A couple of weeks ago, we announced our emergence from stealth, highlighting a significant milestone in the field of open source vulnerability and patch management.
Our story began in 2022. Having been on the receiving end of many current application security solutions in the market, my co-founders and I experienced firsthand the inefficiencies and gaps in open source security. Our understanding deepened when we spoke with over 50 organizations, most of which reported that, although many tools (both free and commercial) are available, they still faced problems properly managing their vulnerabilities. They struggled to scale their patching efforts, which pushed R&D into a cycle of continuous updates and manual processes. This not only required significant time but also diverted their focus from the company's primary goals.
Why is open source vulnerability remediation so challenging?
Security professionals highlighted several critical obstacles:
Vulnerability overload: Organizations face thousands of distinct vulnerabilities across various business units, which accumulate into millions of vulnerable instances once every affected build and deployment is counted.
Incentive Misalignment: The R&D teams responsible for remediation lack the necessary incentives to perform this work.
Process inefficiency: Considerable time is spent identifying the appropriate owner and providing them with remediation guidelines.
Limited remediation options: Typically, the sole strategy is to update the vulnerable component. While this sounds simple, the open source community doesn't have a process for providing standalone security patches. Because the security fix is coupled with the other code changes in a new release, developers must manually review each update (or risk breaking production).
Unpatched transitive dependencies: Organizations are powerless to fix vulnerabilities in transitive dependencies themselves, relying instead on the community to release a fixed version.
We also learned that other security vendors primarily concentrate on helping organizations sift through the multitude of vulnerabilities by offering smarter prioritization, shifting the responsibility for patching to the developers, and assisting the security team in identifying the correct individual to carry out the remediation. However, this approach proves insufficient. Even when organizations manage to de-prioritize 70% of the issues, developers are still overwhelmed by thousands of remaining vulnerabilities, leading to a bloated backlog.
Introducing Seal Security
Given the insights gained, we realized that a significant transformation was necessary for companies to approach the coveted goal of achieving zero vulnerabilities in production. This led us to develop a solution designed to eliminate the need for manual intervention by developers, provide centralized control over the patching process, and relieve security engineers from the task of prioritization.
Our secret sauce
With over 30 years of combined experience in exploiting and mitigating software vulnerabilities, our co-founding team possessed a unique advantage: we had the knowledge of how vulnerabilities typically manifest in code, and we suspected that the majority of patches for these vulnerabilities would not cause breaking changes.
We set out to validate and confirm that over 98% of critical and high vulnerabilities could be patched without introducing breaking changes.
This validation strengthened our confidence in our unique value proposition–enabling organizations to patch vulnerabilities without forcing them to update their software.
This simple concept bypasses many of the issues that exist with the current approach:
Since then, our engineers have developed a sophisticated patching engine that automates many of the manual steps needed to create our standalone security patches, reducing our average patch creation time from 5 hours to 30 minutes.
For most patches, the only human intervention necessary is to verify the automatic testing results and approve them for publishing.
What the remediation process looks like using our solution
Seal Security seamlessly integrates with SCM providers to continuously scan for vulnerable open source components. Our solution facilitates effortless patching through either a CLI addition to the CI/CD pipeline or integration with an organization’s internal artifact server. Upon identifying a vulnerability, developers are notified via an automatic PR, ensuring that the next build is patched seamlessly. This process not only saves resources but also significantly enhances organizational efficiency through enterprise-scale automation.
What’s next?
Our focus remains on providing a solution that integrates seamlessly into existing processes and tools. To that end, here's what you can expect moving forward:
Join us in this revolution
We invite you to be part of this journey. As we deploy our solution across dozens of organizations, including Fortune 100 companies, we remain committed to being SOC2 and ISO27001 compliant.
Join us in this journey. Book a live demo today!