VulnerableCode: Finding FOSS software vulnerabilities with FOSS tools

Comprehensive databases of known FOSS software vulnerabilities are mostly proprietary and privately maintained. But these should be open data – they are, after all, about FOSS code.

“Using Components with Known Vulnerabilities” is one of the OWASP Top 10 Most Critical Web Application Security Risks. Identifying such vulnerable components is hindered by data structures and tools that are (1) designed primarily for proprietary software components and (2) incomplete and too dependent on voluntary submissions to the National Vulnerability Database. With the explosion of FOSS usage over the last decade, we need a new approach to efficiently identify FOSS security vulnerabilities, based on open data and FOSS tools.

With VulnerableCode, we are building FOSS tools to aggregate, correlate, and curate software component vulnerability data from multiple sources and automate the search for FOSS component security vulnerabilities.

The benefit: improved security of software applications with open tools and data for everyone.

SPEAKER: Philippe Ombredanne,
nexB co-founder and CTO
Philippe Ombredanne is a passionate FOSS hacker, the lead maintainer of ScanCode toolkit, and the co-founder and CTO at nexB. He is on a mission to enable easier and safer reuse of FOSS code with best-in-class open source tools for open source discovery, software composition analysis, and license and security compliance.