Today, open source software is the fuel powering modern application development, allowing developers to innovative fast.
Why the benefits outweigh the risks
However, open source is not without its problems. Like any software, it is prone to human error and is also heavily targeted by malicious attacks conducted via exploitable vulnerabilities. Risks also arise from licensing requirements that can jeopardize intellectual property, or the use of outdated libraries that place unnecessary demands on developer teams.
But the benefits are highly attractive and clearly outweigh some of the downsides. Therefore, what should organizations do to find a secure and robust way to leverage all the benefits that open source delivers?
This is where our partnership with JetBrains – one of the strongest and most effective developer tools in the market – really comes into its own. Users of JetBrains IntelliJ IDEA Ultimate can now access built-in Checkmarx security thanks to a new bundled plugin that identifies open source risks and helps developers fix them quickly and easily.
Here are our five best practice tips that enables developers using open source software in projects built in IntelliJ IDEA to do so with confidence:
1 - Utilize IntelliJ IDEA’s range of Dependency Analyzer tools
Dependency Analyzer allows developers to get full visibility over dependencies between modules, packages, and classes in their application and highlights information flow. This shows them how changes will propagate through the project and what they will affect. Making full use of all these tools throughout the build process allows developers to build and change projects faster, with fewer bugs and stronger integrity.
2 - Understand licensing requirements
Developers should make sure that they are aware of their organization’s policy on licenses and know which they are permitted to use. These will vary dependent on the type of project being created, so developers should check before they use each open source software (OSS) component because it can be extremely hard to go back and change something once it has been built into a project.
3 - Do your due diligence and choose OSS components with care
There is no silver bullet that says an OSS library will always be safe and secure. Remember, it is code someone else has written so do your due diligence around it. If the library is popular, and actively maintained, it is less likely to introduce problems, whereas libraries that are not actively maintained are more likely to have issues.
4 - Avoid copying and pasting code
If you copy and paste code you must understand exactly how it works and be prepared to support it yourself. If you don’t understand how it works, you will not be able to support it and you won’t know if a vulnerability is associated with it. This makes your project vulnerable too. It is far better to use a library well maintained by someone else.
5 - Get familiar with JetBrains Dependency Checker plugin powered by Checkmarx
It’s a really cool feature added to IntelliJ IDEA and helps you gain confidence in the OSS components used directly or indirectly in your code.
Putting SCA where developers want it
What developers need is visibility over OSS vulnerabilities at the point in which they are pulling them into their code, and that is where the Checkmarx-JetBrains Package Checker Software Composition Analysis (SCA) plug-in comes in. That’s because a good SCA tool scans the code and flags any areas that indicate a security vulnerability. An SCA tool, like Checkmarx, is capable of accurately detecting and identifying the open source components incorporated into a codebase and is built on top of a constantly updated database of vulnerabilities in order to stay current in today’s fast-moving threat environment. Our SCA also provides insights into the vulnerabilities and offers remediation guidance. Additionally, our intelligence database is industry leading in coverage and depth and our research team is constantly uncovering new threats and vulnerabilities. This means we offer the most comprehensive visibility of open source risk in the market today.
This frictionless approach means security becomes an integral part of the development process rather than being tacked onto the end of it, enabling developers to innovate fast – but in a secure way. If you are interested in finding out more, why not download our e-Book: Great Code is Secure code: Best Practices for Using and Securing Open Source Code.
Eylon Saadon, Product Manager & Architect at Checkmarx, and Ilya Pleskunin, Security Support Engineer, JetBrains contributed to this blog and e-Book.