Software supply chain security firm Phylum has integrated the Open Policy Agent (OPA) into its risk analysis engine, giving security teams more flexibility in creating and enforcing custom policies on the use of open-source software.
The engine provides greater visibility into the development lifecycle and analyses every bit of information about open-source packages, including the code, authors, OSINT, metadata and software supply chain risk.
This results in a risk analysis, rather than a vulnerability scan of the open-source software code, with advice provided on how to consume and use open-source packages effectively and safely based on an organization’s specific threat model.
The advantage of automating risk analysis in open-source software is that it can delve deeper into dependencies with greater efficiency and speed than can be achieved manually. For example, the popular React package has thousands of dependencies, each of which defines further additional dependencies it needs.
Even the developer of React cannot control the complete dependency graph, so the risk could be introduced from any of these layers. While many developers are aware of the dependency issue, they cannot realistically examine the entire dependency graph, as it would take months, and by the time they finish, 25% of the dependencies will have changed.
Phylum’s engine provides complete risk analysis of open-source packages, including their dependencies, with the addition of OPA adding significant granularity to policies. The platform comes equipped with a default policy that detects risks across five domains, including software vulnerabilities, license misuse, OSS malware, author risk and reputation, and engineering risk, and blocks attacks.
The default policy also allows organizations to comply with software supply chain security regulations in NIST, ISO and more. Leveraging OPA, users with more specific requirements can easily write custom policies as needs evolve, and policy enforcement significantly limits risk and reduces remediation efforts, while continuous reporting allows organizations to document their security posture on an ongoing basis.
