Vulnerability data about open-source software should be open too!

Channel:
Eclipse Foundation
Subscribers:
24,000
Published on ● Video Link: https://www.youtube.com/watch?v=d4xBS9FMduE


Duration: 31:00
255 views
6

When running Eclipse Steady internally at SAP, serving thousands of distinct teams and conducting 250k+ scans per month, we spent a substantial amount of time mining source code repositories and curating a knowledge base of so called fix-commits (which are the commits that fix known vulnerabilities). Such information is the fuel of Eclipse Steady and it needs to be continuously harvested.

Given the increasing size of open-source ecosystems and the pace at which new vulnerabilities affecting open-source software are discovered, the current human-intensive approach is not adequate and cannot scale. We have observed, over the past few years, a growing interest in the industry that led to several commercial offerings to emerge, each of which has its own proprietary vulnerability knowledge base. Not only the proprietary nature of these knowledge bases hinders further development of open-source tools that could push the state of the art in vulnerability detection and mitigation, but they have the same scalability and coverage issues that we have experienced ourselves.

Ultimately, the fact that data about open-source software is not open appears somewhat paradoxical.

To overcome these issues, we propose a different way of collecting and publishing vulnerability data: a way that is based on a collaborative and distributed approach. In this talk we present a simple, machine- and human-readable format to represent vulnerabilities, capturing essential information such as which commits in which repository fixed a given vulnerability. This format is accompanied by a tool to create, publish and consume data from distinct independent sources, allowing clients to aggregate different sources defining customized policies to reconcile conflicting information.

By attending this presentation you will hear what we learned in the path from coming up with the idea of Eclipse Steady to rolling it out in a large enterprise; you will learn why the open availability of accurate, low-level vulnerability information is key and why achieving that is difficult. Hopefully, we will convince you that a collaborative, distributed approach is the way to go, explaining why it makes sense both for the open-source community and the software industry as a whole.

Finally, we hope that by the end of the talk you will want to try and adopt Eclipse Steady in your own projects!


Speaker(s):
Henrik Plate (SAP SE)
Serena Ponta (SAP SE)
Antonino Sabetta (SAP SE)



Other Videos By Eclipse Foundation


2020-10-25Deploy your Java applications to the Cloud using Eclipse JKube
2020-10-25Jakarta NoSQL: One API to many NoSQL databases into Cloud Native age
2020-10-25Using the Power of the LSP to Create Unconventional Language-Client/Server Integrations
2020-10-25Performance Anti-Patterns in OSGi/Eclipse
2020-10-25Connect your devices using an open source, low-power wireless protocol stack
2020-10-25HarmonyOS: Key technical features and architectural deep dive
2020-10-25Lifting 15 tons blocks with Eclipse
2020-10-25Wellness Break: Mindfulness for Developers (Part 1)
2020-10-25Sirius Web: 100% open source cloud modeling platform
2020-10-25What is Low Code Development
2020-10-24Vulnerability data about open-source software should be open too!
2020-10-23What does cloud-native mean anyway? (sponsored by IBM)
2020-10-23Agile Testing Basics for Non-Testers
2020-10-23Visible Code: Visualize Complex OSGi Projects
2020-10-23Automated Open Source Compliance in Action
2020-10-23Diagram editors in the web with Eclipse GLSP
2020-10-23Write Tests that Spark Flow
2020-10-23What’s New in the Eclipse Platform Project?
2020-10-23Developing IoT Edge
2020-10-23Boost your APIs with GraphQL
2020-10-23Using Openshift based Jenkins Infrastructure in Eclipse Platform Project


Tags:
vulnerabilities
security
eclipse steady
open source
oss
Eclipsecon 2020