Why Great Code is Secure Code

Today, open source software is the fuel powering modern application development, allowing developers to innovate fast.

With ready-made components, open source enables developers to cost-effectively meet commercial goals and tackle backlogs. It saves them time and money developing and maintaining their infrastructure, eliminating the need to start from scratch. In fact, in today’s digital environment, open source code can be found throughout the codebases of almost every organization. On this point, research by analyst firm ESG found that 80% of survey respondents reported significant use of open source software, with 43% saying more than half of their codebase is composed of open source. Likewise, according to Statista Intelligence, in 2020 JavaScript developers globally downloaded over one trillion open source packages from the Maven Central Repository. By the end of 2021, the volume reached 1.5 trillion, a 50 percent year-over-year increase.

Why the benefits outweigh the risks

However, open source is not without its problems. Like any software, it is prone to human error and is also heavily targeted by malicious attacks conducted via exploitable vulnerabilities. Risks also arise from licensing requirements that can jeopardize intellectual property, or the use of outdated libraries that place unnecessary demands on developer teams.

But the benefits are highly attractive and clearly outweigh the downsides. So what should organizations do to find a secure and robust way to leverage all the benefits that open source delivers?

This is where our partnership with JetBrains – maker of some of the strongest and most effective developer tools on the market – really comes into its own. Users of JetBrains IntelliJ IDEA Ultimate can now access built-in Checkmarx security thanks to a new bundled plugin that identifies open source risks and helps developers fix them quickly and easily.

Here are our five best practice tips that enable developers using open source software in projects built in IntelliJ IDEA to do so with confidence:

1 – Utilize IntelliJ IDEA’s range of Dependency Analyzer tools

Dependency Analyzer allows developers to get full visibility over dependencies between modules, packages, and classes in their application and highlights information flow. This shows them how changes will propagate through the project and what they will affect. Making full use of all these tools throughout the build process allows developers to build and change projects faster, with fewer bugs and stronger integrity.

2 – Understand licensing requirements

Developers should make sure that they are aware of their organization’s policy on licenses and know which they are permitted to use. These will vary depending on the type of project being created, so developers should check before they use each open source software (OSS) component, because it can be extremely hard to go back and change something once it has been built into a project.

3 – Do your due diligence and choose OSS components with care

There is no silver bullet that says an OSS library will always be safe and secure. Remember, it is code someone else has written, so do your due diligence around it. If the library is popular and actively maintained, it is less likely to introduce problems, whereas libraries that are not actively maintained are more likely to have issues.

4 – Avoid copying and pasting code

If you copy and paste code you must understand exactly how it works and be prepared to support it yourself. If you don’t understand how it works, you will not be able to support it and you won’t know if a vulnerability is associated with it. This makes your project vulnerable too. It is far better to use a library well maintained by someone else.

5 – Get familiar with JetBrains Dependency Checker plugin powered by Checkmarx

It’s a really cool feature added to IntelliJ IDEA that helps you gain confidence in the OSS components used directly or indirectly in your code.

Putting SCA where developers want it

What developers need is visibility over OSS vulnerabilities at the point at which they are pulling components into their code, and that is where the Checkmarx-JetBrains Package Checker Software Composition Analysis (SCA) plug-in comes in. A good SCA tool scans the code and flags any areas that indicate a security vulnerability. An SCA tool like Checkmarx accurately detects and identifies the open source components incorporated into a codebase, and is built on top of a constantly updated database of vulnerabilities in order to stay current in today’s fast-moving threat environment. Our SCA also provides insights into the vulnerabilities and offers remediation guidance. Additionally, our intelligence database is industry leading in coverage and depth, and our research team is constantly uncovering new threats and vulnerabilities. This means we offer the most comprehensive visibility of open source risk in the market today.
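To make the mechanics concrete, here is a small Python example (added for this article; it is not Checkmarx or JetBrains code) of what an SCA tool does underneath: it reads the components a project declares, resolves the ones they pull in transitively (the "directly or indirectly" of tip 5), and matches every resolved component against an advisory database by coordinates and affected version range. The pom.xml fragment, the transitive dependency map, the advisory identifiers (ADV-EXAMPLE-*) and the component names are all constructed for the illustration; a real SCA tool takes the resolved tree from the build and its advisories from a continuously updated feed.

```python
"""Minimal software composition analysis (SCA) matcher: resolve a Maven
dependency tree, then match each component against an advisory database
keyed by coordinates and affected version ranges. Example code; all data
below is constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment for a project with two direct dependencies.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.example.web</groupId>
      <artifactId>web-framework</artifactId>
      <version>2.3.1</version>
    </dependency>
    <dependency>
      <groupId>org.example.util</groupId>
      <artifactId>string-utils</artifactId>
      <version>1.9.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed stand-in for the resolved dependency tree a build tool would
# produce: each coordinate maps to the coordinates it pulls in transitively.
TRANSITIVE = {
    "org.example.web:web-framework:2.3.1": ["org.example.json:json-parser:1.4.2"],
    "org.example.json:json-parser:1.4.2": ["org.example.util:string-utils:1.9.0"],
}

# Constructed advisory database (a real tool uses a continuously updated feed).
# A range is [introduced, fixed): the fixed version itself is safe.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "coord": "org.example.json:json-parser",
     "introduced": "1.0.0", "fixed": "1.4.3", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "coord": "org.example.util:string-utils",
     "introduced": "1.0.0", "fixed": "1.8.0", "severity": "medium"},
    {"id": "ADV-EXAMPLE-0003", "coord": "org.example.web:web-framework",
     "introduced": "2.0.0", "fixed": "2.4.0", "severity": "critical"},
]

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def version_key(version):
    """Turn '1.4.2', '1.4' or '2.3.1-beta' into a sortable key: numeric parts
    compare as integers ('1.10' > '1.9'), '1.4' equals '1.4.0', and a
    qualified version such as '2.3.1-beta' sorts below the bare release."""
    nums, qualifier = [], None
    for part in re.split(r"[.\-]", version):
        if part.isdigit() and qualifier is None:
            nums.append(int(part))
        else:
            qualifier = part if qualifier is None else qualifier + "-" + part
    while len(nums) < 3:
        nums.append(0)
    return (tuple(nums), (1, "") if qualifier is None else (0, qualifier))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = version_key(version)
    return version_key(introduced) <= v < version_key(fixed)


def parse_direct_dependencies(pom_xml):
    """Return the dependencies declared in a pom.xml as 'group:artifact:version'."""
    root = ET.fromstring(pom_xml)
    coords = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        g = dep.findtext("m:groupId", namespaces=NS)
        a = dep.findtext("m:artifactId", namespaces=NS)
        v = dep.findtext("m:version", namespaces=NS)
        coords.append(f"{g}:{a}:{v}")
    return coords


def resolve_tree(direct, transitive):
    """Breadth-first walk of the dependency graph; records the shortest path
    from a direct dependency to every component reached."""
    paths, queue = {}, [(c, [c]) for c in direct]
    while queue:
        coord, path = queue.pop(0)
        if coord in paths:
            continue
        paths[coord] = path
        for child in transitive.get(coord, []):
            queue.append((child, path + [child]))
    return paths


def scan(pom_xml, transitive=TRANSITIVE, advisories=ADVISORIES):
    """Match every resolved component against the advisory database and
    report each hit with how it is reached and the version that fixes it."""
    paths = resolve_tree(parse_direct_dependencies(pom_xml), transitive)
    findings = []
    for coord, path in paths.items():
        group, artifact, version = coord.rsplit(":", 2)
        for adv in advisories:
            if adv["coord"] != f"{group}:{artifact}":
                continue
            if is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({
                    "advisory": adv["id"], "severity": adv["severity"],
                    "component": coord,
                    "reach": "direct" if len(path) == 1 else "transitive",
                    "path": path,
                    "fix": f"upgrade {artifact} to {adv['fixed']} or later",
                })
    return findings


if __name__ == "__main__":
    for f in scan(POM_XML):
        via = " -> ".join(f["path"])
        print(f"[{f['severity']}] {f['advisory']} in {f['component']} "
              f"({f['reach']}: {via}); {f['fix']}")
```

Two things the run shows that the prose alone does not: the vulnerable json-parser is never named in the pom.xml, so only tree resolution surfaces it, and string-utils at 1.9.0 is listed in the advisory database but correctly reported clean because the version comparison is numeric rather than lexical.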

This frictionless approach means security becomes an integral part of the development process rather than being tacked onto the end of it, enabling developers to innovate fast – but in a secure way. If you are interested in finding out more, why not download our e-Book: Great Code is Secure Code: Best Practices for Using and Securing Open Source Code.

Eylon Saadon, Product Manager & Architect at Checkmarx, and Ilya Pleskunin, Security Support Engineer at JetBrains, contributed to this blog and e-Book.
