The separation between developers and security professionals has become an important barrier to the accelerated release of secure software products, especially during the increase in cybersecurity threats brought about by the COVID-19 pandemic.

While some organizations expect developers to become security experts, Israeli startup White Source Ltd., a platform that companies such as Microsoft and Comcast Corp. use to secure their open-source software components, believe they don’t have to. WhiteSource’s approach is to protect the development environment by involving the developer only when absolutely necessary.

“We focus on automating as much of the security practice as possible, so basically our main premise is that we want to be the security expert for the engineering team so that they don’t have to,” said Rami Sass (pictured), co-founder and chief executive officer of WhiteSource. “They [developers] can keep doing what they do best. which is develop software and provide more business value to their employer, and we will take care of anything that has to do with security in their software for them.”

Sass spoke with Lisa Martin, host of theCUBE, SiliconANGLE Media’s livestreaming studio, in advance of the AWS Startup Showcase: New Breakthroughs in DevOps, Analytics, and Cloud Management Tools event. They discussed the growing security challenges for the development environment, how WhiteSource differentiates itself from competitors in addressing these issues and the need for application security solutions to go beyond detection. (* Disclosure below.)

Building trust gradually

Founded in 2011, WhiteSource’s solution automatically identifies every open-source component in an enterprise ’s technology stack and looks for vulnerabilities, issuing real-time alerts on risks it detects.

“Then [we] take our users through the journey of finding them, prioritizing them, and fixing the vulnerabilities, such that their software — when it gets released — is not at risk,” Sass said.

While WhiteSource intends to work with and for developers, it knows that breaking down the traditional silos that separate development and security teams requires a major cultural shift that takes time. So, not expecting 100% confidence in its solutions right away the first day, the company takes a step-by-step approach, gradually proving its effectiveness to users.

“[We do this] by first starting with providing advice and allowing them to control the pace at which they automate more of the process,” Sass explained. “So, initially, we will just tell them what they need to do and let them do it themselves until they’ve gained enough experience with our tool to just allow us to take the full cycle for them.”

Perhaps an even more important factor in building trust is that WhiteSource relies heavily on crowdsourcing. Based on its wide range of customers and its continuous monitoring of everything that is happening in the world of open-source projects, the company has compiled a very extensive crowdsourced database, which provides information on what other people are doing with vulnerable open-source dependencies.

“And we can give you a lot of confidence when we see that the broader community of both commercial and free open-source users have upgraded a vulnerable dependency to a safe version and are sticking to the new version,” Sass stated. “Also, when things go bad, [and] we see that many people roll back some change and are avoiding some dependency version, then we will warn you away from upgrading that version.”

Beyond vulnerability alerts

WhiteSource believes it differentiates itself from competitors by going far beyond the vulnerability alert. In addition to detecting problems, it promises to fix it to close the vulnerability loop.

“By investing a lot in automating the remediation, in enabling our tools to close that cycle to finish the job and fix the vulnerability, we enable you to actually gain the value from the various tools that you’re using and make sure that your software is not exposed and not vulnerable,” Sass said.

To get the job done, WhiteSource has developed a deeper analysis that identifies which dependencies are vulnerable and then investigates how developers are using those dependencies. What it has found in the last three years of running this technology with customers on a large number of development projects is that the vast majority of vulnerabilities in open-source dependencies are not accessible from the developer’s code.

In this way, WhiteSource can reduce up to 85% of security alerts by prioritizing vulnerabilities based on whether the client’s proprietary code is using them. This means customers can solve the most critical issues first.

From the beginning, WhiteSource chose Amazon Web Services Inc. to be the infrastructure on which it runs its solution, and that partnership has grown over time. Not only is the company increasingly consuming AWS services, but it is now also integrated with many AWS services, products and technologies. In addition, it’s working closely with AWS as a market partner so that Amazon vendors can co-sell WhiteSource to their customers.

“The synergy is very apparent, very obvious, because both AWS and us sell to the engineering departments and to the DevOps people, so we are catering to the same users, the same customers, the same, even, decision-makers,” Sass stated. “And, so, it’s very easy to understand, and it’s also very easy to tell the better-together story.”

Watch the complete video interview below, and be sure to check out SiliconANGLE’s and theCUBE’s coverage of the AWS Startup Showcase: New Breakthroughs in DevOps, Analytics, and Cloud Management Tools event on September 22. (* Disclosure: White Source Ltd. sponsored this segment of theCUBE. Neither WhiteSource nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE