
Phylum Adds Open Policy Agent to Open Source Analysis Engine

The software supply chain security firm adds the Open Policy Agent to its risk analysis engine, increasing flexibility for the creation and enforcement of custom policies on the use of open source software.

Software supply chain security firm Phylum has added the Open Policy Agent (OPA) to its risk analysis engine, increasing flexibility for the creation and enforcement of custom policies on the use of open source software.

Phylum’s policy engine provides security and risk teams greater visibility into the development lifecycle. “Our product analyzes every bit of information we can find about open source packages,” co-founder and CSO Pete Morgan told SecurityWeek. “That includes the code, the authors, OSINT and metadata, and we analyze it for software supply chain risk.”

The result is a risk analysis rather than vulnerability scan of the open source software code. “We can advise our users on how to consume and use open source packages effectively and safely based on the threat model that they have for their software and their company,” Morgan added.

The advantage in automating risk analysis in open source software is that it can go deeper into dependencies with greater efficiency and speed than could be achieved manually. Morgan uses React as an example. “If you browse 100 websites in a day, you’ll almost certainly see React 100 times. It is ubiquitous. When developers consider React, they just install it.”

But, Morgan said, the package has somewhere between 2,000 and 7,000 additional dependencies. Each dependency in turn defines the further dependencies it needs for itself. “Even the developer of React cannot control the complete dependency graph, because each dependency layer relies on something that another author, or another person or group of people, has defined.”

This, Morgan contends, is a huge problem. Risk could be introduced from any of these layers. “While many developers are aware of the dependency issue, they cannot realistically examine the entire dependency graph. And if they were to attempt it, that would take months. The worst part is by the moment they finish, probably 25% of the dependencies will have changed – and they’d have to start over again.”

Complete risk analysis of open source packages including their dependencies is the purpose of the Phylum engine. Now the firm has made its service more effective with the addition of OPA. 


Part of the difficulty in using OSS is the subjectivity that surrounds it. “If I find a vulnerability, I get to define its severity, and describe it as critical, medium, or low risk. But my subjective opinion might not be valid for all instances. It might not be critical in some environments, or it might be low because of some mitigating security control.”

OPA lets developers write purpose-built policies that define how the Phylum engine’s findings are interpreted and enforced, in whatever way best suits their own environment.

“The Phylum platform comes equipped with a default policy that detects risks across five domains: software vulnerabilities, license misuse, OSS malware, author risk and reputation, and engineering risk – and blocks attacks,” said Phylum in a statement. “The default policy also allows organizations to comply with software supply chain security regulations in NIST, ISO and more.” 

The addition of OPA adds significant granularity to these policies. “Leveraging OPA, users with more specific requirements can easily write custom policies as needs evolve,” continued the firm. “Policy enforcement significantly limits risk and reduces remediation efforts, while continuous reporting allows organizations to keep more thorough records and document security posture on an ongoing basis.”
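To make the kind of custom policy the statement describes concrete, the following Rego policy is an added example written for this page; it is not Phylum’s own policy, and the package name, the shape of `input` (graph, findings, threshold, mitigations) and the severity ranking are all assumptions constructed for illustration. It walks the whole transitive dependency graph with OPA’s `graph.reachable` builtin, blocks outright on any malware finding in that graph, and applies the article’s “mitigating security control” idea by downgrading a network-reachable vulnerability one severity level when the deployment is network-isolated before comparing it against the organisation’s blocking threshold.

```rego
# Hypothetical package name; not Phylum's real policy namespace.
package example.oss_policy

import rego.v1

# ---- Assumed input shape (constructed for this example; not Phylum's schema) ----
# input.root        : name of the project's own package node
# input.graph       : adjacency list {"pkg": ["direct-dep", ...], ...} covering all nodes
# input.findings    : {"pkg": [{"id", "domain", "severity", "tags"}], ...}
#                     domain is one of vulnerability | license | malware | author | engineering
# input.threshold   : lowest severity that should block, e.g. "high"
# input.mitigations : controls in place, e.g. ["network_isolated"]
#
# Example input.json (constructed):
# {
#   "root": "my-app",
#   "graph": {"my-app": ["react"], "react": ["loose-envify"],
#             "loose-envify": ["js-tokens"], "js-tokens": [], "left-pad": []},
#   "findings": {
#     "js-tokens": [{"id": "EX-1", "domain": "vulnerability", "severity": "critical", "tags": ["network"]}],
#     "left-pad":  [{"id": "EX-2", "domain": "malware", "severity": "critical", "tags": []}],
#     "react":     [{"id": "EX-3", "domain": "license", "severity": "medium", "tags": []}]
#   },
#   "threshold": "high",
#   "mitigations": ["network_isolated"]
# }

# Numeric ranking so severities can be compared against the threshold.
rank := {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Every package the root pulls in, however deep in the graph.
reachable := graph.reachable(input.graph, {input.root})

# Malware anywhere in the reachable graph blocks regardless of threshold.
deny contains msg if {
	some pkg in reachable
	some f in input.findings[pkg]
	f.domain == "malware"
	msg := sprintf("%s: malware finding %s blocks the build", [pkg, f.id])
}

# Effective severity: a network-tagged vulnerability drops one level when the
# deployment is network-isolated (a mitigating control). Otherwise unchanged.
effective_rank(f) := r if {
	f.domain == "vulnerability"
	"network" in f.tags
	"network_isolated" in input.mitigations
	r := rank[f.severity] - 1
} else := r if {
	r := rank[f.severity]
}

# Any other reachable finding at or above the threshold, after mitigation, also blocks.
deny contains msg if {
	some pkg in reachable
	some f in input.findings[pkg]
	f.domain != "malware"
	effective_rank(f) >= rank[input.threshold]
	msg := sprintf("%s: %s finding %s at effective severity rank %d",
		[pkg, f.domain, f.id, effective_rank(f)])
}

# Findings on packages the project never actually pulls in are reported, not blocked on.
unreachable_findings contains pkg if {
	some pkg, _ in input.findings
	not pkg in reachable
}

allow if count(deny) == 0
```

Run it with `opa eval -i input.json -d policy.rego "data.example.oss_policy"`. On the constructed input, `js-tokens` is three levels below the root and its critical vulnerability is downgraded to rank 3, which still meets the `high` threshold, so `deny` contains one message and `allow` is false; `react`’s medium license finding falls below the threshold; and `left-pad`’s malware finding lands in `unreachable_findings` because nothing in the graph depends on it. Changing `threshold` or the `mitigations` list changes the verdict without touching the engine’s findings, which is the point of separating policy from analysis.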

Related: Top 10 Security, Operational Risks From Open Source Code

Related: Google’s GUAC Open Source Tool Centralizes Software Security Metadata

Related: U.S. Government, Tech Giants Discuss Open Source Software Security

Related: Malicious NPM, PyPI Packages Stealing User Information

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

