Control open source legal, security, and operational risks across all your applications without disrupting developers
Expanding the focus of open source risk control
With the rapid growth of open source in enterprise application development, the need for Software Composition Analysis (SCA) technology to control Open Source Software (OSS) risks has become apparent. Traditionally, OSS risk control has focused primarily on security vulnerability management. However, organizations are now expanding their governance of OSS risks to also cover legal and compliance issues that could expose the organization to lawsuits, and potentially obsolete OSS components that could lead to operational failures.
The questions many organizations are now (or should be) asking themselves regarding OSS risk control include:
- Are we too focused on only counting the number of vulnerabilities we have removed from our codebase or are we taking a more comprehensive approach?
- Are we reducing our overall OSS risk including IP / compliance pitfalls and/or OSS component obsolescence?
- How do we really know we are getting better at reducing the organization’s exposure to all OSS risks?
CAST Highlight has introduced a new capability in the latest product release to help easily answer these questions and more.
Are we simply ‘bailing water’ to manage OSS risk?
A simple analogy for this phenomenon is that of a ship taking on water through a hole in the hull. The urgent need is for the crew to bail water to keep the ship from sinking. However, the captain must not lose sight of the important goal of getting the ship to shore, which is the real solution to the problem. If the captain focuses solely on bailing water to address the urgent need, it can feel like progress is being made. In reality, the ship may simply be sailing in circles, making no progress towards the ultimate goal of reaching shore.
This is similar to how many traditional SCA products operate and how most organizations use them. They focus primarily on reducing Common Vulnerabilities and Exposures (CVEs), which can be an urgent issue, without also keeping an eye on the overall goal of controlling OSS risk for the organization. In other words, it is easy for organizations to fall into the trap of believing they are making progress when all they are really doing is 'sailing in circles.' Two simple examples of this scenario:
- Reducing the number of critical CVEs in a codebase while the legal risk is increasing due to using new components with risky licensing requirements; or
- Reducing the number of critical CVEs in a codebase while the operational risk is increasing due to using older components that have become obsolete.
How do we ‘peel back the onion’ to understand what is really going on and if we are actually controlling OSS risk for the organization or just ‘sailing in circles’?
Actionable Insights for OSS Risk Control
In the latest Fall 2022 product release of CAST Highlight, the new Analysis Snapshot Comparison capability addresses this issue by enabling users to compare the changes from one analysis of an application to another. Users can now select two analysis snapshots (such as the current analysis and the previous one) and compare the changes in dozens of indicators across open source risk, cloud readiness, technical debt, and more. This fine-grained analysis enables users to understand: 1.) whether the organization is actually making progress towards a desired goal such as controlling OSS risk or becoming more cloud ready, and 2.) the underlying causes of the changes from scan to scan.
For example, in the case of OSS risk control (SCA), this capability can inform the user that:
- Even though the number of CVEs has been reduced, the organization is still exposed to higher legal risk due to risky component licenses that have recently been introduced; or
- Even though license risk has been reduced, the organization has higher operational risk due to out of date components that have become obsolete.
One of CAST Highlight’s guiding principles is to provide ‘actionable insights’ rapidly so that leaders can make more informed decisions and quantify that they are actually getting closer to the goal, not just ‘sailing in circles’. And, the Snapshot Comparison capability is a perfect example of this principle in action.
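As an added illustration of the kind of scan-to-scan comparison described above (this is example code, not CAST Highlight's own implementation or output), the script below diffs two SCA snapshots across three risk dimensions, flags the 'sailing in circles' pattern where one dimension improves while another regresses, and attributes each regression to the components that introduced it. The two snapshots, the component names, the placeholder CVE identifiers, the list of risky licenses and the obsolescence threshold are all constructed assumptions chosen for the example.

```python
"""Snapshot-to-snapshot comparison of OSS risk across three dimensions.

Added example, not CAST Highlight code. Snapshots, CVE placeholders,
license policy and obsolescence threshold are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumption: licenses the legal team treats as high risk for a distributed product.
RISKY_LICENSES = frozenset({"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"})
# Assumption: no upstream release in this many days means the component is obsolete.
OBSOLETE_AFTER_DAYS = 3 * 365
DIMENSIONS = ("critical_cves", "risky_licenses", "obsolete")


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    last_release: date                   # most recent upstream release of the component
    critical_cves: tuple[str, ...] = ()  # critical-severity CVE IDs affecting this version


def is_obsolete(c: Component, as_of: date) -> bool:
    return (as_of - c.last_release).days > OBSOLETE_AFTER_DAYS


def offenders(snapshot, dim: str, as_of: date) -> set[str]:
    """Names of the components that contribute to one risk dimension."""
    if dim == "critical_cves":
        return {c.name for c in snapshot if c.critical_cves}
    if dim == "risky_licenses":
        return {c.name for c in snapshot if c.license in RISKY_LICENSES}
    return {c.name for c in snapshot if is_obsolete(c, as_of)}


def risk_metrics(snapshot, as_of: date) -> dict[str, int]:
    """One number per dimension: CVEs counted per finding, the rest per component."""
    return {
        "critical_cves": sum(len(c.critical_cves) for c in snapshot),
        "risky_licenses": len(offenders(snapshot, "risky_licenses", as_of)),
        "obsolete": len(offenders(snapshot, "obsolete", as_of)),
    }


def compare_snapshots(before, after, as_of: date) -> dict:
    """Diff two snapshots, detect divergent trends and attribute each regression."""
    b, a = risk_metrics(before, as_of), risk_metrics(after, as_of)
    deltas = {d: a[d] - b[d] for d in DIMENSIONS}
    improved = [d for d in DIMENSIONS if deltas[d] < 0]
    regressed = [d for d in DIMENSIONS if deltas[d] > 0]
    # Root cause: components that contribute to a dimension now but did not before.
    new_offenders = {
        d: sorted(offenders(after, d, as_of) - offenders(before, d, as_of))
        for d in regressed
    }
    return {
        "before": b, "after": a, "deltas": deltas,
        "improved": improved, "regressed": regressed,
        # 'Sailing in circles': progress on one dimension masks regression on another.
        "sailing_in_circles": bool(improved) and bool(regressed),
        "new_offenders": new_offenders,
    }


def render(result: dict) -> str:
    """Human-readable comparison report."""
    lines = [
        f"{d:15s} {result['before'][d]:>3} -> {result['after'][d]:>3} ({result['deltas'][d]:+d})"
        for d in DIMENSIONS
    ]
    for d, names in result["new_offenders"].items():
        lines.append(f"  {d} regressed because of: {', '.join(names)}")
    if result["sailing_in_circles"]:
        lines.append("WARNING: one dimension improved while another regressed")
    return "\n".join(lines)


# Constructed sample snapshots. CVE IDs are placeholders, not real advisories.
AS_OF = date(2022, 10, 1)
PREVIOUS_SCAN = (
    Component("libfoo", "1.2.0", "MIT", date(2022, 1, 10), ("CVE-PLACEHOLDER-1", "CVE-PLACEHOLDER-2")),
    Component("libbar", "3.0.1", "Apache-2.0", date(2021, 11, 5), ("CVE-PLACEHOLDER-3",)),
    Component("oldlib", "0.9", "BSD-3-Clause", date(2018, 6, 1)),          # already obsolete
)
LATEST_SCAN = (
    Component("libfoo", "1.3.0", "MIT", date(2022, 8, 2)),                 # upgraded, CVEs gone
    Component("libbar", "3.0.1", "Apache-2.0", date(2021, 11, 5), ("CVE-PLACEHOLDER-3",)),
    Component("oldlib", "0.9", "BSD-3-Clause", date(2018, 6, 1)),
    Component("fastcrypt", "2.1", "AGPL-3.0-only", date(2022, 5, 1)),      # new, risky license
    Component("legacy-xml", "1.0", "MIT", date(2017, 2, 14)),              # new, long unmaintained
)

if __name__ == "__main__":
    print(render(compare_snapshots(PREVIOUS_SCAN, LATEST_SCAN, AS_OF)))
```

Run against the constructed snapshots, the critical CVE count falls from 3 to 1, but the report also shows one newly introduced copyleft component and one newly introduced obsolete component, and attributes each regression to the component responsible. Counting only the CVE delta would have read as unambiguous progress.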
Read on below to learn about more of the new capabilities introduced in the Fall 2022 product release of CAST Highlight.
What’s new in CAST Highlight?
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now place equal value on technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target's systems, customized quality metrics, and the liability implications of open source components, all three of which are critical for M&A due diligence.