We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Secure Your Open Source Components with WhiteSource

Ditsa Keren Technology Researcher

Recently acknowledged by Forrester as the strongest solution for Open Source Security, WhiteSource is an all-in-one licensing, security, quality and reporting solution for managing open source components. In this interview CEO Rami Sass reveals the security challenges faced by open source developers, and explains how WhiteSource makes it all better.

How did WhiteSource come together?

WhiteSource was founded by three co-founders who’ve known each other from a previous company which was acquired by a large corporation in 2009. Back then, we were required to provide accounts for all the open-source components we were using in our software. We didn’t have this account, so we were forced to go out and find all these components, their dependencies and sub-dependencies, licensing and pedigree. Thus, we created a deep review of everything we used to complete the transaction.

Through sheer luck, we were fortunate enough to discover that our software contained no hazardous elements. Nevertheless, we realized that the process we went through was both risky and unnecessarily time-consuming, despite the fact that we were merely following common practices.

Every commercial software being developed has open-source in it which is not being carefully monitored. This is a big gap in the market, and to bridge that gap, we started WhiteSource in 2011.

Around that notion of providing better control over what open-source goes into the proprietary software, the company started with all the normal startup issues. We started in an incubator, moved to product market pitch sales, and continued growing gradually from bootstrap to being self-sustained.

During 2016, market dynamics had shifted, and the rise of awareness to security and vulnerability took off. We started getting a lot of demand, more than we could handle. At that point in 2017, we identified the opportunity, and started a funding round. It was led by 83North, which is a very prominent Israeli venture capital with a strong presence in Silicon Valley, and Microsoft also joined as a strategic investor. Since then, we have continued to grow and today, with over 100 employees and 500 customers, we have a large presence in the US; we have offices in New York City and Boston, mostly doing sales in North America, and an engineering and product development team which is located here in Israel.

What's unique about WhiteSource?

Our product was the first ever to provide continuous, automated control and monitoring of all open-source components consumed by software engineers and embedded as part of their commercial software. It's very easy to deploy and is a lightweight agent. You can integrate it within minutes into your existing pipeline. We support all development environments and servers, so it’s virtually minutes before you can start seeing reports and results about the open-source components that you are using, and which are vulnerable.

We have extensive coverage of over 200 programming languages, frameworks and environments, which is the broadest available in the market today. We divide the world into programming languages that distribute open-source in binary format and source format, and we cover both types extensively and accurately.

We have a very accurate system. We can identify all open-source files that go into your commercial software and match the vulnerable files. Both are not trivial tasks, and we have developed an automated system to do the matching and improve that process to make our system very accurate. When we say you have a vulnerability, you definitely do have a vulnerability because:

  1. We don't miss components and vulnerabilities.
  2. We don't flood you with false positives.

We are in the process of launching our third generation software composition analysis, a market of open-source monitoring and management. It has the ability to identify in your proprietary code where and how you make calls to open-source components, and then identify the calls in your proprietary code that end up causing vulnerable open-source. That enables you to prioritize the vulnerabilities that you want to handle first based on whether or not the vulnerable components have a real, direct impact on your product. We tell you exactly which vulnerable open-source components have relevant impact on your software. We call this Effective Usage Analysis. We analyze the parts of the open-source that are affecting your code, and then help to trace them down to the line of code, making it easier to work around the open-source vulnerability. It will be released in September and has been running in beta for two months and getting fantastic feedback; it’s the next big step in this area.

What is the problem with open source security as opposed to proprietary code?

Open source is not more vulnerable, it's vulnerable in a different way. When you write mistakes in your own code that lead to a vulnerability, you are the only one who knows about it. They normally don't make it public. You have control over your code, and you can fix it directly and be in charge of it. On the open-source side, almost always the vulnerability will be publicly known before you know about it, and you certainly won't be able to solve it yourself. You have to rely on the open-source community to roll out the fixes and patches, and implement them in the way they instruct you.

These are two different types of vulnerabilities that require different toolsets. Open source vulnerabilities are much more prominent and get more attention from hackers because they can learn about them from publicly available external sources and try to exploit them.

How do you see the future of Open source?

Today, open-source is already the majority of calls in commercial applications, and only a minority share is proprietary code. In the next few years software engineering teams will use tools to control the use of open-source before writing a line of code, the same way that they do now for proprietary code. They will have various servers and systems in place. In five years, the same level of control and attention given to proprietary code will be given to open-source code.


About the Author

Ditsa Keren is a cybersecurity expert with a keen interest in technology and digital privacy.
