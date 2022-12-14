



Open source security has been one of the hottest topics in enterprise security for the past two years. Since the SolarWinds supply chain attack, President Biden's executive order on improving the nation's cybersecurity, and the Log4j debacle, securing the software supply chain has become a top priority.

In an effort to help organizations manage their open source software, Google today announced the launch of OSV-Scanner, a free vulnerability scanner that gives developers access to vulnerability information about the open source projects they depend on, built on Google's OSV.dev database of open source vulnerabilities.

OSV-Scanner lets developers automatically match their project's dependencies against a list of known vulnerabilities and find out whether patches or fixed versions are available.

In effect, it gives security teams a way to automate the discovery of vulnerable dependencies across the software supply chain, so that potential entry points can be patched before attackers have a chance to exploit them.

The release follows Google's launch of the Open Source Vulnerability (OSV) schema and the OSV.dev vulnerability database service last year. It also arrives as organizations struggle to keep up with vulnerability management: companies take an average of 60 days to patch high-risk vulnerabilities.
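To make the matching step concrete, the following is an added example (not OSV-Scanner's code, and not from Google's announcement) that checks a pinned requirements.txt against a few advisories written in the OSV schema. The advisory ids (EXAMPLE-2022-000x), the package names and the requirements content are all constructed for the illustration. The range logic follows the OSV schema's ordered introduced/fixed/last_affected events, but uses a simplified numeric version comparison in place of full PEP 440 or semver ordering.

```python
"""Toy matcher: pinned Python dependencies against OSV-schema advisories.

Illustration only, not OSV-Scanner's own code. Advisories, package names and
the requirements content below are constructed for the example.
"""
import re
from typing import Optional

# Constructed advisories in the OSV schema (hypothetical ids and packages).
ADVISORIES = [
    {
        "id": "EXAMPLE-2022-0001",
        "summary": "Remote code execution via crafted log message",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "example-logger"},
            # Two affected intervals: 2.0.0 <= v < 2.15.0 and 2.16.0 <= v < 2.17.1
            "ranges": [{
                "type": "ECOSYSTEM",
                "events": [
                    {"introduced": "2.0.0"}, {"fixed": "2.15.0"},
                    {"introduced": "2.16.0"}, {"fixed": "2.17.1"},
                ],
            }],
        }],
    },
    {
        "id": "EXAMPLE-2022-0002",
        "summary": "Denial of service in parser",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "example-parser"},
            "versions": ["1.0.0", "1.0.1"],  # explicit enumeration, no ranges
        }],
    },
    {
        "id": "EXAMPLE-2022-0003",
        "summary": "Unpatched issue, every version affected",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "example-unfixed"},
            "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}],
        }],
    },
]

# Constructed lockfile content (pip requirements.txt style, exact pins only).
REQUIREMENTS = """\
# constructed sample input
example-logger==2.14.1
example-parser==1.0.1
example-unfixed==3.2.0
safe-package==9.9.9
"""


def parse_version(text: str) -> tuple:
    """Numeric dotted versions only; pre-release tags are dropped (simplification)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or (0,)


def version_cmp(a: str, b: str) -> int:
    """Compare two version strings numerically, padding with zeros: -1, 0 or 1."""
    pa, pb = list(parse_version(a)), list(parse_version(b))
    width = max(len(pa), len(pb))
    pa += [0] * (width - len(pa))
    pb += [0] * (width - len(pb))
    return (pa > pb) - (pa < pb)


def in_range(version: str, events: list) -> bool:
    """OSV range semantics over ordered events: 'introduced' opens an affected
    interval, 'fixed' closes it exclusively, 'last_affected' closes it inclusively.
    Later events override earlier ones, so walking them in order is enough."""
    affected = False
    for event in events:
        if "introduced" in event and version_cmp(version, event["introduced"]) >= 0:
            affected = True
        elif "fixed" in event and version_cmp(version, event["fixed"]) >= 0:
            affected = False
        elif "last_affected" in event and version_cmp(version, event["last_affected"]) > 0:
            affected = False
    return affected


def first_fix_after(version: str, events: list) -> Optional[str]:
    """Smallest 'fixed' version above the pinned one, i.e. the upgrade target."""
    fixes = [e["fixed"] for e in events if "fixed" in e and version_cmp(e["fixed"], version) > 0]
    return min(fixes, key=parse_version) if fixes else None


def parse_requirements(text: str) -> dict:
    """Return {name: version} from '==' pins; comments and blank lines are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = (s.strip() for s in line.split("==", 1))
        pins[name.lower()] = version
    return pins


def scan(requirements: str, advisories: list, ecosystem: str = "PyPI") -> list:
    """Match each pinned dependency against each advisory. Returns sorted tuples
    of (package, version, advisory id, upgrade target or None)."""
    pins = parse_requirements(requirements)
    findings = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            name = pkg.get("name", "").lower()
            if pkg.get("ecosystem") != ecosystem or name not in pins:
                continue
            version = pins[name]
            hit, fix = version in aff.get("versions", []), None
            for rng in aff.get("ranges", []):
                if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
                    continue  # GIT ranges need commit history; out of scope here
                if in_range(version, rng["events"]):
                    hit = True
                    fix = first_fix_after(version, rng["events"])
            if hit:
                findings.append((name, version, adv["id"], fix))
    return sorted(findings)


if __name__ == "__main__":
    for name, version, adv_id, fix in scan(REQUIREMENTS, ADVISORIES):
        advice = f"upgrade to {fix}" if fix else "no fixed version yet"
        print(f"{name}=={version}: {adv_id} ({advice})")
```

Run stand-alone, the script flags example-logger 2.14.1 (upgrade to 2.15.0), example-parser 1.0.1 (listed explicitly, no fix recorded) and example-unfixed 3.2.0 (no fixed version), and leaves safe-package alone. The real scanner reads lockfiles for many ecosystems and queries the OSV.dev database rather than an embedded list, but the interval semantics of the schema are what decide whether a pinned version is reported.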

For Google, the move is about more than offering a run-of-the-mill vulnerability scanner; it is also a strategic step into the vulnerability management market, which researchers expect to reach a value of $18.7 billion by 2026.

In his announcement blog post, Rex Pan, a software engineer at Google, wrote that the company's plans for OSV-Scanner go beyond building a simple vulnerability scanner: it wants to build the best vulnerability management tools that minimize the burden of remediating known vulnerabilities.

To that end, Google plans to extend the tool with tighter integration into developer workflows via a standalone CI action, scheduled scanning to track newly disclosed vulnerabilities, and broader coverage of C/C++ vulnerabilities in the database.

What sets OSV-Scanner apart?

With OSV-Scanner, Google competes with well-established proprietary providers in the space, such as Tenable, which generated $541 million in revenue last year from vulnerability solutions like Nessus, and Rapid7, which generated $535 million in revenue last year and offers InsightVM, an analytics-driven vulnerability management platform.

Those products provide continuous vulnerability scanning along with configurable reporting, so users can pinpoint exploitable weaknesses across their attack surface.

Pan points out, however, that unlike closed-source advisory databases and vulnerability scanners, OSV-Scanner draws on openly maintained advisory sources such as the RustSec Advisory Database.

This means the wider community can propose corrections to individual advisories, incrementally improving the quality and coverage of the database and, with it, the range of vulnerabilities the scanner can detect.

