Phylum Adds Open Policy Agent to Open Source Analysis Engine

Software supply chain security firm Phylum has added the Open Policy Agent (OPA) to its risk analysis engine, increasing flexibility for the creation and enforcement of custom policies on the use of open source software.

Phylum’s policy engine provides security and risk teams greater visibility into the development lifecycle. “Our product analyzes every bit of information we can find about open source packages,” co-founder and CSO Pete Morgan told SecurityWeek. “That includes the code, the authors, OSINT and metadata, and we analyze it for software supply chain risk.”

The result is a risk analysis rather than vulnerability scan of the open source software code. “We can advise our users on how to consume and use open source packages effectively and safely based on the threat model that they have for their software and their company,” Morgan added.

The advantage in automating risk analysis in open source software is that it can go deeper into dependencies with greater efficiency and speed than could be achieved manually. Morgan uses React as an example. “If you browse 100 websites in a day, you’ll almost certainly see React 100 times. It is ubiquitous. When developers consider React, they just install it.”

But, Morgan said the package has somewhere between 2,000 and 7,000 additional dependencies. Each dependency defines the further additional dependencies it needs for itself. “Even the developer of React cannot control the complete dependency graph, because each dependency layer relies on something that another author, or another person or group of people, has defined.”

This, Morgan contends, is a huge problem. Risk could be introduced from any of these layers. “While many developers are aware of the dependency issue, they cannot realistically examine the entire dependency graph. And if they were to attempt it, that would take months. The worst part is by the moment they finish, probably 25% of the dependencies will have changed – and they’d have to start over again.”

Complete risk analysis of open source packages including their dependencies is the purpose of the Phylum engine. Now the firm has made its service more effective with the addition of OPA. 

Part of the difficulty in using OSS is the subjectivity that surrounds it. “If I find a vulnerability, I get to define its severity, and describe it as critical, medium, or low risk. But my subjective opinion might not be valid for all instances. It might not be critical in some environments, or it might be low because of some mitigating security control.”

OPA allows the developers to have purpose-built policies to define what is seen from the Phylum engine in a way that best suits their own purposes.

“The Phylum platform comes equipped with a default policy that detects risks across five domains: software vulnerabilities, license misuse, OSS malware, author risk and reputation, and engineering risk – and blocks attacks,” said Phylum in a statement. “The default policy also allows organizations to comply with software supply chain security regulations in NIST, ISO and more.” 

The addition of OPA adds significant granularity to these policies. “Leveraging OPA, users with more specific requirements can easily write custom policies as needs evolve,” continued the firm. “Policy enforcement significantly limits risk and reduces remediation efforts, while continuous reporting allows organizations to keep more thorough records and document security posture on an ongoing basis.”

Related: Top 10 Security, Operational Risks From Open Source Code

Related: Google’s GUAC Open Source Tool Centralizes Software Security Metadata

Related: U.S. Government, Tech Giants Discuss Open Source Software Security

Related: Malicious NPM, PyPI Packages Stealing User Information