ActiveState today announced it is rebranding and relaunching its product as an open source management platform to help enterprises manage open source complexities, ensure supply chain security, and streamline DevSecOps. The platform, which integrates with existing tools, aims to proactively manage open-source risks by providing tools for discovery, analysis, remediation, and governance.
It offers a centralized dashboard to track open-source usage, policy enforcement, and vulnerability management. The platform also ensures reproducible builds and streamlines upgrades, reducing the burden on developers.
Scott Robertson, ActiveState’s CTO, explained that most people know of ActiveState for its management of open source dynamic programming languages. “That usually became the way they got introduced to ActiveState’s real core vision, which is helping enterprises manage open source, the complexities of open source at scale that included managing licenses, vulnerabilities and doing very complex builds,” he said. “This announcement … is about us taking all of the tooling that we’ve created over the last 20 years and turning that into sets of platforms and tools that they can run themselves in their own environments.”
The driver behind the changes at ActiveState is the fact that software applications today are less secure than they ever have been. Stephen Baker, CEO at ActiveState, said the reason for that is that 96% of all applications contain open source, and malware last year was discovered in 245,000 open source packages, more than three times the amount discovered in the previous three years combined.
Meanwhile, of the organizations that are building and consuming these applications, about 59% have claimed to have taken steps to secure their software supply chains. In spite of that, the cost of targeted software supply chain attacks are expected to double by 2030, to about $140 billion, Baker said. “The root cause of all of this is that organizations are not proactively managing the open source they consume,” he explained. “It is very much a ‘set it and forget it’ mentality. Very rarely [are developers] going to go back in and opening up that application to upgrade the open source that’s been embedded in there. So they’re sort of happy to let this old open source fester and rot and become less secure over time.”
Further, Baker noted that in a recent survey, 81% of developers admitted they have shipped code with known open source vulnerabilities because it’s the fastest path to meeting deadlines and shipping the product.
The stance ActiveState has taken is that organizations need to become much more proactive in how they manage open source, using tools to enforce policies that cause the least amount of disruption to the development process and foster greater collaboration, he said.
The tool chain ActiveState has built to help its customers manage open source consumption is what has been productized and made available today. “We’re now giving the tools to every DevSecOps team to manage their own open source that they’re consuming in a much more scalable format and a much more secure format, in a manner that is going to improve the application security posture, while at the same time, not destroying developer productivity,” Baker said.
The platform is built on automation to provide timely insights into how vulnerable your open source is, and what you need to do to make it less vulnerable, hence eliminating 90% of the undifferentiated heavy lifting that every developer needs to do to research the dependencies, understand how they need to be upgraded and how risky they are, Baker pointed out. “One way to think about it is, it is open source supply chain security in a box. It is a turnkey platform that integrates with existing developer tools in order to help keep the open source current and more secure.”
Among the capabilities of new ActiveState Open Source Management Platform, according to director of product Pete Garcin, are:
- The ability to discover open source as you’re running it, from various sources, and monitor it through a single pane of glass. “Whether that’s scanning your Kubernetes cluster or importing from your GitHub repo or letting you ingest an SBOM (software bill of materials) or a requirements file – however it’s spread across your organization – allows you to aggregate that and collect it so you have that centralized dashboard that shows all the open source that’s running inside my organization and everywhere that it’s running,” he said.
- Tools to help analyze and prioritize the state of the risks in your organization, which show “what vulnerabilities do I have, what licenses do I have, what breakdown by language ecosystems do I have, with a total across your organization of the composition of all your software,” Garcin said.
- Tools for policy and governance, as well as an immutable catalog of open source packages indexed from across the internet. ” With our platform, it’s always reproducible, and you can go back at any point, and that’s combined with policies that allow you to curate that catalog so that you can ensure that anything that people are pulling is always going to be in compliance with whatever sort of governance you put in place.”
Robertson said this capability is the key differentiator between ActiveState and everyone else in the market. “Everybody else is in this kind of reactive model, where developers assemble something, get it all the way through CI/CD, and then they bring in their scanning tools to figure out what they have consumed. We come into play before that. We come in at assembly time. We’re applying all the rules and policies even before it gets into your organization, so that you’re consuming things cleanly at the point where you’re building the application.”
Baker offered a saying to summarize the issue and the solution: “You can’t deny the fact that every organization on the planet is now dependent on open source, and threat actors and cyber attackers are now depending on the lack of organizational controls on open source to plan their next attack.”