Picture this: a new zero-day vulnerability has just been announced, sending ripples through the tech community. Your team is on the front line, tasked with a mission — find and fix this vulnerability across your organization. The first step? Pinpoint where this vulnerable package lurks. Traditional methods turn this into an odyssey — a fragmented, painstaking journey from one development team to another, inquiring, investigating, checking. The result is slow and inaccurate.

For instance, in the wake of the Log4j vulnerability, many companies found themselves scrambling to figure out where Log4j was being used in their organization. They created war rooms and spent weeks collaborating with engineering leaders to find and fix the vulnerability.   

But it doesn’t have to be this way. Imagine a centralized, comprehensive inventory — a single source cataloging every package used in every project across your organization. With such a tool, the search for a specific package name or vulnerability becomes swift and simple. 

This vision is now a reality with FOSSA’s recently released Package Index. Designed for these critical moments, Package Index offers unparalleled visibility into your software supply chain, making it quick and easy to find any package or vulnerability across all projects in your organization.

How Package Index Enables Global Visibility

The discovery and management of packages and vulnerabilities across the entire organization has traditionally been difficult and time-consuming. FOSSA’s Package Index simplifies this, enabling several key benefits:

  1. Comprehensive Overview of All Packages: Package Index creates a complete, detailed inventory of every package used across your organization’s projects. This is more than just a list; it's a dynamic, searchable database. Security teams can now instantly access a full record of packages, along with their versions, dependencies, and associated vulnerabilities. This level of detail is crucial for understanding the security and compliance status of your software assets.
  2. Rapid Response to New Vulnerabilities: When new vulnerabilities are disclosed, Package Index allows for immediate, organization-wide searches using either package name or CVE (Common Vulnerabilities and Exposures) number. Security teams can quickly identify which projects are using the vulnerable package and assess the potential impact. For example, Package Index can be used to find which projects in your organization may be using Apache Log4j. This capability dramatically shortens the time from vulnerability disclosure to mitigation, a critical factor in managing security risks effectively.
  3. Block Packages Globally: With Package Index, it’s now possible to enforce package policies on a global scale within your organization. Security teams can block specific versions of a package, and this decision can be automatically applied across all projects. This ensures uniform compliance and security standards, streamlining policy enforcement and reducing the risk of inconsistencies or oversights.
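To make the three capabilities above concrete, here is an added illustration (not FOSSA code, and not how Package Index is implemented) of the minimal data model behind an organization-wide package index: per-project dependency lists inverted into a package-to-projects map, then queried by package name, by advisory, and against a global block policy. The project names, versions, CVE identifiers, and affected-version ranges are all constructed placeholders.

```python
# Constructed sample inventory: per-project dependency lists as a dependency
# scanner or SBOM import would produce them. Names and versions are made up.
PROJECTS = {
    "payments-api":  [("log4j-core", "2.14.1"), ("jackson-databind", "2.13.0")],
    "billing-batch": [("log4j-core", "2.17.1"), ("commons-text", "1.9")],
    "web-frontend":  [("lodash", "4.17.20")],
}

# Constructed advisory table with placeholder CVE ids (not real identifiers).
# Each entry: package, first affected version (inclusive), fixed version (exclusive).
ADVISORIES = {
    "CVE-0000-0001": ("log4j-core", "2.0", "2.17.1"),
    "CVE-0000-0002": ("lodash", "0", "4.17.21"),
}

# Constructed global block policy: package -> versions no project may use.
BLOCKED = {"log4j-core": {"2.14.1"}}


def parse_version(v: str) -> tuple:
    # Simplification: purely numeric dotted versions; real ecosystems need a
    # proper version parser (semver, PEP 440, Maven ordering).
    return tuple(int(p) for p in v.split("."))


def index_by_package() -> dict:
    """Invert per-project lists into package -> [(project, version)]."""
    idx = {}
    for project, deps in PROJECTS.items():
        for name, version in deps:
            idx.setdefault(name, []).append((project, version))
    return idx


def find_by_package(name: str) -> list:
    """Capability 1/2: every project using a package, with the version it pins."""
    return sorted(index_by_package().get(name, []))


def find_by_cve(cve_id: str) -> list:
    """Capability 2: projects whose pinned version falls in the affected range."""
    pkg, lo, fixed = ADVISORIES[cve_id]
    lo_v, fixed_v = parse_version(lo), parse_version(fixed)
    return [(p, v) for p, v in find_by_package(pkg)
            if lo_v <= parse_version(v) < fixed_v]


def blocked_usages() -> list:
    """Capability 3: (project, package, version) triples violating the policy."""
    return sorted((p, name, v) for name, versions in BLOCKED.items()
                  for p, v in find_by_package(name) if v in versions)
```

Note that `find_by_cve` reports only projects whose pinned version is inside the affected range, so the project already on the fixed release does not appear.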

“Package Index is super useful when customers are inquiring about a specific package or CVE. It’s really easy for our security team to use FOSSA to search for a specific CVE or package and get a very quick answer before going into the technical nitty-gritty of the CVE.”

- Valentina Ditoiu, Senior Security Program Manager at UIPath

Get Started with Package Index

Current FOSSA customers can leverage Package Index in their workflow today. 

If you aren’t yet a FOSSA customer and are interested in Package Index, getting started is straightforward. You can sign up for a FOSSA premium account (recommended for smaller organizations) for immediate access to this feature, or request a demo (recommended for larger organizations) to get an in-depth look at how Package Index can help make your license compliance and security efforts more effective and efficient.

With the addition of Package Index, we are excited to continue enabling organizations in their use of secure and compliant open-source software.