WhiteSource

New York, NY, USA
2011
Jan 13, 2022   |  By Alfrick Opidi
Following the devastating vulnerabilities recently found in Log4j, the Cybersecurity & Infrastructure Security Agency (CISA) in the United States has pointed to the SBOM – called for in President Biden’s cybersecurity Executive Order (EO) – as a way to make remediation of similar vulnerabilities easier in the future. In light of this, we thought it would be useful to provide an easy overview of SBOMs – what they are, and how to obtain them.
Jan 4, 2022   |  By Aharon Abadi (PhD)
Since December 10, in a span of just 20 days, four different vulnerabilities have been published against Log4j. Engineers who worked long hours to update their Log4j versions to 2.15.0 on December 11th were told three days later that they needed to do it all over again and upgrade to version 2.16.0. This is not sustainable, and yet the risks are high. Looking back, we see that Log4j has been vulnerable since 2013 to the kinds of attacks described in CVE-2021-44228.
Dec 29, 2021   |  By Hagai Wechsler
Another vulnerability, though one unlikely to be exploited because it requires control of the configuration, was discovered in Log4j’s latest versions: CVE-2021-44832. This is an arbitrary code execution vulnerability that goes, yet again, through the now infamous JNDI functionality. It lets an attacker with control over the Log4j configuration set a malicious datasource for the JDBC (Java Database Connectivity API) appender. The datasource refers to an attacker-controlled JNDI URI that will execute arbitrary code in the application using Log4j.
Dec 27, 2021   |  By Rhys Arkins
The announcement of the Log4j vulnerability CVE-2021-44228 sent security and development teams into a tailspin and highlights one of the biggest challenges of open source security: dependency management. The open source libraries that make up as much as 80% of our applications are often a tangled web of dependencies.
Dec 23, 2021   |  By Hagai Wechsler
The notorious Log4Shell vulnerability, CVE-2021-44228, has put Log4j in the spotlight and grabbed the entire Java community’s attention over the last couple of weeks. Maintainers of Java projects that use Log4j have most probably addressed the issue. Meanwhile, non-Java developers are enjoying relative peace of mind, believing they are unaffected by one of the major vulnerabilities found in recent years. Unfortunately, this is an incorrect assumption.
Dec 19, 2021   |  By Hagai Wechsler
A third Log4j2 vulnerability was disclosed by the Apache security team on the night of December 17 to 18 and given the ID CVE-2021-45105. According to the security advisory, 2.16.0, which fixed the two previous vulnerabilities, is susceptible to a denial-of-service attack caused by uncontrolled recursion (a stack overflow) in Context Lookups used in the configuration file’s layout patterns. What is this CVE about? What can you do to fix it? How does it differ from the previous CVEs?
Dec 16, 2021   |  By Hagai Wechsler
As security and development teams rushed to assess the now-notorious Log4Shell vulnerability published December 10 (CVE-2021-44228), another, less severe vulnerability was discovered in Log4j: CVE-2021-45046. To understand the newly discovered vulnerability, it is important to get the full picture and background on the original Log4j issue.
Dec 12, 2021   |  By Daniel Elkabes
A critical vulnerability in Apache’s widely popular Log4j Java library, CVE-2021-44228 (CVSS score 10), was published over the weekend, causing a lot of concern.
Dec 9, 2021   |  By Patricia Johnson
Software development organizations are investing more and more resources in their vulnerability management programs. According to Gartner’s forecast, enterprise security spending in 2021 was expected to break records and grow 12.4% to reach $150.4 billion. But how do organizations know if they’re spending their security resources wisely? The answer can only be found by crunching the numbers.
Dec 2, 2021   |  By Ayala Goldstein
Vulnerability management is becoming increasingly important to companies due to the rising threat of cyber security attacks and regulations like PCI DSS, HIPAA, NIST 800-731 and more. Vulnerability management is a comprehensive process implemented to continuously identify, evaluate, classify, remediate, and report on security vulnerabilities.
Jan 5, 2022   |  By WhiteSource
This is the first video in a series describing how WhiteSource can integrate with GitHub to detect open source artifacts and their known vulnerabilities and licensing risks. This video will focus on setting up a repository to be scanned automatically on a valid push.
Dec 14, 2021   |  By WhiteSource
In this short video, we will demonstrate how to create an NTIA compliant Software Bill of Materials for applications that have been scanned using WhiteSource.
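The SBOM overview above (Jan 13) and this NTIA-compliant SBOM video point at the same practical use: once an SBOM carries the NTIA minimum elements (supplier, component name, version, unique identifier, dependency relationship, SBOM author, timestamp), "do we ship an affected log4j-core, and which dependency pulls it in?" becomes a query rather than a rescan. The Python below is an added example for this page, not WhiteSource's or the video's code. The CycloneDX-style SBOM, the `orders-service` application and the `example-build-pipeline` author are constructed; the affected ranges are the 2.x mainline figures from the Apache advisories, and the Java 6/7 backport branches (2.3.x, 2.12.x) are deliberately not modelled.

```python
"""Added example: query a CycloneDX-style SBOM for affected log4j-core versions
and check the NTIA minimum elements. Not WhiteSource code; the SBOM is constructed."""
import json
import re

# Constructed SBOM in CycloneDX 1.4 JSON shape (hand-written for this example).
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.4",
 "metadata": {"timestamp": "2022-01-13T10:00:00Z",
              "authors": [{"name": "example-build-pipeline"}],
              "component": {"type": "application", "bom-ref": "orders-service",
                            "name": "orders-service", "version": "3.4.0"}},
 "components": [
  {"type": "library", "bom-ref": "log4j-core", "group": "org.apache.logging.log4j",
   "name": "log4j-core", "version": "2.15.0",
   "supplier": {"name": "The Apache Software Foundation"},
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.15.0"},
  {"type": "library", "bom-ref": "log4j-api", "group": "org.apache.logging.log4j",
   "name": "log4j-api", "version": "2.15.0",
   "supplier": {"name": "The Apache Software Foundation"},
   "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.15.0"},
  {"type": "library", "bom-ref": "jackson-databind", "group": "com.fasterxml.jackson.core",
   "name": "jackson-databind", "version": "2.13.1",
   "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1"}],
 "dependencies": [
  {"ref": "orders-service", "dependsOn": ["log4j-core", "jackson-databind"]},
  {"ref": "log4j-core", "dependsOn": ["log4j-api"]}]}
""")

# log4j-core advisories on the 2.x mainline: (CVE, first affected, first fixed).
# The Java 6/7 backport releases (2.3.x, 2.12.x) are not modelled here.
LOG4J_CORE_ADVISORIES = [
    ("CVE-2021-44228", "2.0-beta9", "2.15.0"),
    ("CVE-2021-45046", "2.0-beta9", "2.16.0"),
    ("CVE-2021-45105", "2.0-alpha1", "2.17.0"),
    ("CVE-2021-44832", "2.0-beta7", "2.17.1"),
]

_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any pre-release of the same number
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?")


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 1, 9); '2.15.0' -> (2, 15, 0, 3, 0)."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m or (m.group(2) and m.group(2).lower() not in _PRERELEASE_RANK):
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")][:3]
    nums += [0] * (3 - len(nums))
    if m.group(2) is None:
        return (*nums, _FINAL_RANK, 0)
    return (*nums, _PRERELEASE_RANK[m.group(2).lower()], int(m.group(3) or 0))


def affected(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed."""
    return parse_version(first_affected) <= parse_version(version) < parse_version(first_fixed)


def find_log4j_findings(sbom, advisories=LOG4J_CORE_ADVISORIES):
    """(bom-ref, version, CVE) for every log4j-core component inside an affected range."""
    findings = []
    for comp in sbom.get("components", []):
        if comp.get("group") != "org.apache.logging.log4j" or comp.get("name") != "log4j-core":
            continue
        for cve, lo, hi in advisories:
            if affected(comp["version"], lo, hi):
                findings.append((comp["bom-ref"], comp["version"], cve))
    return findings


def paths_to(sbom, target_ref):
    """Dependency chains from the root application to target_ref, so remediation
    knows which direct dependency has to be bumped. Cycles are skipped."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    found = []

    def walk(node, path):
        if node == target_ref:
            found.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:
                walk(child, path + [child])

    root = sbom["metadata"]["component"]["bom-ref"]
    walk(root, [root])
    return found


def missing_ntia_elements(sbom):
    """Gaps against the NTIA minimum elements. Only purl is accepted as the
    unique identifier in this example; CPE or SWID tags would also qualify."""
    gaps = []
    meta = sbom.get("metadata", {})
    if not meta.get("timestamp"):
        gaps.append("metadata.timestamp")
    if not meta.get("authors"):
        gaps.append("metadata.authors")
    if not sbom.get("dependencies"):
        gaps.append("dependencies")
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "?")
        for field in ("supplier", "name", "version", "purl"):
            if not comp.get(field):
                gaps.append(f"{ref}.{field}")
    return gaps
```

Run against the constructed SBOM, `find_log4j_findings` reports log4j-core 2.15.0 against CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832 but not CVE-2021-44228, which is the version-churn problem the Jan 4 post describes made concrete; `paths_to` shows it is a direct dependency of `orders-service`, and `missing_ntia_elements` flags that `jackson-databind` lacks a supplier, so the document would not yet pass an NTIA minimum-elements check. Version ordering matters here: `2.0-beta9` must sort below `2.0`, which a plain string comparison gets wrong.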
Dec 11, 2021   |  By WhiteSource
Are you using Azure DevOps Repositories? WhiteSource can integrate with your source control and quickly detect open source artifacts and their known vulnerabilities and licensing risks. WhiteSource also provides all the information you need to fix these artifacts automatically.
Dec 4, 2021   |  By WhiteSource
This is the first video in a series describing how the WhiteSource Unified agent can be used to detect open source artifacts and their known vulnerabilities and licensing risks. This video will focus on performing a scan on a user's local desktop.
Dec 4, 2021   |  By WhiteSource
This is the second video in a series describing how the WhiteSource Unified Agent can be used to detect open source artifacts and their known vulnerabilities and licensing risks. This video will focus on performing a scan within a CI/CD pipeline such as Azure DevOps.
Dec 4, 2021   |  By WhiteSource
This is the third video in a series describing how the WhiteSource Unified agent can be used to detect open source artifacts and their known vulnerabilities and licensing risks. This video will focus on performing a scan with a prebuilt docker image that contains the unified agent and specific versions of each package manager.
Dec 4, 2021   |  By WhiteSource
This is the fourth video in a series describing how the WhiteSource Unified agent can be used to detect open source artifacts and their known vulnerabilities and licensing risks. This video will focus on performing a scan with the WhiteSource CLI which is a lightweight version of the unified agent that is designed for immediate feedback on a user's desktop.
Dec 2, 2021   |  By WhiteSource
This is the first video in a series describing how WhiteSource can integrate with Artifactory to detect open source artifacts and their known vulnerabilities and licensing risks. This video will focus on how to install the plugin and view results within Artifactory.
Aug 11, 2021   |  By WhiteSource
WhiteSource helps organizations accelerate the development of secure software at scale. We provide automated tools that help bridge the security knowledge gap, integrating easily into the software development life cycle and going beyond detection with a remediation-first approach. WhiteSource is built on the most comprehensive vulnerability database in the industry, providing the widest coverage for threats and attack vectors. Our solution helps enterprises like Microsoft, IBM, Comcast, Philips, and many more reduce security risk and increase the productivity of their security and development teams.
Apr 28, 2021   |  By WhiteSource
Vonage automates open source security using developer-focused tools within their native development environment.
Jul 1, 2020   |  By WhiteSource
Behind every developer is a beloved programming language. In heated debates over which language is the best, the security card will come into play in support of one language or discredit another. We decided to address this debate and put it to the test by researching WhiteSource's comprehensive database. We focused on open source security vulnerabilities in C, Java, JavaScript, Python, Ruby, PHP, and C++, to find out which programming languages are most secure, which vulnerability types (CWEs) are most common in each language, and why.
Jul 1, 2020   |  By WhiteSource
We surveyed over 650 developers, and collected data from the NVD, security advisories, peer-reviewed vulnerability databases, issue trackers and more, to gather the latest industry insights in open source vulnerability management.
Jun 1, 2020   |  By WhiteSource
Developers across the industry are stepping up to take more responsibility for their code's vulnerability management. In this report we discuss trends in how security is shifting left to the earliest stages of development, putting developers in the driver's seat. We explore the growth of automated tools aimed at helping developers do more with fewer resources and look for answers on what is needed to help close the gap from detection to remediation.
Jun 1, 2020   |  By WhiteSource
Software development teams are constantly bombarded with an ever-growing number of security alerts. Unfortunately, there is currently no agreed-upon strategy or straightforward process for vulnerability prioritization. This results in a lot of valuable development time wasted on assessing vulnerabilities, while the critical security issues remain unattended.

No component overlooked. WhiteSource identifies every open source component in your software, including transitive dependencies. It then flags known vulnerabilities and enforces license policies throughout the software development lifecycle. The result? Faster, smoother development without compromising on security.

Not all vulnerabilities are created equal. WhiteSource prioritizes vulnerabilities based on whether your code actually reaches the vulnerable functionality, so you know exactly what needs your attention the most. This reduces security alerts by up to 85%, allowing you to remediate the critical issues faster.

Complete Platform:

  • WhiteSource Core: We help you keep things in order. WhiteSource is built to streamline your open source governance. With a full layer of alerting, reporting and policy management, you are effortlessly secure and always in control.
  • WhiteSource for Developers: WhiteSource for Developers is uniquely designed to simplify developers’ work, while keeping the code secure. Its suite of tools helps speed up integration, find problematic components, and remediate them quickly and easily.
  • WhiteSource for Containers: WhiteSource integrates into all stages of the container development lifecycle, including container registries and Kubernetes with automated policy enforcement for maximum visibility and control.

The simplest way to secure and manage open source components in your software.