Security rules beyond open source
To truly be best-in-class, we need to use rules beyond open source. This topic came up with a customer this week: their view was that they could integrate their own open source rules just as easily, and that we were adding nothing special aside from the workflow. If we want to be best in class in 2019, we will need to pick up some threat intelligence feeds and either OEM rules or invest in our own. Today we are essentially OEM'ing open source rules, such as OWASP ZAP for DAST. These are good, but we need to be much better if we are to compete head-to-head with Fortify and Veracode.

OEM'ing rules is very common in the security industry. For instance, Fortify OEMs both Black Duck and Sonatype, and Checkmarx and IBM OEM WhiteSource. Black Duck and WhiteSource in particular add value because their rules can detect whether the vulnerable open source code is actually used by your application, which goes beyond just checking whether the vulnerable library is present. Their method results in fewer false positives and less noise.
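The difference between library-level and call-level matching is easiest to see in code. The following is an added illustration written for this note, not Black Duck's or WhiteSource's method and not code from any product: it compares a manifest-only check (flag every advisory whose package and version appear in the dependency list) with a reachability check that parses the application source and flags an advisory only if the vulnerable function is actually called. The advisory IDs, package names (`fakelib`, `otherlib`, `cleanlib`), versions and application snippets are all constructed for the example; real advisories express affected versions as ranges rather than the exact-version sets used here, and a static call match like this one does not follow dynamic dispatch or calls made inside the dependency itself, so it is a lower bound on reachability, not a proof of safety.

```python
"""Manifest-only vs. call-level (reachability) matching of vulnerability advisories.

Added example for this note; all advisories, packages, versions and app
sources below are constructed sample data, not real identifiers.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str            # constructed placeholder, not a real CVE/advisory
    package: str                # affected package name
    affected_versions: frozenset  # simplification: exact versions, not ranges
    vulnerable_symbol: str      # "module.function" the advisory says is affected


# Constructed sample advisories and a constructed dependency manifest.
ADVISORIES = [
    Advisory("EXAMPLE-ADVISORY-0001", "fakelib", frozenset({"1.2.0"}), "fakelib.parse_untrusted"),
    Advisory("EXAMPLE-ADVISORY-0002", "otherlib", frozenset({"0.9.1"}), "otherlib.render"),
]
MANIFEST = {"fakelib": "1.2.0", "otherlib": "0.9.1", "cleanlib": "3.0.0"}

# Constructed application sources. APP_A depends on both vulnerable packages but
# never calls fakelib.parse_untrusted; APP_B does call it.
APP_A = """
import fakelib
from otherlib import render as draw

def handler(data):
    return draw(fakelib.normalize(data))
"""
APP_B = """
import fakelib

def handler(data):
    return fakelib.parse_untrusted(data)
"""


def manifest_findings(manifest, advisories):
    """Library-level matching: flag every advisory whose package/version is in the manifest."""
    return sorted(a.advisory_id for a in advisories
                  if manifest.get(a.package) in a.affected_versions)


class _CallCollector(ast.NodeVisitor):
    """Collect fully qualified names of called functions, resolving import aliases."""

    def __init__(self):
        self.aliases = {}   # local name -> qualified module/symbol name
        self.calls = set()  # qualified names of everything called

    def visit_Import(self, node):
        for alias in node.names:
            if alias.asname:                      # import a.b as c  -> c => a.b
                self.aliases[alias.asname] = alias.name
            else:                                 # import a.b       -> a => a
                top = alias.name.split(".")[0]
                self.aliases[top] = top

    def visit_ImportFrom(self, node):
        if node.module is None:                   # relative import; not resolved here
            return
        for alias in node.names:                  # from m import f as g -> g => m.f
            self.aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"

    def visit_Call(self, node):
        qualified = self._qualify(node.func)
        if qualified:
            self.calls.add(qualified)
        self.generic_visit(node)                  # also inspect nested calls in arguments

    def _qualify(self, func):
        # Walk an attribute chain like fakelib.sub.fn back to its root name.
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if not isinstance(func, ast.Name):
            return None                           # e.g. call on a computed expression
        root = self.aliases.get(func.id)
        if root is None:
            return None                           # not an imported name
        return ".".join([root] + parts[::-1])


def reachable_findings(source, manifest, advisories):
    """Call-level matching: flag only advisories whose vulnerable symbol the code calls."""
    collector = _CallCollector()
    collector.visit(ast.parse(source))
    return sorted(a.advisory_id for a in advisories
                  if manifest.get(a.package) in a.affected_versions
                  and a.vulnerable_symbol in collector.calls)


if __name__ == "__main__":
    print("manifest-only:", manifest_findings(MANIFEST, ADVISORIES))
    print("reachable in APP_A:", reachable_findings(APP_A, MANIFEST, ADVISORIES))
    print("reachable in APP_B:", reachable_findings(APP_B, MANIFEST, ADVISORIES))
```

Run stand-alone, the manifest-only pass reports both advisories for either application, while the reachability pass reports only the `otherlib` advisory for APP_A (it calls `render` through the alias `draw`) and only the `fakelib` advisory for APP_B. The first finding for APP_A is exactly the kind of noise the note attributes to library-level matching.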