SEARCH FINANCIAL SERVICES INFRASTRUCTURE SECURITY SCIENCE INTERVIEWS

 

     

WhiteSource Priority Score Debuts

April 14, 2021

WhiteSource released its Priority Score technology to help organizations determine which security vulnerabilities pose the greatest risk, and which ones demand their most immediate attention.

The WhiteSource Priority Scoring technology enables users to assign novel metrics to different products and projects, such as business impact. Based on users' preconfiguration, a priority score between 0 and 100 is then attributed to entities within their system per library or vulnerability. Security teams can then make informed decisions on the order and urgency of remediation required.

As open source adoption increases, the number of known security vulnerabilities in it continues to grow every year. Software development and application security teams are increasingly relying on vulnerability detection tools throughout the development process. As a result, teams are often overwhelmed by the steady stream of security alerts that must be addressed. Indeed, in most cases it's impractical to fix all vulnerabilities, and some require major development work. WhiteSource research shows that only 15% to 30% of open-source vulnerabilities are effective; the majority of vulnerable methods are not called by the proprietary code.

Once vulnerabilities are detected, teams need to find a way to prioritize them. How can development and security teams make sure they are not wasting valuable time fixing security issues that are not their biggest threat? WhiteSource research results showed that prioritizing open source vulnerabilities based on their analyzed effectiveness, helped beta customers reduce the number of effective open source security vulnerabilities alerts by a substantial 85%, saving organizations a monthly average of 10 hours per developer.

Apart from business impact, some of the parameters taken into consideration by the WhiteSource Priority Scoring algorithm include CVSS Score (vulnerability severity), Prioritization based on whether the proprietary code is making calls to the vulnerable method (effectiveness), availability of fix, ease of remediation, and Malicious package probability.

Business Impact is easily preconfigured by the user into each product and project, taking into account factors such as Personally Identifiable Information (PII) or finance data available through the application to those who may try to exploit it. Applications or products containing this type of information create a higher risk factor when they are exploited, hence a higher business impact.

"Security risks to financial systems have grown in recent years. Vulnerabilities or malicious packages targeting financial institutions are becoming more frequent, sophisticated, and destructive," said Shiri Arad Ivtsan, Director of Product Management at WhiteSource. "When a specific application provides access to financial data, or Personally Identifiable Information its security is considered a higher priority to handle. The WhiteSource Priority Scoring lets organizations put their DevSecOps on autopilot, and accelerate software product delivery at scale."

Terms of Use | Copyright 2002 - 2021 CONSTITUENTWORKS SM  CORPORATION. All rights reserved. | Privacy Statement