A Better Idea for Managing BFSI Open Source Software Risk


Whether it is J.P. Morgan Chase releasing blockchain code on GitHub, Goldman Sachs’ decision to contribute its Alloy data modelling software, or the shift of ISDA’s Common Domain Model (CDM) to an open model, financial services companies are fast becoming more “open” to Open Source Software (OSS). With every announcement, the availability of open source components increases, creating more compelling reasons to leverage open source. With this comes the need for a more intelligent way to manage the risks.

A recent study found that 100% of the financial services companies surveyed contained OSS and that on average OSS made up 64% of their codebases (OSSRA, 2019).

As organizations use OSS in hundreds or even thousands of applications, there is an increasingly pressing need to gain better visibility into the composition of their software in order to identify and manage risks.

Such risks include:

  • Common Vulnerabilities & Exposures (CVEs) that present security risks
  • Obsolete components that represent technical risks

For financial services firms, the risks are magnified when they leverage tools like Alloy or Quorum, because their systems are typically at a higher risk of attack than those in most other industries.

The task of assessing OSS risk is too challenging to take on manually. And while a variety of products offer to automatically scan OSS code components to detect risks, another challenge arises when these products flag too broad a range of risks to tackle.

So, how do you decide where to focus first? Security? Legal? Technical? Code alone can’t prioritize the risks. That’s where Business Context comes in.


A better way to prioritize and manage Open Source Software risks

CAST Highlight presents information at the portfolio level, enabling technology and business leaders to gain instant visibility into open source risks across their enterprises. 

In addition to the objective data that CAST Highlight gathers via an automated source code scan, it also captures the application’s context within the business via an integrated survey. This helps decision-makers make more informed decisions.


CAST Highlight’s Business Impact metric is calculated based on critical characteristics of the application that cannot be captured by simply scanning source code. Combining this with the Open Source Safety index helps organizations quickly identify where to focus their remediation efforts across large portfolios of applications.

Here are some examples of application characteristics that drive the Business Impact score:

  • How many users does the application have?
  • Does the application service external customers?
  • If the application has an outage, will it impact the organization’s revenue or mission-critical operations?

When these considerations are integrated into the dashboard alongside standard SCA metrics, the result is true Software Intelligence – insights into your software that allow for faster, smarter decision making and the ability to prioritize open source risk mitigation and remediation actions.

An Example: Why it Matters

Let’s take two different applications as an example. Common SCA tools would show you the following types of information:

  • App #1 – 43 Medium Severity Vulnerabilities, 2 High Severity Vulnerabilities
  • App #2 – 12 Medium Severity Vulnerabilities, 1 High Severity Vulnerability

An organization using the most common SCA tools would see this data and likely choose to focus on fixing App #1 as a priority. It is a natural conclusion based on the number of identified vulnerabilities. Teams might even suggest that it is the “educated” decision.

However, let’s now look deeper at these apps using CAST Highlight, which provides additional business impact metrics on top of the vulnerability data above:

  • App #1 – Business Impact Score of 22 out of 100
  • App #2 – Business Impact Score of 94 out of 100

It turns out that App #1 is a small internal system for managing workspaces and App #2 is a core-payments application that touches customers and drives revenues. Now which one seems like the obvious choice to work on first?

Obviously, this is an extreme example to make a point, and it would be easy to make this decision if an IT team member were to look at just the two applications. However, what if the organization, like many banking and financial services companies, has hundreds or thousands of applications? How do they quickly decide where to focus efforts to reduce open source risk?
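As an added illustration (not CAST Highlight’s code and not its actual Business Impact formula), here is one way to turn the two inputs from the example above into a portfolio ranking. The severity weights, the multiplicative combination, and the third application are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Assumed severity weights for illustration only; not taken from any SCA tool.
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}


@dataclass
class AppRisk:
    name: str
    business_impact: int  # 0..100, from the business-context survey
    findings: dict = field(default_factory=dict)  # severity -> count from SCA


def technical_risk(findings: dict) -> float:
    """Weighted count of open-source findings reported by the SCA scan."""
    unknown = set(findings) - set(SEVERITY_WEIGHT)
    if unknown:
        raise ValueError(f"unknown severity levels: {sorted(unknown)}")
    return sum(SEVERITY_WEIGHT[sev] * count for sev, count in findings.items())


def priority_score(app: AppRisk) -> float:
    """Assumed combination: technical risk scaled by business impact (0..100).

    A clean application scores 0 however critical it is, because there is
    nothing to remediate; a low-impact app with many findings is damped."""
    if not 0 <= app.business_impact <= 100:
        raise ValueError(f"business impact out of range: {app.business_impact}")
    return round(technical_risk(app.findings) * app.business_impact / 100, 2)


def rank_portfolio(apps: list) -> list:
    """Highest priority first; ties broken by business impact alone."""
    return sorted(apps, key=lambda a: (priority_score(a), a.business_impact),
                  reverse=True)


# Constructed portfolio: the two apps from the article plus one clean app.
PORTFOLIO = [
    AppRisk("App #1 (internal workspace tool)", 22, {"high": 2, "medium": 43}),
    AppRisk("App #2 (core payments)", 94, {"high": 1, "medium": 12}),
    AppRisk("App #3 (constructed: clean, customer-facing)", 90, {}),
]

if __name__ == "__main__":
    for app in rank_portfolio(PORTFOLIO):
        print(f"{priority_score(app):7.2f}  {app.name}")
```

Counting findings alone puts App #1 first; once business impact is folded in, App #2 ranks ahead despite having fewer vulnerabilities.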

CAST Highlight provides Software Intelligence across the enterprise application portfolio with a business context to help today's leaders make more informed decisions about their critical software assets rapidly.




Alan Hanson & Greg Rivera