Open-source security has been one of the hottest topics in enterprise security for the past two years. Ever since the SolarWinds supply chain attack, President Biden's Executive Order on Improving the Nation's Cybersecurity, and the Log4j debacle, securing the software supply chain has been at the top of the agenda.
In an attempt to help organizations manage open-source software, Google today announced the launch of OSV-Scanner, a free vulnerability scanner designed to give developers access to vulnerability information about open-source projects. The scanner draws on Google's OSV.dev database, which the company claims is the largest community-editable database of open-source vulnerabilities.
OSV-Scanner lets developers automatically match their code and its dependencies against lists of known vulnerabilities and identify whether patches or updates are available.
In effect, it gives security teams a tool for automating the discovery and patching of vulnerabilities throughout the software supply chain, so they can eliminate potential entry points before attackers have an opportunity to exploit them.
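The matching step described above, as an added example that is not code from the page or from OSV-Scanner itself: a pinned dependency list is checked against an advisory written in the OSV schema, and for each affected package the first `fixed` version from the advisory's range events is reported, which is what tells a team whether a patch exists. The advisory record, the package name `widgetlib` and the requirements file are all constructed for illustration; a real scanner would fetch the records from OSV.dev instead of embedding them, and would use ecosystem-specific version ordering (PEP 440, semver, and so on) where this example uses a simplified dotted-numeric comparison.

```python
"""Added example: OSV-style dependency matching against an advisory record.
Not OSV-Scanner's own code; the advisory, package names and lockfile below
are constructed sample data."""
import json
import re

# Constructed advisory in OSV schema layout: each "affected" entry names a
# package and gives ECOSYSTEM ranges as introduced/fixed events.
SAMPLE_ADVISORY = json.loads("""
{
  "id": "EXAMPLE-2022-0001",
  "summary": "Example (constructed): unsafe deserialization in widgetlib",
  "affected": [
    {"package": {"ecosystem": "PyPI", "name": "widgetlib"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]}]},
    {"package": {"ecosystem": "PyPI", "name": "widgetlib"},
     "ranges": [{"type": "ECOSYSTEM",
                 "events": [{"introduced": "2.0.0"}, {"fixed": "2.0.5"}]}]}
  ]
}
""")

# Constructed pinned requirements file, the kind of lockfile a scanner reads.
SAMPLE_LOCKFILE = """\
# requirements.txt (constructed sample)
widgetlib==1.3.0
widgetlib-extras==2.0.1
requests==2.28.1
"""


def parse_version(v):
    """Dotted numeric version -> tuple of ints. Simplification: non-numeric
    suffixes are dropped and trailing zeros stripped so 1.4 == 1.4.0. Real
    scanners use the ecosystem's own ordering rules."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_lockfile(text):
    """Return [(name, version)] from 'name==version' lines; comments skipped."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9A-Za-z.]+)", line)
        if m:
            deps.append((m.group(1).lower(), m.group(2)))
    return deps


def version_in_range(version, events):
    """Walk a range's events in listed order (OSV records list them in
    version order): 'introduced' opens an affected interval, 'fixed' or
    'last_affected' closes it, an unclosed interval is open-ended.
    Returns (affected, fixed_version_or_None)."""
    v = parse_version(version)
    opened = None
    for ev in events:
        if "introduced" in ev:
            opened = parse_version(ev["introduced"])
        elif "fixed" in ev:
            if opened is not None and opened <= v < parse_version(ev["fixed"]):
                return True, ev["fixed"]
            opened = None
        elif "last_affected" in ev:
            if opened is not None and opened <= v <= parse_version(ev["last_affected"]):
                return True, None
            opened = None
    if opened is not None and opened <= v:
        return True, None
    return False, None


def match_advisory(name, version, adv, ecosystem):
    """(affected, fixed) for one package version against one advisory."""
    for aff in adv.get("affected", []):
        pkg = aff.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name", "").lower() != name.lower():
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                continue  # GIT ranges need commit history; not handled here
            hit, fixed = version_in_range(version, rng.get("events", []))
            if hit:
                return True, fixed
        if version in aff.get("versions", []):  # explicitly enumerated versions
            return True, None
    return False, None


def scan(lockfile_text, advisories, ecosystem="PyPI"):
    """Match every pinned dependency against every advisory."""
    findings = []
    for name, version in parse_lockfile(lockfile_text):
        for adv in advisories:
            hit, fixed = match_advisory(name, version, adv, ecosystem)
            if hit:
                findings.append({"package": name, "version": version,
                                 "id": adv["id"], "fixed": fixed})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOCKFILE, [SAMPLE_ADVISORY]):
        fix = f"upgrade to {f['fixed']}" if f["fixed"] else "no fixed version listed"
        print(f"{f['package']}=={f['version']}: {f['id']} ({fix})")
```

Only `widgetlib==1.3.0` is flagged: `widgetlib-extras` is a different package name and `requests` has no matching record. Against the live tool the same check is `osv-scanner --lockfile=requirements.txt`, with the advisory data coming from OSV.dev rather than an embedded record.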
Google's moves into the vulnerability management market
The release follows Google's launch of the Open Source Vulnerability (OSV) schema and the OSV.dev vulnerability database service last year, and comes at a time when more organizations are struggling to manage vulnerabilities, with enterprises taking an average of 60 days to patch critical-risk vulnerabilities.
For Google, the move isn't just about offering a run-of-the-mill vulnerability scanner, but about providing a definitive solution that can dominate the vulnerability management market, which researchers expect to reach a value of $18.7 billion by 2026.
"Our plan for OSV-Scanner is not just to build a simple vulnerability scanner; we want to build the best vulnerability management tool — something that will also minimize the burden of remediating known vulnerabilities," said Rex Pan, Google software engineer, in the announcement blog post.
To that end, the vendor plans to extend the tool, offering tighter integration with developer workflows through standalone CI actions that schedule scans and keep track of new vulnerabilities, and building a wider database of C/C++ vulnerabilities.
What differentiates OSV-Scanner?
With OSV-Scanner, Google is competing against a range of established proprietary providers in the space, such as Tenable, which generated $541 million in revenue last year with vulnerability products like Nessus, and Rapid7, which generated $535 million in revenue last year and offers InsightVM, an analytics-driven vulnerability automation platform.
These products offer continuous vulnerability scanning alongside configurable reports, so that users can get an accurate view of potentially exploitable weaknesses across the attack surface.
However, Pan argues that, unlike closed-source advisory databases or vulnerability scanners, OSV-Scanner relies on advisories that come from open sources such as the RustSec Advisory Database.
This means that a wider community of users can suggest improvements to the advisories and raise the quality and coverage of the database over time, offering the potential to detect a wider range of vulnerabilities.