ActiveState Platform Demo: Monitor Risk in your Open Source Code

Watch a 2-minute demo that shows how you can identify the risk level of a Python application, as well as understand the length of time the application has been at risk of being compromised.

  • View a “Bill of Materials” showing all components for each application
  • Understand how high, medium and low severity warnings are generated
  • Identify when an application was first run, and when it first became vulnerable

Learn more about the ActiveState Platform for Open Source Languages.


In this demo, I’m going to show you how the ActiveState platform lets you identify not only which of your applications are running which outdated or vulnerable open-source components, but also how long those applications have been at risk of being compromised. The length of time, of course, is an important factor in assessing risk level.

Now ActiveState’s platform helps you identify the risk level for any application built with open-source languages. Our unique way of instrumenting interpreted languages allows us to create a Bill of Materials for that application. For example, this Python app is currently running 34 different packages. One of the packages has a couple of medium severity warnings against it. The other 33 packages – well, some of them are out of date, as indicated by the X beside the name.

The most concerning thing here, though, is Mistune. If I drill in, hopefully I’ll get some information that there’s a newer version available. In this case, 0.8.3 is actually the latest version available. That information is being pulled directly from the Python package index, so I know I’m always getting an up-to-date view. The medium warnings listed here are being pulled directly from the National Vulnerability Database, but we also pull information from social media sites and developer resources like message boards as well. Now if I scroll down a bit, I can see that Mistune is also being used by JupyterPrint, besides just Jupyter. So it gives me an idea of how widespread this package is in my organization.

Clicking on warnings, I can understand just how long these applications have been vulnerable. In this case, I can see that one of the CVEs was identified late last year, another one early this year. Now if I correlate that date against the first date when my Jupyter application was first run, in this case May 31st, I get a very good idea of just how long this application has been vulnerable and not fixed.

So to recap, the ActiveState platform lets you identify not only which applications are running which components and highlights which ones are updated or vulnerable, but it also gives you insight into just how long those applications have been at risk of being compromised.

Jason