Last Updated: March 22, 2021

ActiveState Platform Demo: Track Code in your Open Source Applications

Watch a 3-minute demo that shows how you can track your teams’ software development best practices from initial coding through to production.

  • Identify at which step in your SDLC security & compliance issues are resolved
  • Gain insight into how security & compliance issues were resolved
  • Identify unrecognized open source packages, and understand how to identify the risk they may pose

Learn more about the ActiveState Platform for Open Source Languages.

The ActiveState Platform makes it easy to instrument your open-source languages, so you can track the security and compliance of your applications from initial development right through to production.

In this example, I’m tracking three instances of the same application – one that’s already been deployed in production, the next version of the application that the devs are working on, and a third version that’s currently going through QA. You can see that my dev build has three warnings against it. If I drill in, I can see that these three warnings are all associated with one package, Django version 1.11.8, and by the X beside the package name, I can see that this is actually an outdated package. Now if I look at the test build, I can see there are no warnings against it. Drilling in, I can see that rather than replacing or upgrading the Django package, what the devs have chosen to do is to replace it with some Flask components instead.

The other thing to note here is how the number of components change throughout the application’s lifecycle. In the dev build, we started out with 42 components. When I get to test, I only have 26 components, though. That tends to indicate that maybe the devs have been playing with a number of different packages, experimenting to see which ones might fulfill the requirements. When I get to production, however, I only have 25 components, and that seems to indicate probably that maybe a code Linter or test harness has been dropped to shrink the size of this application by the time I get into production, to ensure we have the smallest footprint possible and shrink the attack surface.

Now, one last thing to note is that the dev version of this application has 41 of 42 components recognized. If I drill into dev and scroll down, I can see that the unrecognized component is called Colorama. Further drilling in on Colorama, I can see the reason it’s unrecognized is that there’s no license information found. Now, this can mean one of two things. Either the devs have created some custom code and they’ve called it Colorama, or this actually is an open-source package that somehow had the license information removed. In either case, I want to investigate this further to ensure it’s not going to be an issue and put my organization at risk.

So to recap, the ActiveState platform lets you track exactly how an application involves across your software development lifecycle. As a result, you can verify that best practices are being followed with respect to security and compliance issues before those applications are deployed in production, and you can gain insights and knowledge into just how and when your teams are resolving any issues that crop up across your application lifecycle.