With modern enterprises relying on software to function, having a process in place to mitigate vulnerabilities in open source code is becoming more important.
Yet, research shows that while almost 99% of audited codebases contain some amount of open source, 50% of enterprises took a week or longer to remediate known OSS vulnerabilities in their code.
Many organizations are trying to manage these vulnerabilities by having researchers notify developers to fix them manually, which is a time-consuming process.
However, open source software remediation solution provider Moderne, and Human Security, a company that protects enterprises from bot attacks, are aiming to simplify the development process by enabling open-source developers and security professionals to automate software security assessment and remediation.
Moderne’s platform grants enterprises and technical decision makers the ability to more reliably, consistently, and cost-effectively mitigate vulnerabilities in the software supply chain, while taking the pressure off developers.
Recipes to repair code vulnerabilities
“Modern software is composed, not written from scratch,” Moderne’s cofounder Jonathan Schneider said. “As components change to improve their APIs or fix vulnerabilities, developers need to restitch new versions into their business applications. It is soul-sucking work that leads to many principal engineer burnouts.”
“Up to 30% of engineering time is spent on this upkeep and the businesses still have static analysis tool reports full of CVEs that they forgo fixing in favor of developing some new functionality,” he added.
“The repeatability of these tasks across organizations, and across repositories within organizations, points to automation. Effectively managing your software supply chain means wrangling the code, not just libraries,” Schneider said.
Moderne addresses these challenges by enabling users to apply OpenRewrite code automation across a large codebase, with ready-made recipes for common framework upgrades, CVE patching and code cleanup. In short, it gives developers the ability to distribute fixes or upgrades in a matter of minutes, so they can focus on more rewarding tasks.
So far, the organization is working with a number of vendors behind popular OSS projects to help them automate upgrades, with the Micronaut team at Oracle providing recipes to migrate from version 2 to version 3 of their framework.
The race to automate code development
Moderne sits loosely in the global DevSecOps market, which researchers expect to reach $11.3 billion by 2027, growing at a compound annual growth rate of 22.3% between 2021 and 2027, as more organizations look to automation to develop secure applications.
While the organization states there is no direct competition to its product, it overlaps with other solutions like Snyk, which offers a platform that can find and automatically fix vulnerabilities in code. Snyk recently expanded into cloud security with its acquisition of Fugue and has raised a total of $775 million to date, following a series F funding round that closed in September last year.
It’s also competing with existing security and developer productivity tools like Coverity and ReSharper, which offer features like issue identification, static code analysis and runtime security, and provide developers with instructions on how to remediate an issue.
However, Schneider argues that Moderne goes a step beyond many of these solutions through its use of “automated code refactoring”: it fixes vulnerabilities automatically rather than leaving them for developers to resolve manually.