Finding a Safer Path Through Open Source Risks
Open source software (OSS) has clearly become ubiquitous, with over 70% of applications utilizing open source components according to Gartner. Although this is helping organizations dramatically reduce the time to market of delivering software, Common Vulnerabilities and Exposures (CVEs) within OSS components continue to be a significant risk. For example, the Heartbleed vulnerability affected over 66% of all active websites in the world, with an estimated cost of almost $500 million to fix it.
Software Composition Analysis (SCA) products such as CAST Highlight automate the analysis and detection of OSS risks in enterprise software applications to help provide insight on how to reduce the security and legal risks associated with using open source components. Recent innovations in CAST Highlight such as the Portfolio Advisor for Open Source will even automatically recommend where to focus attention on the most serious risks across hundreds or even thousands of applications. But the best path to take when remediating unsafe OSS components is not always clear – until now. The latest product release of CAST Highlight has introduced the innovative OSS Safe Component Version Recommender, which automatically recommends the best remediation path to take for unsafe OSS components…it’s like having an open source “Sherpa” giving you expert guidance on how best to navigate OSS risks.
Guidance from a Sherpa
The term “Sherpa” originates from the Tibetan ethnic groups native to the many mountainous areas of Nepal. This group became regarded as expert mountaineers and were often called on as guides for travelers attempting to climb the mountains of the Himalayan region, especially Mount Everest, the highest mountain on earth. Today, the term Sherpa has become synonymous with someone acting as an elite guide or mentor in other situations, including international negotiations such as the G20 Summit.
This metaphor also works well when considering the treacherous task of navigating insecure open source software components. When discovering that an OSS component has critical CVEs, organizations often struggle with the enormous number of options to pursue to remediate the unsafe component. It’s akin to deciding on the best path to take when climbing the largest mountains on the planet. There could be dozens of newer versions of an unsafe component to choose from. Can you imagine having to make these decisions across hundreds or thousands of applications in a typical enterprise application portfolio? The new CAST Highlight OSS Safe Component Version Recommender acts as a Sherpa and automatically recommends safe upgrade paths for insecure OSS components.
Automated Recommendations for Safer Open Source
When CAST Highlight detects a critical CVE in your application portfolio, the new OSS Safe Component Version Recommender now acts like a Sherpa and automatically recommends a couple of different paths to take:
- Safer and Closest: A recommendation of a safer version to upgrade to that is closer to the component version currently in use, since it is not always easy to upgrade to a much newer version immediately (it’s like a Sherpa breaking up a long mountain climb into shorter, more manageable segments to reach the peak).
- Safest: A recommendation of the safest component version that you should ultimately try to adopt (it’s the Sherpa’s ultimate path to the peak).
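As an added illustration of the two recommendation types above (this is example code written for this post, not CAST Highlight's own logic, whose scoring is not public): given the version in use, the versions available, and the CVE-affected version ranges, the "safer and closest" pick is the nearest newer version with fewer known CVEs, and the "safest" pick is the newest version with the fewest. The component versions and CVE identifiers are constructed placeholders, and the version comparison assumes plain numeric dotted versions.

```python
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    # Assumes purely numeric dotted versions (1.2.3); real ecosystems need
    # their own comparator (pre-releases, epochs, build metadata).
    return tuple(int(p) for p in v.split("."))

@dataclass
class Advisory:
    cve: str          # placeholder identifier, not a real CVE
    introduced: str   # first affected version (inclusive)
    fixed: str        # first version no longer affected (exclusive)

def known_cves(version: str, advisories: list) -> set:
    """Return the set of advisories whose affected range contains `version`."""
    v = parse_version(version)
    return {a.cve for a in advisories
            if parse_version(a.introduced) <= v < parse_version(a.fixed)}

def recommend(current: str, available: list, advisories: list) -> dict:
    """Pick a 'safer and closest' and a 'safest' upgrade for `current`."""
    cur = parse_version(current)
    current_count = len(known_cves(current, advisories))
    # Only upgrades are candidates: versions newer than the one in use.
    newer = sorted((v for v in available if parse_version(v) > cur), key=parse_version)
    scored = [(v, len(known_cves(v, advisories))) for v in newer]
    # Closest newer version that strictly reduces the CVE count.
    safer = [v for v, n in scored if n < current_count]
    # Fewest CVEs overall; ties go to the newest version.
    safest = None
    if scored:
        best = min(n for _, n in scored)
        safest = [v for v, n in scored if n == best][-1]
    return {
        "current_cves": sorted(known_cves(current, advisories)),
        "safer_and_closest": safer[0] if safer else None,
        "safest": safest,
    }

# Constructed sample data for a hypothetical component.
AVAILABLE = ["1.0.0", "1.0.1", "1.1.0", "1.2.0", "1.2.3", "2.0.0", "2.1.0"]
ADVISORIES = [
    Advisory("CVE-PLACEHOLDER-0001", "1.0.0", "1.1.0"),
    Advisory("CVE-PLACEHOLDER-0002", "1.0.0", "1.2.3"),
    Advisory("CVE-PLACEHOLDER-0003", "2.0.0", "2.1.0"),  # regression in 2.0.0
]

if __name__ == "__main__":
    print(recommend("1.0.1", AVAILABLE, ADVISORIES))
```

For the sample data, 1.0.1 carries two CVEs; 1.1.0 is the short next step (one CVE left), while 2.1.0 is the peak, and the example shows why simply jumping to the newest major (2.0.0) would be a mistake.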
CAST Highlight continues to innovate by delivering automated software intelligence insights and guidance, taking the guesswork out of making better decisions across your application portfolio. See below for some of the other innovations included in the Summer 2022 product release of CAST Highlight.
What’s new in CAST Highlight?
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and the liability implications of open source components, all three of which are critical for M&A due diligence.