Ratings for Open Source Projects Aim to Make Software More Secure

Two companies have teamed up to rate open source projects, but can adopting repository ratings help developers make better decisions regarding open source?

Most developers choose an open source project based on a combination of how well the software suits the task at hand, whether the developers of the project are active, and whether the project has a good reputation. Yet, with vulnerabilities in open source components a key security problem for software teams, finding better metrics to inform choices is necessary, according to software tool makers.


On July 27, two companies — open source project management firm Snyk and development services firm xs:code — announced they have teamed up to provide a browser plug-in that will give developers important metrics by which to gauge the security of open source projects. The tool, Insights, displays metrics — such as a health score and the number of vulnerabilities known to be in the component — to developers, as well as a measure of the development activity for the project.


The goal is to give developers information before they commit to using a project, says Chen Ravid, co-founder and head of product for xs:code.


"Security being such a big issue right now, and companies are more and more aware that open source can be problematic because of security issues," he says. "And there is no clear responsibility for security issues in open source products — the maintainers are not always very focused on security."


The release of the tool comes as developers are increasingly being warned about the potential for vulnerabilities that undermine the security of their software.


Modern software relies on open source components. The average program has 445 open source components and more than ..
