From Continuous Compliance to Continuous Risk Mitigation

The explosive adoption of open source has meant that companies are having to take open source risk assessment and mitigation seriously. As open source contributions and usage grow, the attack surface for vulnerabilities has increased considerably, leading to higher security risk. In fact, Forrester’s 2018 Global Business Technographics Security Survey revealed that 35% of global security decision makers who experienced an external breach said that it occurred due to software vulnerabilities.

And with recent studies showing a steady increase in the number of vulnerabilities in open source libraries, organizations are working overtime to strengthen software supply chain security and prevent vulnerabilities or incorrectly licensed software from entering their applications while also maintaining developer velocity.

Today, we are excited to announce the launch of FOSSA Security Management, empowering enterprises to proactively and continuously prevent vulnerabilities from shipping to production and mitigating risk throughout the entire software development lifecycle. Security Management makes it easy to identify, control, and remediate a huge variety of open source vulnerabilities without disturbing the speed and consistency of software releases.

With FOSSA, organizations can now actively monitor their open source software for vulnerability and license risks as a single, automated process in the existing development and deployment workflow and enforce the appropriate risk policies across their teams at any scale. In fact, FOSSA users benchmark 47% fewer false-positives by finding vulnerabilities in the dependencies they actually rely on earlier in the SDLC for a truly enterprise-scale approach to open source security.

Let's take a product tour to understand how FOSSA can help enterprises secure their open source software supply chain and help accelerate innovation.

Key Capabilities

Policy Engine. Our platform is powered by a sophisticated policy engine that gives teams the flexibility to create and enforce specific and appropriate policies for their projects. The policy engine offers many options for building those policies, including CVSS score or severity thresholds and whitelists or blacklists of specific CWEs, giving security teams the ability to enforce the optimal risk posture at scale.


Vulnerability Details. Customers get detailed information about each vulnerability, including the description, the affected version of the library, the CVSS score and severity, and the CVE and CWE identifiers, to help with speedy triage of issues.


Actionable intelligence, such as relationship paths that show how the vulnerable dependency was introduced into the code, gives developers and stakeholders the context to accurately assess and prioritize the risk around a vulnerability.
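To make the policy engine, vulnerability details, and relationship paths above concrete, here is an added example of a small policy evaluator. It is illustrative code written for this post, not FOSSA's engine or schema: the Finding and Policy shapes, the package names, and the CVE identifiers (CVE-0000-000x) are constructed placeholders. The CVSS-to-severity mapping is the standard CVSS v3.x qualitative scale. A blacklisted CWE always fails, a whitelisted CWE is treated as accepted risk, and otherwise the CVSS and severity thresholds decide; each verdict also reports whether the package is a direct or transitive dependency and which direct dependency introduced it.

```python
from dataclasses import dataclass

# CVSS v3.x qualitative severity ratings, ranked for threshold comparisons.
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass(frozen=True)
class Finding:
    """One vulnerability hit on a resolved dependency (constructed shape, not a vendor schema)."""
    cve: str
    package: str
    version: str
    cvss: float
    cwes: tuple   # e.g. ("CWE-79",)
    path: tuple   # relationship path: project root -> ... -> affected package

    @property
    def severity(self) -> str:
        return cvss_to_severity(self.cvss)

    @property
    def direct(self) -> bool:
        # (root, package) means a direct dependency; a longer path is transitive.
        return len(self.path) == 2


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy: CVSS/severity thresholds plus CWE blacklist and whitelist."""
    min_failing_cvss: float = 7.0
    min_failing_severity: str = "high"
    blacklisted_cwes: frozenset = frozenset()   # always fail
    whitelisted_cwes: frozenset = frozenset()   # accepted risk, unless also blacklisted


def evaluate(finding: Finding, policy: Policy) -> dict:
    """Return a verdict dict with status ('fail' or 'pass'), the reason, and triage context."""
    cwes = set(finding.cwes)
    denied = cwes & policy.blacklisted_cwes
    if denied:
        status, reason = "fail", "blacklisted CWE " + ",".join(sorted(denied))
    elif cwes and cwes <= policy.whitelisted_cwes:
        status, reason = "pass", "whitelisted CWE (accepted risk)"
    elif finding.cvss >= policy.min_failing_cvss:
        status, reason = "fail", f"CVSS {finding.cvss} >= {policy.min_failing_cvss}"
    elif SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[policy.min_failing_severity]:
        status, reason = "fail", f"severity {finding.severity}"
    else:
        status, reason = "pass", "below thresholds"
    return {
        "cve": finding.cve,
        "package": f"{finding.package}@{finding.version}",
        "cvss": finding.cvss,
        "severity": finding.severity,
        "status": status,
        "reason": reason,
        "direct": finding.direct,
        # The direct dependency that pulled the vulnerable package in (itself, if direct).
        "introduced_via": finding.path[1] if len(finding.path) > 1 else finding.path[0],
    }


def evaluate_all(findings, policy: Policy) -> list:
    """Evaluate every finding; failures first, highest CVSS first, for triage ordering."""
    results = [evaluate(f, policy) for f in findings]
    return sorted(results, key=lambda r: (r["status"] != "fail", -r["cvss"]))


# Constructed sample input: placeholder CVE ids, package names, and paths.
SAMPLE_FINDINGS = (
    Finding("CVE-0000-0001", "example-http", "1.2.0", 9.8, ("CWE-787",),
            ("my-app", "example-web", "example-http")),   # transitive
    Finding("CVE-0000-0002", "example-yaml", "3.1.4", 5.3, ("CWE-400",),
            ("my-app", "example-yaml")),                   # direct
    Finding("CVE-0000-0003", "example-log", "2.0.1", 7.5, ("CWE-20",),
            ("my-app", "example-log")),                    # direct, whitelisted CWE
)
SAMPLE_POLICY = Policy(
    min_failing_cvss=7.0,
    min_failing_severity="high",
    blacklisted_cwes=frozenset({"CWE-787", "CWE-79"}),
    whitelisted_cwes=frozenset({"CWE-20"}),
)

if __name__ == "__main__":
    for verdict in evaluate_all(SAMPLE_FINDINGS, SAMPLE_POLICY):
        print(verdict)
```

Running the block against the constructed sample fails the transitive example-http finding on its blacklisted CWE (reported as introduced via example-web), passes example-log despite CVSS 7.5 because CWE-20 is whitelisted, and passes example-yaml as below both thresholds. In a real pipeline the equivalent verdicts are what a CI gate would use to block or allow a release.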


Remediation Support. Multi-pronged remediation support, including one-click automated pull requests and recommended fixes, accelerates remediation, saving a couple of hours of precious developer time for each issue. Cumulatively, that’s weeks of productivity saved for each software engineer per year, the equivalent of several full-time employees’ total work contribution.


Reporting. FOSSA provides clear and detailed reports with useful insights, including historical exposure windows and vulnerability trends, that give organizations an understanding of their risk profile. Leverage our vulnerability API to get real-time statistics on your security status.


Zero-Config Onboarding. Onboarding with our new CLI is fast and easy. To get started, users just download our CLI, and they are ready to scan. Beyond setting up your API key, there is no setup or configuration needed. The new CLI automatically determines the best dependency resolution strategy to yield the most accurate results.


Curated Database. Our vulnerability database, sourced from multiple master vulnerability databases, is manually curated by security experts to ensure high levels of accuracy with few false positives. In fact, FOSSA users benchmark 47% fewer false positives by finding the dependencies they actually rely on earlier in the SDLC.

Integrations. FOSSA’s platform has native integrations into JIRA, Slack, GitHub, and most CI/CD tools, giving developers the ability to work within their existing environments.

Comprehensive Open Source Management

With the addition of Open Source Security Management, FOSSA has evolved into a complete open source risk mitigation platform where enterprise teams can assess, manage, and mitigate open source vulnerability and license risk. With our Security Management solution, customers can be assured of:

Comprehensive Risk Visibility. FOSSA’s platform promises the most comprehensive and accurate inventory of security, license, and dependency risks in your open source software. Our broad language support, sophisticated scanning, and curated databases combine to give our customers precise and accurate visibility into their license and security risk.

Policy Governance and Collaboration. With FOSSA’s powerful policy engine, security and legal teams can create and enforce consistent and granular policies across teams and projects without slowing developer velocity.

Developer-Friendliness. With FOSSA’s platform, you can lower overhead and speed up engineering by automatically scanning for risk at every commit. We provide actionable intelligence and remediation support for faster triage and easy issue resolution so engineers can focus their time and energy on innovation.