What is our primary use case?
We needed a tool to ensure that we are not using vulnerable libraries or open-source libraries with a copyleft license. We integrated WhiteSource with our repositories and CI server and set up automated policies to reject copyleft licensed libraries because our legal department doesn't allow them. We also have it open Jira issues automatically when a vulnerable library is detected and assign it to an engineer so we can shorten our response time to vulnerabilities detected in our applications. It integrates nicely with our existing workflow.
How has it helped my organization?
The best thing is that it changed the mindset of our developers. They are now more aware and proactive when it comes to the security risks in open source vulnerabilities and the need to update packages from time to time.
It gives us full visibility into what we're using, what needs to be updated, and what's vulnerable, which helps us make better decisions.
The WhiteSource prioritization feature provides us with the greatest value as it has cut down the number of security alerts by about 90%. It is only relevant for Java and JS for now, but we understand more is yet to come. This has saved us a lot of time.
What is most valuable?
WhiteSource is very accurate and covers all of our languages (including C++).
WhiteSource Prioritize is amazing. If we are using a vulnerable library, it shows us if we are actually using the vulnerable method or not. This saves us a lot of time that we can instead invest in other projects.
It also does a great job of automating many activities we used to do manually. Now the system does it for us and it generates a great security dashboard that shows us whether our remediation velocity is improving or not.
What needs improvement?
We are currently using WhiteSource Prioritize for Java and it cuts our vulnerability alerts by almost 90%. However, Prioritize doesn't cover Python or other languages at this point, and our developers are required to deal with many open source security alerts. The problem is that now our developers are aware that most open source security alerts are not impacting the security of their applications, and it's harder to get their cooperation. We are waiting for WhiteSource to announce support for Python and other languages.
For how long have I used the solution?
We have been using WhiteSource for almost a year.
What do I think about the stability of the solution?
From my experience, WhiteSource is pretty solid.
How are customer service and technical support?
We had a problem with a new library that their engine didn't process. I wrote them an email and got a response within an hour. Two days later they added it to their system.
They provide accurate results and our customer success manager is great.
No complaints so far.
Which other solutions did I evaluate?
We tested Black Duck as well, but it produced quite a lot of false positives.
What other advice do I have?
The good thing is that their product just keeps getting better. They are very attentive to their customers.
All in all, if you care about security, this product is a must. We all love open source, but I was always afraid of the headache in handling all the licensing/updates/vulnerabilities. The peace of mind we have now is a total game-changer.
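The "reject copyleft libraries" policy from the use-case section above, as an added example that is not the reviewer's or WhiteSource's own code: a small CI gate that evaluates each component's SPDX license expression against a deny-list and exits non-zero on a hit. The license sets are a hypothetical legal policy, the package names and inventory are constructed, and the SPDX alias map and fail-closed handling of NOASSERTION are design choices of this example.

```python
"""CI license-policy gate over a dependency inventory.
Added example, not WhiteSource's code: the review's "reject copyleft" policy as a
check that evaluates each component's SPDX license expression against a deny-list.
License sets, package names and the inventory are constructed for the example."""
import re

# Hypothetical legal policy: strong copyleft denied; weak copyleft kept separate
# so a stricter policy can add it.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0"}
# Deprecated SPDX spellings still common in package metadata; without this map a
# deny-list that knows "GPL-2.0-only" would let "GPL-2.0" or "GPL-2.0+" through.
ALIASES = {"GPL-2.0": "GPL-2.0-only", "GPL-2.0+": "GPL-2.0-or-later",
           "GPL-3.0": "GPL-3.0-only", "GPL-3.0+": "GPL-3.0-or-later",
           "LGPL-2.1": "LGPL-2.1-only", "LGPL-2.1+": "LGPL-2.1-or-later",
           "LGPL-3.0": "LGPL-3.0-only", "AGPL-3.0": "AGPL-3.0-only"}
OPERATORS = {"AND", "OR", "WITH"}
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")

# Constructed inventory (CycloneDX-style component records, fictional packages).
COMPONENTS = [
    {"name": "fastjson-utils", "version": "1.2.3", "license": "Apache-2.0"},
    {"name": "dualdb", "version": "4.0.1", "license": "MIT OR GPL-2.0-only"},
    {"name": "netcore", "version": "2.7.0", "license": "GPL-3.0-or-later"},
    {"name": "bundle-x", "version": "0.9.0", "license": "MIT AND LGPL-2.1-only"},
    {"name": "mystery", "version": "1.0.0", "license": "NOASSERTION"},
]

def tokenize(expr):
    """Split an SPDX expression into parentheses, operators and license IDs."""
    return [t.upper() if t.upper() in OPERATORS else t
            for t in TOKEN_RE.findall(expr)]

class Policy:
    def __init__(self, denied, allow_unknown=False):
        self.denied = set(denied)
        self.allow_unknown = allow_unknown  # fail closed on NOASSERTION by default

    def license_ok(self, lic):
        if lic in ("", "NONE", "NOASSERTION"):
            return self.allow_unknown
        return ALIASES.get(lic, lic) not in self.denied

    def expression_ok(self, expr):
        """OR passes if any branch is acceptable (dual licensing lets us take the
        permissive option); AND needs every branch; 'WITH exception' is ignored,
        which keeps the gate conservative."""
        tokens = tokenize(expr)
        if not tokens:
            return self.allow_unknown
        pos = 0

        def take():
            nonlocal pos
            pos += 1
            return tokens[pos - 1]
        def peek():
            return tokens[pos] if pos < len(tokens) else None
        def parse_or():
            ok = parse_and()
            while peek() == "OR":
                take()
                ok = parse_and() or ok  # operand parsed before short-circuiting
            return ok
        def parse_and():
            ok = parse_primary()
            while peek() == "AND":
                take()
                ok = parse_primary() and ok
            return ok
        def parse_primary():
            tok = take()
            if tok == "(":
                ok = parse_or()
                if take() != ")":
                    raise ValueError("unbalanced parentheses in %r" % expr)
                return ok
            if tok in OPERATORS or tok == ")":  # malformed input must not pass
                raise ValueError("unexpected %r in %r" % (tok, expr))
            if peek() == "WITH":
                take()
                take()  # drop the exception identifier
            return self.license_ok(tok)

        result = parse_or()
        if pos != len(tokens):
            raise ValueError("trailing tokens in %r" % expr)
        return result

def violations(components, policy):
    """Return (name, version, license) for every component the policy rejects."""
    return [(c["name"], c["version"], c["license"])
            for c in components if not policy.expression_ok(c["license"])]

if __name__ == "__main__":
    bad = violations(COMPONENTS, Policy(STRONG_COPYLEFT))
    for name, version, lic in bad:
        print("DENY %s@%s: %s" % (name, version, lic))
    raise SystemExit(1 if bad else 0)  # non-zero exit fails the CI job
```

Two points a practitioner would check in a gate like this: a dual-licensed package ("MIT OR GPL-2.0-only") should pass because the permissive alternative can be chosen, while a component with no license assertion should fail until someone resolves it, otherwise unknown licenses silently slip through the same policy the legal department asked for.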