open as possible so as not to discourage authors from contributing, but there is a real challenge to keeping it secure throughout the development process.
The risk is not limited to the dependencies you import. If your build service isn’t secure when you start building, you could be at risk. Many of the recent attacks we’ve seen target the open source software supply chain itself rather than exploiting vulnerabilities in the code. This requires a whole new approach to open source security.
Rethinking the Open Source Management Process
At ActiveState, our mission is to bring rigor to the open source supply chain. Companies can gain better visibility and control over their open source in DevSecOps by focusing on a four-step governance cycle.
Step 1: Discovery
Before you can even begin to fix vulnerabilities, you need to know what you’re using in your code. It’s important to take an inventory of all the open source software running in your organization. An artifact of this effort might look like a dashboard.
Step 2: Prioritize
Once you have a dashboard, you can start analyzing vulnerabilities and dependencies and prioritize what to focus on first. Understanding the risks in your codebase and triaging them will help you make informed decisions about next steps.
Step 3: Update and Curate
Now comes the fix and change management phase. You’ll want to establish governance and policies for managing open source within your organization so that everyone is aligned across functions and teams.
You should also carefully control which dependencies are used in your production and development environments to minimize risk.
We maintain a large, immutable catalog of open source software on our platform: a consistent, reproducible record of about 50 million component versions, to which we’re constantly adding. This helps our users make sure they can always go back to a known-good build. It means you can configure your full web of open source dependencies with confidence in its security.
Step 4: Build and Deploy
The build and deploy phase involves incorporating safe and secure open source components into your code, because you’re not really patched and protected until the patches are deployed. At ActiveState, we build and track everything, from the moment we receive the source code to the moment it is built in a secure cluster. We then provide it to you in a variety of formats for deployment based on your needs. We are the only solution (that we know of) that truly helps companies remediate and deploy, completing the full software supply chain security lifecycle.
The new ActiveState: Addressing security challenges head-on with open source
Through our work with open source over the past decade, we’ve found that there is a gap between passionate open source communities and businesses that want to use it in their software. Now we’re helping to close that gap by empowering the open source ecosystem while providing security for organizations.
The updated platform we designed is focused on facilitating collaboration between different stakeholders across organizations, including developers, DevOps, and security. Our platform helps teams seamlessly execute the continuous open source management cycle.
There are six key use cases we focus on to help teams achieve results.
- Visibility and observability: Get a complete view of everything from open source usage to deployment locations.
- Continuous integration with open source: Keep your code up to date, avoid harmful changes, and eliminate risk.
- Secure environment management: Make sure your development, test, and production environments are consistent and reproducible.
- Policy management and administration: Maintain a curated open source catalog without slowing down development.
- Regulatory compliance: Automatically comply with government regulations and speed up security checks.
- Extended end-of-life support: Stay stable and secure even after systems reach end of life.
If your team could use support for any of these use cases, our new platform can help. Explore the updated ActiveState platform with a trial of the Enterprise platform today.
Note: This article is brought to you by Pete Garcin, Sr. Product Director at ActiveState, sharing his experience and unique perspective on emerging challenges and solutions in open source management.