Facilitating adoption: open-source security assessment

My team is looking to use Akka Streams, and the Alpakka Kafka connector in particular, for the first time within our organization. And my PM is asking now if this open-source software has gone through any sort of security assessment. He mentioned AppScan. I’m not sure how applicable that is. For me, the tooling that comes to mind is Black Duck’s offerings.

I responded to my PM that another org within our company is already using Akka Streams and Alpakka in production (and on a much larger scale than we plan to), so our manager asking him this question should check with them.

How else might I respond to him? Considering that these libraries are commercially supported by Lightbend, surely there are Lightbend customers who have asked a similar question.

We use WhiteSource to track licenses and potential security vulnerabilities in dependencies of our projects. Is that enough of an answer?


That’s the better part of what I was looking for. Thanks.

What about the source of the projects themselves?

I’m not sure static analysis tools would help us much; those are most often targeting end user applications and rather validate not using, for example, web frameworks in dangerous ways (passing strings all the way from user input back to some RDBMS leading to SQL injection vulnerabilities, for example), while we provide those APIs rather than use them. Looking back at the few vulnerabilities we have had, I don’t think a static tool would have caught any of those. I might be wrong though.

Currently careful peer reviewing (we never merge unless two team members ok a PR) combined with the eyes of the community is our current protection against this.

We are keeping our eyes open in this area though.

OK, I can see how the vulnerability of the source itself is a nebulous question.

Anyway, it looks like my higher-ups are satisfied with your collective answer. Big thanks!