An Open Source Risk Sherpa

by

Finding a Safer Path Through Open Source Risks

Open source software (OSS) has clearly become ubiquitous with over 70% of applications utilizing open source components according to Gartner. Although this is helping organizations dramatically reduce the time to market of delivering software, Common Vulnerabilities and Exposures (CVEs) within OSS components continue to be a significant risk. For example, the Heartbleed vulnerability affected over 66% of all active websites in the world with an estimated cost of almost $500 million to fix it.

Software Composition Analysis (SCA) products such as CAST Highlight automate the analysis and detection of OSS risks in enterprise software applications to help provide insight on how to reduce the security and legal risks associated with using open source components. Recent innovations in CAST Highlight such as the Portfolio Advisor for Open Source will even automatically recommend where to focus attention on the most serious risks across hundreds or even thousands of applications. But, the best path to take when remediating unsafe OSS components is not always clear – until now. The latest product release of CAST Highlight has introduced the innovative OSS Safe Component Version Recommender that automatically recommends the best remediation path to take for unsafe OSS components…it’s like having an open source “Sherpa” giving you expert guidance on how best to navigate OSS risks.

Guidance from a Sherpa

The term “Sherpa” originates from the Tibetan ethnic groups native to the many mountainous areas of Nepal. This group became regarded as expert mountaineers and were often called on as guides for travelers attempting to climb the mountains of the Himalayan region, especially Mount Everest, the highest mountain on earth. Today, the term Sherpa has become synonymous with someone acting as an elite guide or mentor in other situations including international negotiations such the G20 Summit.

This metaphor also works well when considering the treacherous task of navigating unsecure open source software components. When discovering an OSS component has critical CVEs, organizations often struggle with the enormous number of options to pursue to remediate the unsafe component. It’s akin to deciding on the best path to take when climbing the largest mountains on the planet. There could be dozens of newer versions of an unsafe component to utilize. Can you imagine having to make these decisions across hundreds or thousands of applications in a typical enterprise application portfolio? The new CAST Highlight OSS Safe Component Version Recommender acts as a Sherpa and automatically recommends safe upgrade paths for unsecure OSS components.

Automated Recommendations for Safer Open Source

When CAST Highlight detects a critical CVE in your application portfolio, the new OSS Safe Component Version Recommender now acts like a Sherpa and automatically recommends a couple of different paths to take:

  • Safer and Closest: A recommendation on a safer version to upgrade to that is closer to the current component version in use since it is not always easy to upgrade to a much newer version immediately (it’s like a Sherpa breaking up a long mountain climb into shorter more manageable segments to reach the peak).
  • Safest: A recommendation on the safest component version that you should ultimately try to adopt (it’s the Sherpa’s ultimate path to the peak).

safer-oss-component

CAST Highlight continues to innovate by delivering automated software intelligence insights and guidance, taking the guesswork out of making better decisions across your application portfolio. See below for some of the other innovations included in the Summer 2022 product release of CAST Highlight.

What’s new in CAST Highlight?

OSS Safe Component Version Recommender

OSS Safe Component Version Recommender

Speed up the process of remediating vulnerable open source components across your application portfolio with automatic recommendations on safer versions of components to adopt.

Shadow
OSS License Compatibility Reporting

OSS License Compatibility Reporting

Reduce license compliance risk by defining a license compatibility model at the portfolio level that automatically checks and reports possible license conflicts between components and dependencies within an application.

Shadow
Discussion Threads on Application Results

Discussion Threads on Application Results

Collaborate and track team member notes on applications across your portfolio directly in the CAST Highlight user interface with automatic email notifications when users are mentioned in a discussion thread.
Read more about this feature

Shadow
Enhanced Default OSS License Risk Profile

Enhanced Default OSS License Risk Profile

Improve accuracy and flexibility of default license risk levels that are now based on the recently released license rulebook capability. Additionally, generate custom license risk profiles automatically across application portfolios or for specific applications.
Read the default license risk profile change notice
See how to automatically generate license risk profiles based on license rulebooks

Shadow
Scala support for Software Health


Scala support for Software Health

Improve technology coverage with 30+ new code insights for Software Health (resiliency, agility, elegance) for Scala.
See technology coverage

Shadow
Many other feature improvements


Many other feature improvements

The product team also took the opportunity with this new release to introduce many additional feature improvements such as: expanded Google Cloud service recommendations, an improved portfolio-level OSS License dashboard, easier/lighter SAML implementation, improved CloudReady pattern documentation, Custom Segmentations can now include Custom Indicators, and much more.

Filed in: Risk & Security
Greg Rivera
Greg Rivera Vice President
As Vice President of CAST Highlight, Greg leads product strategy for the CAST SaaS platform helping customers and partners accelerate app modernization / cloud migration, rationalize their app portfolios, and reduce open source risk. He has worked with Fortune 1000 companies such as Microsoft, IDG Communications, and Arrow Electronics for over 20 years in technology and media, helping them make successful digital transformations. Greg has a B.S. in Electrical Engineering and an M.S. in Management of Technology and is passionate about applying technology to improve business and our everyday lives.
Load more reviews
Thank you for the review! Your review must be approved first
You've already submitted a review for this item
|
()