Open source components, a significant and important part of commercial software today, are often substantially under-managed. In this interview, WhiteSource VP Marketing Maya Rotenberg describes the scope of this problem and explains how WhiteSource can guarantee the continuity and integrity of open source management.
Please describe the story behind the company: Who founded it, what sparked the idea, and how has it evolved so far?
WhiteSource started in 2011. The co-founders were actually the founders of a previous company that was sold to CA Technologies. They understood that they had no visibility into the open-source components in their application. During the final stages of that acquisition process, they decided to create the first tool that would offer engineering and software development teams a way to have complete visibility of open source components.
This is actually how WhiteSource started. One of the founders, Ramy, took the CEO role. He was also the first developer, salesperson and marketing guy.
We started by building a technology that didn’t exist before. We were the first company to raise awareness among software development teams that were using open source significantly.
Back in 2011, about 40 to 60% of the code base of any application was open source. Today we’re at about 80%. So 80% of the lines written in any application are actually open source, because the mentality is: why reinvent the wheel? If you need something, and it’s not a technology that differentiates you from your competitors, and it doesn’t define who you are, you can just go to GitHub and download whatever you need.
When you have that many open source components in your application, you need to have a way to properly manage them. Because right now, developers are using open source all the time, but they don’t feel responsible for those components. They feel like it’s someone else’s work, they’re just using someone else’s code. They don’t understand that the minute they integrate it, it is theirs. Our tool makes it very simple for developers and managers to have complete visibility and control over open source components in their applications. We cover the security side, the legal side, and the management side. Our tool serves as a one-stop shop for everything related to open source.
We’ve grown significantly since then. We currently have 250 people working at the company. We have our main offices in Tel Aviv, where the focus is on R&D and product, as well as 2 US offices in Boston and New York, which are more focused on sales and customer success.
What would you say are the main problems with open source, third-party scripts?
The main issue is the question of who owns the code and who’s taking responsibility for it. Like I said earlier, developers often refer to open code as someone else’s problem. They don’t understand that the minute they integrate open source, they are actually responsible for it.
The second challenge is that the open-source community is sharing a lot of information, and they’re doing a great job sharing that information, but there’s a concept with open source that says there’s not one hierarchy; there is no uniform process that everyone needs to follow. So when you’re sharing information, you can do it anywhere you want. Whether that be in security forums or personal blogs, information is spreading over millions of data sources. It’s really hard for a developer currently using, for example, Apache Commons, to know all of the security and quality issues in that open-source project, because there’s not one place that aggregates all of the information.
What we want to do is actually connect the user with the open-source community. We do this by aggregating the information from millions of data sources across the open-source community; indexing it into one database; connecting it to the users and understanding what the user is using; and then providing only the relevant information, trying to connect the wealth of information and activity going on in the community with the users on the other side.
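The matching step described in this answer (inventory the components in use, join them against an aggregated advisory index, and surface only the advisories that hit a used version) as an added illustration; this is not WhiteSource's code, and the advisory ids, package names, version ranges and manifest are all constructed sample data.

```python
import re

# Constructed advisory index: package -> advisories with affected version ranges.
# Ids, packages and ranges are made-up sample data, not real advisories.
ADVISORY_INDEX = {
    "examplelib": [
        {"id": "SAMPLE-2020-0001", "affected": ">=1.0,<1.4.2", "fixed": "1.4.2"},
        {"id": "SAMPLE-2019-0007", "affected": "<1.2.0", "fixed": "1.2.0"},
    ],
    "otherlib": [
        {"id": "SAMPLE-2020-0042", "affected": ">=2.0,<2.3", "fixed": "2.3.0"},
    ],
}
# Constructed dependency manifest in requirements.txt style (the "inventory").
SAMPLE_MANIFEST = """
examplelib==1.3.1
otherlib==2.5.0
unlistedlib==0.9
"""

def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so ranges compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def parse_manifest(text):
    """Build the inventory {package: pinned version} from '==' pins."""
    inventory = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)==([0-9.]+)\s*$", line)
        if m:
            inventory[m.group(1).lower()] = m.group(2)
    return inventory

def is_affected(version, spec):
    """True when version satisfies every comparator in a range like '>=1.0,<1.4.2'."""
    v = parse_version(version)
    for part in spec.split(","):
        op, bound = re.match(r"(>=|<=|<|>|==)(.+)", part.strip()).groups()
        b = parse_version(bound)
        ok = {"<": v < b, "<=": v <= b, ">": v > b, ">=": v >= b, "==": v == b}[op]
        if not ok:
            return False
    return True

def find_relevant(inventory, index):
    """Join inventory with index; keep only advisories that hit a used version."""
    findings = []
    for pkg, version in inventory.items():
        for adv in index.get(pkg, []):
            if is_affected(version, adv["affected"]):
                findings.append((pkg, version, adv["id"], adv["fixed"]))
    return findings
```

Running `find_relevant(parse_manifest(SAMPLE_MANIFEST), ADVISORY_INDEX)` reports only the one advisory whose range covers the pinned `examplelib` version; the other `examplelib` advisory, the `otherlib` advisory and the unindexed package are filtered out, which is the "only the relevant information" behaviour the answer describes.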
How has COVID-19 affected your business and industry?
We’re not going to go back to 100% office work as we used to. We did see a big increase in productivity once we moved to work from home. But we also see it as a temporary increase. I think there are three main challenges that we’re coping with in the work-from-home process.
The first challenge is the connection to the team. In R&D we have Zoom rooms that are open all day long for every team. So what we’re asking developers to do is leave their Zoom room open when they’re working, so they can have interactions with other team members whenever they need to. We do it in other teams as well because it’s really important for us to maintain the daily interactions between team members, despite the social distancing.
A lot of people are talking about the savings that they will get from working from home because they need less office space, but it is crystal clear to us that if we are going to move towards work from home, we need to invest more in team building and fun things that will help them connect with each other, because we still need to have that face-to-face interaction; if not in day-to-day work, then we’ll need to find other places for it.
Another challenge, which is related to productivity, is that people are struggling to draw the line between work and home. We found out, even in my team, that people are working non-stop. It might be great for the management at the beginning, but it’s going to be a very bad thing for everyone, employees and management alike, because it will impact the work quality. No one can go on like a robot and work 18 hours a day, nor should we actually want our employees to do that. We’ve been talking to our employees about taking time off and defining times when they are not going to work or take meetings because their motivation is so high they don’t know when to stop. So this is something that managers need to be very alert about.
Another big challenge is onboarding. We are still hiring people. We have open positions in Marketing, Product, R&D, and Strategy. Thankfully, COVID-19 did not impact security as it impacted other verticals, but onboarding a new employee from home is almost impossible. We work very hard on finding the right balance between safe office time with social distancing, and working from home. We’re still working on it and it’s definitely a serious challenge.
What does it take for teams and organizations to implement your tools, given the current situation where people are working from home and relying on third-party tools to do their work?
It is a big thing because up until now, people were thinking about security in one way, and they were thinking about remote work as well, but no one imagined they’d be working on the same network where their kids are playing Minecraft or their spouse does their shopping. That creates a whole other problem.
Since we are in the business of application security, network and endpoint security don’t impact us. WhiteSource is an automated security tool that you need to integrate into your DevOps pipeline, and it runs continuously. The added value that it brings when working from home is that it runs continuously and provides visibility.
I know that visibility is much more appreciated now by managers, especially senior ones, because they don’t need to actually scroll through endless discussions in order to find out what solved the problem; they can just look at the dashboard and understand exactly where they stand. I think this is also the reason why we see GitOps tools getting a lot more recognition these days.
Which trends or technologies do you find to be particularly interesting these days?
As I just mentioned, one very interesting space is GitOps, because it provides software development managers a different level of visibility into their team, so they can really push on productivity. After all, the number one challenge in software development is meeting those very strict deployment times to market. Productivity is a big issue, and I think GitOps tools are providing a new set of capabilities for managers to improve productivity because it’s much easier to fix something when you know where the bottlenecks are.
The next interesting trend is integrating automated security tools. More and more people are understanding the power of automation, which is all about doing something very frequently and continuously. You can understand your trend, your performance, and your current status, and you don’t need to have someone to do periodical tests to know where you stand. I think automated testing is finally getting the credit it deserves.
How do you envision the future of the cybersecurity industry?
I definitely see us growing and expanding into new verticals. After all, open-source adoption has reached its tipping point. Although it’s still growing, it’s already the main component in software applications. I definitely see us expanding our reach beyond open source security and open source licensing, with one goal: helping software development teams better secure their applications without compromising on agility.