Introducing MergeBase Founding Principles
In this video, MergeBase CTO Julius Musseau shares the reasons and goals for founding MergeBase.
Many companies and software developers don’t realize how much of their system is made from open source software these days. In one of our recent academic contributions, we created a methodology for counting the proportion of open sources in industrial and commercial systems. And as a result, over 95% of the lines of code in the software system came from open-source libraries.
Known vulnerabilities in open source libraries are mechanically reproducible. A bad actor is going to take this vulnerability and try it against your system, then the next system, and then in the next one. It’s a repeatable mechanical process, making it low effort/high reward for the bad actor. That equation makes it more likely that you get attacked when your system has these known vulnerabilities. As we have got a ton of open source in our applications, way more than we realized, what can you do about it? A Software Composition Analysis tool (SCA) is critical to any company’s application security plan and will help you with that.
The purpose of software composition analysis is to find vulnerabilities within the components of your software and help you mitigate the risk. An SCA tool prevents you from inheriting vulnerabilities from the open source libraries on which your product is built.
Many customers doubt that we will not be able to be more accurate than other companies in the market. Even so, we invite them to scan their systems with MergeBase and the other companies and compare the results. Sometimes we see that other companies sometimes find more vulnerabilities than MergeBase. When we do a more accurate analysis of these vulnerabilities it is because they’re reporting false positives. MergeBase provides real-time visibility into the risk of your enterprise applications from vulnerable open source components at every stage of the development process, so you don’t waste time on false positives.
It’s possible to use MergeBase in situations where it isn’t possible to upgrade just one library without a significant amount of effort. We also offer runtime mitigations so that you can surgically address the vulnerability in some cases, directly inside the library.
In the SCA space and in application security, there’s kind of an interesting paradox that happens; where there’s this whole movement and momentum towards shifting left, which is towards fixing the problems as early as possible in the development lifecycle. And yet, what we’re trying to protect is production. Production is where the data is and where the software is running.
MergeBase can address either side. It helps us to address the problems as early in the development lifecycle as possible because that’s where it’s cheapest to fix them and where they need to be fixed anyway. And analyze production systems accurately, showing the actual vulnerabilities in the running system, if it was configured differently, perhaps some additional plugins or libraries were installed later during the process, and more.
For applications for running diploid production applications, you want to make sure the known vulnerabilities aren’t there in the running production system. And in order to analyze them accurately, you need to look at their binaries. It’s the binary that’s actually executing. Therefore, it’s the binary, that’s going to have the known vulnerability in it if it does, indeed have one. MergeBases ability to scan binaries directly is a critical.
MergeBase provides a technical debt report. In this report, we focus on the technical debt, i.e. out-of-date libraries. This is one of the most important forms for application developers to address. Make sure your libraries are up-to-date and replace libraries that are obsolete. Obsolete software is software that is not being maintained anymore. The longer it is not being maintained, the higher the risk something goes wrong, not just from a security perspective, but in general.
MergeBase looks at all the libraries in your system and two aspects of each library. First, it looks at when you last upgraded it. Second, it looks at when the library was last upgraded, like when the development team for that library last published a release of that library.
In this way, we quickly provide a report to you and your developers to help you prioritize your patching and upgrading efforts and avoid accumulating technical debt over time, which often makes it very difficult and costly to run and maintain an application.
Software is built from parts. But there’s a real gap in the software industry because there’s no recall system. There’s no coordinated recall system between the companies building the software and the companies making the parts.
MergeBase implements a part recall system for the software industry. The goal is to get accurate known vulnerability data into the hands of developers as quickly and effectively as possible. Providing them with the information they need enables them to implement that patch and upgrade their safe library without wasting their time.