I recently sat in a presentation where an engineer spoke about performing a security audit, comparing npm audit with the Whitesource software as a service solution.

My mind was humming "a hammer is a hammer" as I listened to my colleague and cross-referenced findings of a recent evaluation of three hammers (NPM audit, Whitesource Bolt, and Whitesource). The evaluation was triggered when our security engineers picked up a discrepancy between security audit scans in our continuous integration pipelines, which we wanted to understand and mitigate.

I'm not going to delve into the evaluation or all three tools, other than highlighting the "npm" in npm audit, that Whitesource Bolt is "free", and why we recommended another hammer. As implied, the first is intended for use with npm packages, and the second is free (and likely not as powerful as the paid solution).

Whitesource leads the way! The Forrester Wave™: Software Composition Analysis, Q2 2019

Why?

Whitesource has a number of features that makes it shine:

  • Supports over 200 programming languages.
  • Supports a wide range of package managers - NuGet, PyPI, npm, .NET Core, and more.
  • Alerts - An aggregated report of all security vulnerabilities, high severity bugs, outdated libraries and policy alerts.
  • Due Diligence - A comprehensive report of all open source components, including all dependencies, with a license reference.
  • Inventory - A comprehensive list of all your open source components, including all dependencies. For each component, you can see its language, description, licenses and occurrences in your products.
  • Risk - An aggregated report showing all your risks due to vulnerable components, copyleft licenses and outdated open source libraries.
  • Security Vulnerabilities - Detailed list of all vulnerable open source components based on severity. You can see the description of each vulnerable component, including a link to the CVE and a link to a fix, if applicable.

Our recommendation was to encourage engineering teams to continue using a combination of npm audit (for teams using npm packages) and Whitesource scans in the continuous integration (CI) pipelines:

  1. Trigger Whitesource as part of all CI builds, including pull request validation builds.
  2. Run a command to download the latest Unified Agent from GitHub, ensuring we are always using the latest engine.
  3. Share the Unified Agent configuration file in a Universal Azure Artifact, ensuring consistent configuration across all pipelines, such as includes, dependency resolution, and ApiKey.
  4. Run a command to trigger the Unified Agent, passing only pipeline specific parameters, such as Product name and Project name.
  5. Assuming we have a clean organizational hierarchy of products and projects, as well as a predefined and prioritized list of policies, WhiteSource will process the scan results and trigger other events:
     • Event 1 - Scan report with list of required approvals.
     • Event 2 - Policies can trigger Azure DevOps (AzDO) integration and create bugs.
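The CI step described in steps 2 to 4, as an added example written for this post (it is not the author's pipeline nor a WhiteSource-provided script). It assumes the shared Unified Agent configuration (which, per step 3, carries the ApiKey and include/resolution settings) has already been downloaded to `$WS_CONFIG` by a preceding pipeline task, so only the product and project names are passed on the command line. The agent download URL, the `-c`, `-product`, `-project` and `-d` switches, and the `WS_*`/`DRY_RUN` variable names are assumptions of this example; verify the URL and switches against the current vendor documentation before relying on them.

```shell
#!/bin/sh
# Added example (not the post author's or WhiteSource's own script): a CI job
# step that fetches the latest Unified Agent, runs it against a shared config
# with only per-pipeline parameters, and keeps npm audit alongside it.
# Assumed environment: WS_CONFIG already downloaded from the artifact feed
# (it contains the ApiKey, so restrict who can read that feed); DRY_RUN=1
# prints the commands instead of running them, which is what the tests use.

WS_AGENT_URL="${WS_AGENT_URL:-https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar}"  # assumed URL
WS_JAR="${WS_JAR:-wss-unified-agent.jar}"
WS_CONFIG="${WS_CONFIG:-wss-unified-agent.config}"
DRY_RUN="${DRY_RUN:-0}"

# Step 2: fetch the latest engine on every build so we never scan with a stale agent.
fetch_agent() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "dry-run: curl -fsSL -o $WS_JAR $WS_AGENT_URL"
    return 0
  fi
  curl -fsSL -o "$WS_JAR" "$WS_AGENT_URL"
}

# Step 4: run the agent, passing only the pipeline-specific parameters.
# $1 = product name, $2 = project name, $3 = directory to scan (default: .)
run_scan() {
  product="$1"; project="$2"; scan_dir="${3:-.}"
  # Fail early with a clear message instead of a Java stack trace later on.
  [ -n "$product" ] && [ -n "$project" ] || {
    echo "usage: run_scan <product> <project> [dir]" >&2; return 2; }
  [ -f "$WS_CONFIG" ] || {
    echo "shared config $WS_CONFIG not found; download it from the artifact feed first" >&2; return 3; }
  if [ "$DRY_RUN" = "1" ]; then
    echo "dry-run: java -jar $WS_JAR -c $WS_CONFIG -product $product -project $project -d $scan_dir"
    return 0
  fi
  [ -f "$WS_JAR" ] || { echo "agent $WS_JAR not found; run fetch_agent first" >&2; return 4; }
  java -jar "$WS_JAR" -c "$WS_CONFIG" -product "$product" -project "$project" -d "$scan_dir"
}

# Companion step for npm-based repositories: run npm audit in the same job and
# fail the build on high-severity advisories (npm's --audit-level flag).
run_npm_audit() {
  scan_dir="${1:-.}"
  [ -f "$scan_dir/package-lock.json" ] || {
    echo "no package-lock.json in $scan_dir; skipping npm audit"; return 0; }
  if [ "$DRY_RUN" = "1" ]; then
    echo "dry-run: npm audit --audit-level=high (in $scan_dir)"
    return 0
  fi
  (cd "$scan_dir" && npm audit --audit-level=high)
}

# Pipeline entry point, guarded so sourcing the file does not start a scan.
# Usage: WS_RUN=1 sh ws-scan.sh <product> <project> [dir]
if [ "${WS_RUN:-0}" = "1" ]; then
  fetch_agent && run_scan "$1" "$2" "${3:-.}" && run_npm_audit "${3:-.}"
fi
```

In an Azure Pipelines job this would sit in a `script` step after the task that downloads the shared configuration from the Universal Package; every repository then differs only in the product and project names it passes, which is what keeps the includes, resolution settings and key consistent across pipelines.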

What's the impact?

It took 5 minutes and 16 seconds to scan 31,006 files. That sounds like a lot of minutes for builds that run as part of pull request pre-merge validation and continuous integration.

However, anyone who has been pulled into one or two live site incident "2AM calls" to investigate a vulnerability will appreciate the due diligence of vulnerability scanning tools. They enable us to detect vulnerabilities early (fail early, fail fast) and help ensure that we can sleep peacefully at 2AM in future.

It also encourages the engineering teams to review their package configurations and determine whether, and why, they really need all the packages that contain those 31,006 files.

What about other hammers?

If you review the Forrester Wave™ SCA Report, you will quickly realize that there are many other hammers. Review them as part of the DevSecOps strategy and use the hammer that suits your organization, rather than the coolest looking one. You have a choice!