Open source software (OSS) is perhaps as fundamental a technology today as the Internet or the telecommunication network. In most software projects, we do not list the Internet as a requirement; we simply assume it is there and available to us. Today, OSS is equally critical and forms the foundation of any modern software project. HBR estimates OSS to be worth $9T to the software development industry. Software development teams do not so much choose OSS as depend on it, relying on libraries and container images to build and ship software faster. This is evident from the Linux Foundation Open Source Census II, which states that OSS constitutes 70-90% of any modern software solution, including commercial enterprise solutions.

Yet most of our security priorities and investment are targeted only at the code that we produce in-house within our own team. While Software Composition Analysis (SCA) has been a commodity for over a decade now, the emerging risks inherited from OSS are larger than what SCA covers. We explain why in this blog post.
Why Open Source Risks are Larger than SCA Tools
Any software development organisation that is required to ship high quality, secure software to its customers implements an SDLC that enables its team to ship secure software. How do you guarantee the same for the OSS code that you ship with your application?
SafeDep exists to help software development teams safely consume OSS without its associated risks and compliance problems. By doing so we help maintain organizational security standards across all code included in the product, including code inherited from open source.
We are an open source first company. Our primary risk identification and protection tool is free and open source, developed & maintained with community support.
https://github.com/safedep/vet