Having been at ActiveState for nearly eight years, I’ve seen many iterations of our product. However, one thing has stayed true over the years: Our commitment to the open source community and companies using open source in their code.
ActiveState has been helping enterprises manage open source for over a decade. In the early days, open source was in its infancy. We focused mainly on the developer case, helping to get open source on platforms like Windows.
Over time, our focus shifted from helping companies run open source to supporting enterprises managing open source when the community wasn’t producing it in the way they needed it. We began managing builds at scale, and supporting enterprises in understanding what open source they’re using and if it’s compliant and safe.
Managing open source at scale in a large organization can be complex. To help companies overcome this and bring structure to their open source DevSecOps practice, we’re unveiling our end-to-end platform to help manage open source complexity.
The current state of open source and supply chain security
It’s inevitable that with the soaring popularity of open source comes an influx of security issues. Open source adoption in modern software applications is significant. Over 90% of applications contain open source components. Open source is now at the core of how we produce software, and we’ve hit a point where it’s the primary vector for bad actors to get access to nearly any piece of software.
Attacks have been around forever, but there has been an increasing number of incidents in recent years. The pandemic surfaced new opportunities for bad actors: when people were working from their own home networks and over VPNs with less stringent security measures, the risk grew. Despite return-to-office efforts, many IT workers are still at home, so these opportunities still exist.
Additionally, many enterprises don’t have processes in place for how they choose and procure open source software, so devs blindly find and incorporate it. The challenge is companies then don’t know where open source code is coming from, who built it, and with what intentions. This creates multiple opportunities for attacks to happen throughout the open source software supply chain process.
Open source is an open ecosystem, which makes it vulnerable ‘by design.’ It needs to be as open as possible to not hinder authors from contributing, but there’s a real challenge of keeping it secure throughout the entire development process.
Risks don’t just exist when you’re importing. If your build service isn’t secure when you start building, you can be at risk. Many of the most recent attacks we’ve seen are open source software supply chain attacks, not vulnerabilities. This requires a whole new approach to open source security.
Reimagining the open source management process
At ActiveState, it’s our mission to bring rigor to the open source supply chain. Companies can get better visibility and control over their open source code across DevSecOps by focusing on a four-step management cycle.
Step 1: Discovery
Before you can even begin to remediate vulnerabilities, you need to know what you’re using in your code. It’s important to take inventory of all the open source that’s running within your organization. An artifact of this effort could look like a dashboard.
Step 2: Prioritization
Once you have the dashboard, you can start analyzing for vulnerabilities and dependencies and prioritize which to focus on first. Understanding where the risks are in your codebase and triaging them will help you make informed decisions about next steps.
Step 3: Upgrading and curating
Now comes the remediation and change management phase. You’ll want to establish governance and policies for managing open source across your org to keep everyone aligned across functions and teams.
You should also closely manage what dependencies are used in both production and development environments to minimize risk.
In our platform, we maintain a large immutable catalogue of open source software. We keep a consistent, reproducible record of around 50 million version components, and we are constantly adding to it. It helps our users make sure they can always get back to reproducible builds. It means you can curate the entire internet for open source while trusting it’s secure.
Step 4: Build and deploy
The build and deploy phase involves incorporating secure and safe open source components into your code, because you’re not really remediated and secure until the fixes are deployed. At ActiveState, we build and track everything, from when we ingest source code to when we build it into a secure cluster. We then give it to you in a variety of formats to be deployed depending on your needs. We’re the only solution (that we know of) that truly helps companies remediate and deploy, completing the full lifecycle of ensuring software supply chain security.
A new ActiveState: tackling open source security challenges head-on
Through our work in open source over the past decade, we’ve discovered there’s a gap between the passionate communities producing open source and the enterprises that want to use it in their software. We’re now helping to close that gap, empowering the open source ecosystem while bringing security to organizations.
The refreshed platform we’ve developed is focused on facilitating collaboration between various players across organizations, including developers, DevOps, and security. Our platform helps teams smoothly run a continuous cycle of managing open source.
We’re focused on helping teams drive outcomes around six key use cases:
- Discoverability and observability: Gain complete insight into everything from open source usage to deployment locations.
- Continuous open source integration: Keep your code up-to-date, avoid breaking changes, and eliminate risk.
- Secure environment management: Make sure your dev, test, and production environments are consistent and reproducible.
- Governance and policy management: Maintain a curated open source catalogue without slowing down development times.
- Regulatory compliance: Automatically comply with government regulations and accelerate security reviews.
- Beyond end-of-life support: Stay stable and secure even after systems reach end of life.
If your team could use support for any of these use cases, our new platform can help. Explore the refreshed ActiveState platform with a Platform Enterprise Trial today.
Note: This insightful article is brought to you by Pete Garcin, Senior Director of Product at ActiveState, sharing his expertise and unique perspective on the evolving challenges and solutions in open source management.