©2021 Reporters Post24. All Rights Reserved.
Open-source security has been one of the hottest topics in enterprise security for the past two years. Ever since the SolarWinds supply chain attack, President Biden’s Executive Order on Improving the Nation’s Cybersecurity, and the Log4j debacle, securing the software supply chain has been at the top of the agenda.
In an attempt to help organizations manage open-source software, Google today announced the launch of OSV-Scanner, a free vulnerability scanner designed to provide developers with access to vulnerability information about open-source projects, which it claims is the largest community-editable database for open-source vulnerabilities.
OSV-Scanner enables developers to automatically match code and dependencies against lists of known vulnerabilities and identify if patches or updates are available.
In effect, it gives security teams a tool for automating the discovery and patching of vulnerabilities throughout the software supply chain, so they can eliminate potential entry points before hackers have an opportunity to exploit them.
Google’s moves into the vulnerability management market
The release comes after Google’s launch of the Open Source Vulnerability (OSV) schema and OSV.dev vulnerability database service last year. And at a time when more organizations are struggling to manage vulnerabilities, with enterprises taking an average of 60 days to patch critical risk vulnerabilities.
For Google, the move isn’t just about providing a run-of-the-mill vulnerability scanner, but providing a definitive solution to dominate the vulnerability management market, which researchers anticipate will reach a value of $18.7 billion by 2026.
“Our plan for OSV-Scanner is not just to build a simple vulnerability scanner; we want to build the best vulnerability management tool — something that will also minimize the burden of remediating known vulnerabilities,” said Rex Pan, Google software engineer, in the announcement blog post.
As a result, the vendor is planning to expand the solution, offering greater integration with developer workflows via standalone CI actions to schedule and keep track of new vulnerabilities, and building a wider database of C/C++ vulnerabilities.
What differentiates OSV-Scanner?
With OSV-Scanner, Google is competing against a range of established proprietary providers in the space, like Tenable, which raised $541 million in revenue last year with vulnerability solutions like Nessus; and Rapid7, which raised $535 million in revenue last year and offers InsightVM, an analytics-driven vulnerability automation platform.
These solutions offer continuous vulnerability scanning capabilities alongside configurable reports so that users can get an accurate view of potential exploits across the attack surface.
However, Pan suggests that, unlike closed-source advisory databases or vulnerability scanners, OSV-Scanner relies on advisories that come from open sources such as the RustSec Advisory Database.
This means that a wider community of users can suggest improvements to the advisory, and improve the quality and coverage of the database over time, offering the potential to detect a wider range of vulnerabilities.