Innovative prioritization engine factors in advanced metrics such as business impact and library threat score.
TEL AVIV AND BOSTON – April 13, 2021 – WhiteSource, the leader in open source security and management, today announced the release of its Priority Score technology to help organizations determine which security vulnerabilities pose the greatest risk, and which demand their most immediate attention.
The WhiteSource Priority Scoring technology enables users to assign business impact metrics to different products and projects, and to create automated remediation policies around them. Based on those policies, a priority score between 0 and 100 is then assigned to each security issue in their system, per library or per vulnerability. Security teams can then make informed decisions and set risk-based policies for how urgently each issue must be remediated.
As open source adoption increases, the number of known security vulnerabilities continues to grow every year. Software development and application security teams are increasingly relying on vulnerability detection tools throughout the development process. As a result, teams are often overwhelmed by the steady stream of security alerts that must be addressed. In most cases it’s impossible to fix all vulnerabilities without slowing down the pace of development.
Once vulnerabilities are detected, teams need a way to prioritize them. How can development and security teams make sure they are not wasting valuable time fixing low-priority security issues? WhiteSource research shows that prioritizing open source vulnerabilities based on their analyzed security impact on the software reduces the number of effective open source security vulnerability alerts by a substantial 85%, saving organizations a monthly average of 10 hours per developer.
Apart from business impact, the parameters taken into consideration by the WhiteSource Priority Scoring algorithm include the CVSS score (vulnerability severity), whether the proprietary code actually calls the vulnerable method (effectiveness), availability of a fix, ease of remediation, and malicious package probability.
Business impact is easily preconfigured by the user for each product and project, taking into account factors such as personally identifiable information (PII) or financial data available through the application to those who might try to exploit it. Applications or products containing this type of information present a higher risk factor when they are exploited, hence a higher business impact score.
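To make the interaction of these factors concrete, here is an added example of a risk-based priority score; it is not WhiteSource's code, and the weights, tiers, 0–100 formula and sample findings are all assumptions chosen for illustration. It shows how reachability and per-project business impact can reorder a backlog: a CVSS 9.8 issue whose vulnerable method is never called, in a low-impact project, ends up below a reachable CVSS 6.5 issue in a project that exposes PII, and a probable malicious package with no CVE at all ranks first.

```python
from dataclasses import dataclass

# Assumed business impact multipliers, configured once per product or project
# (e.g. "high" for anything exposing PII or financial data).
BUSINESS_IMPACT = {"low": 0.4, "medium": 0.75, "high": 1.0}
# Assumed ease-of-remediation factors: adopting a drop-in patch release is cheaper
# than a major version bump, so such an issue is more actionable.
REMEDIATION_FACTOR = {"patch": 1.0, "minor": 0.85, "major": 0.7}
NO_FIX_FACTOR = 0.6          # assumed: no upstream fix yet, only mitigations possible
UNREACHABLE_FACTOR = 0.3     # assumed: our code never calls the vulnerable method


@dataclass(frozen=True)
class Finding:
    library: str
    cvss: float              # CVSS base score 0.0-10.0 (0.0 when there is no CVE)
    reachable: bool          # proprietary code calls the vulnerable method ("effectiveness")
    fix_available: bool
    remediation: str         # "patch" | "minor" | "major" (assumed effort tiers)
    malicious_prob: float    # 0.0-1.0 estimated probability the package is malicious
    project_impact: str      # "low" | "medium" | "high", from the project's policy


def priority_score(f: Finding) -> int:
    """Return a 0-100 priority; higher means fix sooner (hypothetical formula)."""
    severity = f.cvss / 10.0
    effectiveness = 1.0 if f.reachable else UNREACHABLE_FACTOR
    # A probable malicious package is urgent regardless of CVSS (it may have none),
    # so it competes with the reachability-adjusted severity instead of adding to it.
    threat = max(severity * effectiveness, f.malicious_prob)
    actionability = REMEDIATION_FACTOR[f.remediation] if f.fix_available else NO_FIX_FACTOR
    score = threat * BUSINESS_IMPACT[f.project_impact] * actionability
    return int(round(100 * min(1.0, score)))


def policy_action(score: int) -> str:
    """Map a score to an assumed automated remediation policy."""
    if score >= 70:
        return "fix now"
    if score >= 40:
        return "fix this sprint"
    return "backlog"


def rank(findings):
    """Findings ordered from most to least urgent."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings (library names and values are made up).
SAMPLE_FINDINGS = [
    Finding("lib-a", cvss=9.8, reachable=False, fix_available=True,
            remediation="patch", malicious_prob=0.0, project_impact="low"),
    Finding("lib-b", cvss=6.5, reachable=True, fix_available=True,
            remediation="minor", malicious_prob=0.0, project_impact="high"),
    Finding("lib-c", cvss=0.0, reachable=False, fix_available=True,
            remediation="patch", malicious_prob=0.95, project_impact="medium"),
    Finding("lib-d", cvss=7.5, reachable=True, fix_available=False,
            remediation="major", malicious_prob=0.0, project_impact="high"),
]

if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        s = priority_score(f)
        print(f"{f.library:6} cvss={f.cvss:4} reachable={f.reachable!s:5} "
              f"score={s:3} -> {policy_action(s)}")
```

Sorting by CVSS alone would put lib-a first; the combined score sends it to the backlog and promotes the reachable finding in the PII-handling project instead. The thresholds in `policy_action` are where a team's own remediation SLAs would go.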
“When an application provides access to financial data or personally identifiable information, its security is considered a higher priority to handle,” said Shiri Arad Ivtsan, Director of Product Management at WhiteSource. “WhiteSource Priority Scoring lets organizations automate remediation, and accelerate secure software product delivery at scale.”