This post was co-authored by Ryan O'Meara.
How can security become a fundamental priority for open source developers?
Application security is certainly a large and important problem in the software world, but many open source projects still contain dangerous security flaws. We think a key reason for this has been the lack of free, easy-to-use tools that allow open source developers to make application security checks part of their day-to-day routine. We created Black Duck CoPilot to help solve that problem, with the idea that basic security practices can be made accessible to any developer.
My co-author, Ryan, and I are not just Black Duck engineers, but open source developers as well. When developing our own personal projects, we’ve often wished we could use something to monitor the security of our project dependencies (the other open source components used within our projects) as we developed. Until now, doing so has been difficult, involving a lot of digging through various organizations’ websites and vulnerability databases. So, we set out to create a better way via CoPilot.
We first conceived of CoPilot for a Black Duck engineering “hackathon.” Every few months, Black Duck turns developers loose to work on projects that we find interesting. Ryan and I imagined a build integration that would let developers track open source dependencies and their associated vulnerabilities, and over the course of three days we built the first working prototype.
Integrating Security into the Open Source Developer Workflow
New vulnerabilities with flashy names seem to spring up every month, and countless other unnamed but insidious flaws threaten application stability and user privacy everywhere. Application security is clearly a critical aspect of development. However, in the world of open source development, where projects can be worked on by small teams or even individuals, often just in their spare time, security can seem like a "nice-to-have" and not a "must-have." Any aspect of application security testing that can be made seamless and silent will encourage even developers with very limited resources to start tracking the security of their dependencies.
Build integrations are a great way to plug into a developer's existing workflow without being time-consuming or intrusive. Many developers already use continuous integration (CI) systems to build their project as they make changes, so we decided to hook CoPilot into the CI process. With just a few lines of configuration, a developer can start getting component dependency and vulnerability information continuously as part of their automated builds. We present this as a GitHub badge image that summarizes the overall security risk status, plus a results page that lists the vulnerabilities (CVEs) detected during the last CI run.
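The shape of that CI step, as an added illustration (not CoPilot's own code): a project's dependency list is checked against a vulnerability feed, the findings are reduced to one badge status, and a high-severity hit fails the build. The manifest format, the feed format, the CVSS thresholds and the CVE identifiers are all constructed placeholders here.

```python
"""Minimal dependency-vulnerability check of the kind a CI hook performs.

Added illustration, not Black Duck CoPilot's code: the manifest format,
the vulnerability feed and the risk thresholds are all assumed here.
"""
from dataclasses import dataclass

# Constructed sample: what a CI job would read from the project's manifest.
SAMPLE_DEPENDENCIES = {"libfoo": "1.2.0", "libbar": "3.4.1", "libbaz": "0.9.0"}

# Constructed sample vulnerability feed (CVE ids are placeholders, not real records):
# component -> list of (affected version, CVE id, CVSS base score)
SAMPLE_VULN_FEED = {
    "libfoo": [("1.2.0", "CVE-0000-0001", 9.8), ("1.1.0", "CVE-0000-0002", 5.0)],
    "libbar": [("3.4.1", "CVE-0000-0003", 4.3)],
}

@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    cve: str
    cvss: float

def find_vulnerabilities(deps, feed):
    """Return a Finding for every dependency whose pinned version is listed in the feed."""
    findings = []
    for name, version in deps.items():
        for affected, cve, cvss in feed.get(name, []):
            if affected == version:
                findings.append(Finding(name, version, cve, cvss))
    return findings

def badge_status(findings):
    """Reduce the findings to the single word a status badge would show.
    Severity bands are assumed (CVSS v3 style), not CoPilot's own."""
    if not findings:
        return "passing"
    worst = max(f.cvss for f in findings)
    return "high-risk" if worst >= 7.0 else "medium-risk" if worst >= 4.0 else "low-risk"

def run_check(deps, feed):
    """What the CI step does: badge status, results list, and an exit code
    that fails the build when a high-severity finding exists."""
    findings = find_vulnerabilities(deps, feed)
    status = badge_status(findings)
    return status, findings, (1 if status == "high-risk" else 0)

if __name__ == "__main__":
    status, findings, code = run_check(SAMPLE_DEPENDENCIES, SAMPLE_VULN_FEED)
    print(f"badge: {status}")
    for f in findings:
        print(f"  {f.component} {f.version}: {f.cve} (CVSS {f.cvss})")
    raise SystemExit(code)
```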
To put it simply, we think that CoPilot can reduce the friction for developers to almost zero while providing them immediate benefits. We’ve already seen the advantage of having security information on our own personal projects, as well as Black Duck’s open source projects.
The 35,000-Foot View
What makes open source so important for developers is that it stops them from having to reinvent the wheel. Most open source projects are themselves built on other open source components. As projects mitigate vulnerabilities from their dependencies, there is a cascading effect; projects that depend on those projects become more secure as well. In this way, small changes upstream can reduce the risk of large swaths of the open source landscape downstream.
In addition to improving the security of individual projects, the Black Duck security badges help software teams choose well among the components they integrate into their own projects. In the same way that a developer might pick a component with good test coverage over one with poor test coverage, a developer should pick a component with low security risk over one with a higher risk.
This benefit isn't limited to open source software alone. If the open source components are more secure, "closed source" software (which often contains 50% or more open source) will be too. And since most cyber attacks target application vulnerabilities, these improvements will ultimately help companies, administrators, and end-users defend against attacks. Our goal with CoPilot is to help open source developers tip over the first domino in that application security chain.
CoPilot is available today so you can start scanning your GitHub projects right away. Just go to https://copilot.blackducksoftware.com/ to get started, and make sure to use the Send Feedback button to give us your comments and ideas.