Are we really controlling OSS Risk across the organization or just ‘bailing water’?

Nov 7, 2022 | Portfolio Governance

Control open source legal, security, and operational risks across all your applications without disrupting developers

Expanding the focus of open source risk control

With the rapid growth of open source used in enterprise application development, the need for Software Composition Analysis (SCA) technology to control Open Source Software (OSS) risks has become quite apparent. Traditionally, OSS risk control has focused primarily on security vulnerability management. However, organizations are now expanding their governance of OSS risks to also include legal / compliance issues that could expose the organization to lawsuits, and potentially obsolete OSS components that could lead to operational failures.

The questions many organizations are now (or should be) asking themselves regarding OSS risk control include:

  • Are we too focused on only counting the number of vulnerabilities we have removed from our codebase or are we taking a more comprehensive approach?
  • Are we reducing our overall OSS risk including IP / compliance pitfalls and/or OSS component obsolescence?
  • How do we really know we are getting better at reducing the organization’s exposure to all OSS risks?

CAST Highlight has introduced a new capability in the latest product release to help easily answer these questions and more.

Are we simply ‘bailing water’ to manage OSS risk?

A simple analogy for this phenomenon is that of a ship that is taking on water due to a hole in the hull. The urgent need is for the crew to bail water to prevent the ship from sinking. However, the captain must not lose sight of the important goal of getting the ship to shore -- the real solution to the problem. If the captain focuses solely on bailing water to address the urgent need, it can feel like progress is being made. But, in reality, the ship may simply be sailing in circles without any progress towards the ultimate goal of reaching shore.

This is similar to how many traditional SCA products operate and how most organizations are using them. They are focused primarily on reducing Common Vulnerabilities & Exposures (CVEs) which can be an urgent issue while not also keeping an eye on the overall goal of controlling OSS risks for the organization. In other words, it is easy for organizations to fall into a trap of believing they are making progress when all they are really doing is ‘sailing in circles.’ A couple of simple examples of this scenario include:

  • Reducing the number of critical CVEs in a codebase while the legal risk is increasing due to using new components with risky licensing requirements; or
  • Reducing the number of critical CVEs in a codebase while the operational risk is increasing due to using older components that have become obsolete.

How do we ‘peel back the onion’ to understand what is really going on and if we are actually controlling OSS risk for the organization or just ‘sailing in circles’?

Actionable Insights for OSS Risk Control

In the latest Fall 2022 product release of CAST Highlight, the new Analysis Snapshot Comparison capability addresses this issue by enabling users to easily compare the changes from one analysis of an application to another. Users can now select two different analysis snapshots (such as the current analysis and the previous one) to compare the changes in dozens of indicators across open source risk, cloud readiness, technical debt, and more. This fine-grained comparison enables users to understand: 1.) whether the organization is actually making progress towards a desired goal such as controlling OSS risks or becoming more cloud ready, and 2.) the underlying causes of the changes from scan to scan.

For example, in the case of OSS risk control (SCA), this capability can inform the user that:

  • Even though the number of CVEs has been reduced, the organization is still exposed to higher legal risk due to risky component licenses that have recently been introduced; or
  • Even though license risk has been reduced, the organization has higher operational risk due to out of date components that have become obsolete.
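The two outcomes above are exactly what a multi-dimension snapshot diff is meant to surface. The following is an added example, not CAST Highlight's implementation: it compares two constructed component inventories (the record layout, the set of licenses treated as "risky", the three-year obsolescence threshold, and the placeholder component names and CVE identifiers are all assumptions made for the illustration) and reports per-dimension deltas plus a verdict that distinguishes real progress from trading one risk for another.

```python
"""Compare two SCA analysis snapshots across several OSS risk dimensions.

Added illustration, not CAST Highlight's implementation. The snapshot
record layout, the set of "risky" licenses and the obsolescence threshold
are assumptions chosen for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Assumption: licenses a legal review would flag for proprietary distribution.
RISKY_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"}
# Assumption: a component with no upstream release in this many days is obsolete.
OBSOLETE_AFTER_DAYS = 3 * 365


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str            # SPDX identifier
    cves: tuple[str, ...]   # CVE identifiers affecting this version
    last_release: date      # most recent upstream release of the component


def cve_count(snapshot: tuple[Component, ...]) -> int:
    return sum(len(c.cves) for c in snapshot)


def risky_license_count(snapshot: tuple[Component, ...]) -> int:
    return sum(1 for c in snapshot if c.license in RISKY_LICENSES)


def obsolete_count(snapshot: tuple[Component, ...], as_of: date) -> int:
    return sum(
        1 for c in snapshot if (as_of - c.last_release).days > OBSOLETE_AFTER_DAYS
    )


def compare_snapshots(previous, current, as_of):
    """Return (per-dimension deltas, verdict).

    A positive delta means the dimension got worse. The verdict is
    "progress" when nothing worsened and something improved, "no change"
    when every delta is zero, "circles" when one dimension improved while
    another worsened, and "regression" when dimensions only worsened.
    """
    deltas = {
        "cves": cve_count(current) - cve_count(previous),
        "risky_licenses": risky_license_count(current) - risky_license_count(previous),
        "obsolete": obsolete_count(current, as_of) - obsolete_count(previous, as_of),
    }
    worsened = [k for k, v in deltas.items() if v > 0]
    improved = [k for k, v in deltas.items() if v < 0]
    if worsened and improved:
        verdict = "circles"
    elif worsened:
        verdict = "regression"
    elif improved:
        verdict = "progress"
    else:
        verdict = "no change"
    return deltas, verdict


# Constructed sample data: placeholder component names and CVE ids, not real ones.
AS_OF = date(2022, 11, 7)
PREV_SNAPSHOT = (
    Component("libparse", "1.4.0", "Apache-2.0", ("CVE-EXAMPLE-1", "CVE-EXAMPLE-2"), date(2021, 6, 1)),
    Component("netutil", "0.9.2", "MIT", ("CVE-EXAMPLE-3",), date(2020, 2, 10)),
)
CUR_SNAPSHOT = (
    # libparse upgraded to a patched version: two CVEs gone.
    Component("libparse", "1.5.2", "Apache-2.0", (), date(2022, 9, 14)),
    # netutil untouched between scans.
    Component("netutil", "0.9.2", "MIT", ("CVE-EXAMPLE-3",), date(2020, 2, 10)),
    # New dependency pulled in: copyleft license and no release since 2019.
    Component("fastcrypt", "3.0.0", "AGPL-3.0-only", (), date(2019, 4, 3)),
)

if __name__ == "__main__":
    deltas, verdict = compare_snapshots(PREV_SNAPSHOT, CUR_SNAPSHOT, AS_OF)
    for dimension, delta in deltas.items():
        print(f"{dimension:15s} {delta:+d}")
    print("verdict:", verdict)
```

On the constructed data the CVE count drops by two while the risky-license and obsolete counts each rise by one, so the verdict is "circles": the scan-to-scan CVE reduction would look like progress on its own, and only the side-by-side deltas show that legal and operational risk went up in the same release.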

One of CAST Highlight’s guiding principles is to provide ‘actionable insights’ rapidly so that leaders can make more informed decisions and quantify that they are actually getting closer to the goal, not just ‘sailing in circles’. And, the Snapshot Comparison capability is a perfect example of this principle in action.

Read on below to learn about more of the new capabilities introduced in the Fall 2022 product release of CAST Highlight.

What’s new in CAST Highlight?

Analysis Snapshot Comparison

Make faster decisions about cloud readiness and OSS risk control by easily comparing application changes across multiple analysis snapshots.

Custom Report Builder

Make faster decisions and grow adoption of CAST Highlight insights by building custom reports directly in the user interface. Define your ideal report with customizable data tables, columns, and charts, which was previously only possible using the API and external reporting tools.

Portfolio Management Optimization

Speed up application onboarding and portfolio administration with a new, streamlined portfolio management screen. User/domain/application management has been optimized to increase performance and productivity especially for large application portfolios.

Scala support for CloudReady

Improve technology coverage with 20+ new Cloud Readiness patterns for Scala.

C# Analyzer Optimization

Improve accuracy of C# application insights with a modernized C# code analyzer that includes new code patterns.

New Technology Support for MariaDB, JCL, CICS and IMS

Expand technology coverage with new support for MariaDB and three Mainframe technologies (JCL, CICS and IMS) initially including detection, sizing, and SCA.

Many other feature improvements

The product team also took the opportunity with this new release to introduce many additional capabilities such as: SSO multi-company support, new package manager support for SCA, bulk snapshot management, and much more.

Useful Resources to Get Started

The CAST Highlight team has developed very useful resources to help you onboard applications, operate automation and API tools, and leverage our software analytics within your organization.
Visit the Product Tutorial page.