Fixing security vulnerabilities use case

This page provides a strategic introduction to one of our company use cases. Check that link to find the rest of the use cases and learn how we use them as part of our company strategy.

Sponsors

This use case has sponsors who help maintain it. If you have questions or suggestions, you can reach out to them.

Overall vision

Sourcegraph is THE security partner that CISOs and security teams use to assess, implement, and verify security patches across their code. They utilize Sourcegraph to derive insights around the vulnerability impact area and monitor dependencies. (Many other tools focus on alerting, but Sourcegraph is used to close the loop.)

Why this is important

Understanding how to mitigate vulnerabilities in information systems is an intimidating challenge for development teams — especially when dealing with less-known weaknesses, unknown vulnerabilities that have not yet been exploited, and vulnerabilities whose manifestation in the codebase has yet to be determined. High-severity vulnerabilities now take nearly 250 days to remediate (Source: Security Intelligence) and this statistic is startling since, for critical security updates, every hour that goes by increases risk dramatically.

Existing tooling doesn’t enable teams to be agile and effective in their response to security vulnerabilities:

  • Finding the vulnerabilities across scattered codebases takes expensive time and resources
  • Making changes to many repositories requires spreadsheets and manual labor to track and manage pull requests to completion
  • Internal library authors need to enable and sometimes force upgrades
  • The process is cumbersome, unclear, and painful to all involved

The recent Log4j vulnerability is still having a massive impact on developers worldwide. It is a prime example of how challenging it is to create a cohesive response across multiple teams in an org. While Log4j was a widely reported vulnerability with a lot of available remediation tactics, teams all around the world, in multi-million-dollar infrastructure organizations, were left feeling lost and scrambling to implement a fix. Most organizations struggled to search all of their code to determine where the vulnerability existed, how the vulnerable code was being used, and what impact it had on the rest of the codebase. Even after learning that, they were not empowered to patch it in an effective, timely manner.

How we solve this today

The following are real, anonymized quotes from customers today on how we’re already helping them with this use case:

  • “Sourcegraph has also become essential to how the security team can quickly address security risks and root-cause incidents.”
  • “When a potential security issue comes up, I often have to go into another engineer’s project to quickly understand how the code works to understand the critical functions, where the data is flowing, what sort of controls or checks are happening. With Sourcegraph, I can jump into another engineer’s project and quickly explore and better understand the code faster”
  • Using Sourcegraph, the team is fixing vulnerabilities in hours (vs. weeks)
  • Sourcegraph guided users through Log4j vulnerability remediation: “I can’t imagine the pain of having to do this without Sourcegraph” (more in this blog post)

Who benefits

Developer

  • Find, fix, and track affected or vulnerable code

Engineering Leader

  • Access Code Insights and set up Code Monitoring alerts to be notified when risky patterns, secrets, or other known vulnerabilities are introduced into the codebase

Dev Productivity Lead

  • Increased productivity, lower time to remediation

Features that enable this use case

Additional resources

Log4j search notebook

As part of our Log4j mitigation efforts, we used a Search Notebook to demonstrate how to use Sourcegraph to solve this use case. You can see that here.