IT Briefcase Exclusive Interview: Getting the Most Out of Open Source While Managing License Compliance, Risk, and Security
March 4, 2020
In this interview, Kendra Morton, product marketing manager at Flexera, discusses Software Composition Analysis (SCA) trends. Morton leads Flexera’s annual State of Open Source License Compliance report.
- Q. Open source software (OSS) is widely used. What are some top concerns about how an enterprise deploys it?
A. Open source software provides very real benefits and conveniences. It helps increase productivity, improves time to market, and can provide lower cost solutions. It is no more or less secure than proprietary code; each has weaknesses. Open source management is really about creating a well-defined open source strategy and empowering organizations to continue to successfully leverage open source now and in the future. While it is cost-free, it comes with licensing and copyright responsibilities.
Organizations must understand the structural quality of all third-party software used in applications and their dependencies—likely thousands of them. This requires understanding your supply chain, how partners use OSS, entry points (such as containers), graphics libraries, and more. Each carries intellectual property (IP) and needs to be accounted for in a complete, accurate, and current inventory: a software bill of materials (BOM). As open source becomes more pervasive, the possibility for risk increases.
- Q. How aware are organizations about their open source use?
A. Of the scanned codebase files, 45% were attributed to open source components. Only 1% of the issues uncovered were disclosed prior to audit start. Among the security vulnerabilities that the research uncovered, 45% carried a “high” Common Vulnerability Scoring System (CVSS) risk score. The highest severity issues include strong copyleft compliance issues involving the AGPL and GPL, or other important vulnerabilities; these should be remediated immediately, as they represent critical IP and security threats. In an age when security breaches make headline after headline, companies can’t leave vulnerabilities unchecked.
These concerns apply across the board and in a wide range of verticals. Enterprises that embed software into a device or financials, that develop apps, that ship products to customers, or that host applications that expose private or financial information must take precautions around OSS.
- Q. What’s needed to ensure compliance with open source software licenses?
A. In short, vigilance. As enterprises move to be more agile, legal, risk, and development teams must ensure that they’re using safe versions of open source software. Continuous scanning and monitoring throughout the software development lifecycle (SDLC) is crucial. Software Composition Analysis (SCA)—an automated process for discovering and managing risk, security, and compliance—helps organizations leverage OSS safely.
The goals are to manage license compliance, IP, and security risks; maintain code quality and data integrity; and provide transparency and complete visibility into use of open source for stakeholders, executives, partners, and customers. With processes in place for these, it becomes possible to remediate issues quickly and expertly, while minimizing future occurrences.
- Q. What are the elements of software composition analysis (SCA)?
A. Software Composition Analysis is the process of automating the visibility into open source software (OSS) use for the purpose of license compliance, risk management, and security. SCA enables secure risk management of OSS through the supply chain in a number of ways. It scans for license compliance and security vulnerabilities in existing BOM items; provides an accurate, complete BOM for all applications; discovers and tracks all open source; enables a clear, effective path for issue remediation; and provides proactive, continuous open source monitoring. These elements support an organization’s strategy for setting and enforcing policies, while seamlessly integrating code scanning into the build environment.
SCA scans can take different forms. Standard audit analyses identify the top priority (P1) licenses and significantly large third-party components; evidence types included here are explicit P1 licenses, copyrights, exact matches, and binary files. Forensic audit analyses go deeper and find more issues per project; these in-depth, deep level scans examine all evidence types, including emails/URLs, expanded search terms, and source code snippet matches. Targeted audit analyses are customized to meet aggressive timelines, budgetary needs, or target specific areas of the codebase. All scans help prioritize issues, with the goal of creating plans for resolution of those concerns.
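The scan types and evidence types described above can be illustrated with a small scanner. The following Python block is an added example, not Flexera’s product or any code from the interview: it walks a code tree, collects explicit license evidence (SPDX tags, license names in headers, copyright lines) as a standard scan would, optionally collects URLs and e-mail addresses as a forensic scan would, and ranks each file under a hypothetical priority policy in which strong copyleft licenses (AGPL, GPL) are P1. The policy table, the regular expressions, and the sample files are all constructed for illustration and are assumptions of this example.

```python
"""Minimal open source evidence scanner (added example; not Flexera's code).

Builds a BOM-style list of license findings from a source tree and ranks
them under a hypothetical policy so that strong copyleft hits surface first.
"""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Hypothetical policy (assumption, not an industry standard): strong copyleft
# is P1 (remediate immediately), weak copyleft P2, permissive P3.
POLICY = {
    "AGPL-3.0": "P1", "GPL-3.0": "P1", "GPL-2.0": "P1",
    "LGPL-2.1": "P2", "MPL-2.0": "P2",
    "MIT": "P3", "Apache-2.0": "P3", "BSD-3-Clause": "P3",
}

# Evidence patterns. SPDX tags are the explicit evidence; the name patterns
# catch license headers that name the license in prose without an SPDX tag.
SPDX_RE = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.\-+]+)")
NAME_PATTERNS = {
    "AGPL-3.0": re.compile(r"GNU Affero General Public License", re.I),
    "GPL-3.0": re.compile(r"GNU General Public License.*?version 3", re.I | re.S),
    "GPL-2.0": re.compile(r"GNU General Public License.*?version 2", re.I | re.S),
    "LGPL-2.1": re.compile(r"GNU Lesser General Public License", re.I),
    "MIT": re.compile(r"\bMIT License\b", re.I),
    "Apache-2.0": re.compile(r"Apache License,? Version 2\.0", re.I),
}
COPYRIGHT_RE = re.compile(r"Copyright\s*(?:\(c\)|©)?\s*\d{4}[^\n]*", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


@dataclass
class Finding:
    path: str
    licenses: list[str] = field(default_factory=list)
    copyrights: list[str] = field(default_factory=list)
    urls: list[str] = field(default_factory=list)      # forensic scan only
    emails: list[str] = field(default_factory=list)    # forensic scan only

    @property
    def priority(self) -> str | None:
        """Highest priority among detected licenses; a license not in the
        policy table is treated as P1 so that it gets human review."""
        ranks = [POLICY.get(lic, "P1") for lic in self.licenses]
        return min(ranks) if ranks else None


def scan_file(path: Path, root: Path, forensic: bool = False) -> Finding:
    text = path.read_text(errors="replace")
    f = Finding(path=path.relative_to(root).as_posix())
    explicit = set(SPDX_RE.findall(text))
    named = {lic for lic, rx in NAME_PATTERNS.items() if rx.search(text)}
    f.licenses = sorted(explicit | named)
    f.copyrights = [m.strip() for m in COPYRIGHT_RE.findall(text)]
    if forensic:  # deeper evidence types, as in a forensic audit
        f.urls = URL_RE.findall(text)
        f.emails = EMAIL_RE.findall(text)
    return f


def scan_tree(root: Path, forensic: bool = False,
              exts: tuple[str, ...] = (".py", ".c", ".h", ".js", ".txt", ".md")) -> list[Finding]:
    return [scan_file(p, root, forensic)
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix in exts]


def prioritised(findings: list[Finding]) -> list[Finding]:
    """Files with license evidence, highest priority (P1) first."""
    return sorted((f for f in findings if f.licenses), key=lambda f: f.priority)


# Constructed sample tree (not real projects): three vendored components and
# one internal file with no license evidence at all.
SAMPLE_TREE = {
    "vendor/agpl_lib/net.py": "# SPDX-License-Identifier: AGPL-3.0\n"
                              "# Copyright (c) 2019 Example Contributors\nimport socket\n",
    "vendor/gpl_lib/parse.c": "/* This program is free software; you can redistribute it under the\n"
                              "   terms of the GNU General Public License as published by the\n"
                              "   Free Software Foundation, either version 3 of the License.\n"
                              "   Copyright 2015 Jane Doe <jane@example.org> https://example.org/gpl_lib */\n",
    "vendor/mit_lib/util.js": "// MIT License\n// Copyright (c) 2020 Acme\nmodule.exports = {};\n",
    "src/app.py": "# internal code, no license header\nprint('hi')\n",
}


def build_sample_tree(base: Path) -> Path:
    for rel, content in SAMPLE_TREE.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return base


if __name__ == "__main__":
    root = build_sample_tree(Path(tempfile.mkdtemp()))
    for f in prioritised(scan_tree(root, forensic=True)):
        print(f"{f.priority} {f.path}: {f.licenses} {f.copyrights} {f.emails} {f.urls}")
```

Running the block prints the AGPL and GPL files first as P1 and the MIT file last as P3; the internal file has no license evidence and is omitted from the prioritised list. A real SCA tool adds what this does not: dependency-manifest and binary matching, snippet matching against a corpus of known open source, and vulnerability correlation for each component in the BOM.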
- Q. How can companies move forward with their efforts to understand their OSS use and minimize the associated risk?
A. First, have clear company license and security policies. Establishing an Open Source Review Board (OSRB)—with members from your legal, engineering, and product management teams—can help put policies in place and create a reporting structure. Establish stakeholder training to ensure that all parties understand expectations and have a shared knowledge of the organizational risk spectrum. Implement an automated software monitoring and scanning solution, which streamlines and improves the process. Also create vendor programs to better manage third-party and supply chain requirements.
When issues are found, begin remediation. Start with the highest priority, then work through remaining issues. The process is worth it—for you and for the customers who rely on your product.
Kendra Morton, product marketing manager at Flexera, conducts research on Software Composition Analysis (SCA) trends including leading Flexera’s annual State of Open Source License Compliance report. Before joining Flexera, Morton spent more than 15 years at Teradata in a variety of marketing and demand generation roles.