Building an Open Source Control Tower for Your Application Portfolio

Nov 2, 2021 | Digital Transformation

Managing Open Source Risk Like Air Traffic Control

Recently, we delivered a webinar on open source risk management in which we discussed the importance of having a centralized, up-to-date view of open source risks across an entire application portfolio. We used an analogy likening CAST Highlight to an “open source control tower.” This got me thinking: does this analogy actually make sense?

I did some quick internet research on the concept of Air Traffic Control (ATC) which is the service that uses air traffic control towers. According to Wikipedia, “The primary purpose of ATC worldwide is to prevent collisions, organize and expedite the flow of air traffic, and provide information and other support for pilots.” This analogy is starting to make even more sense when we consider how CAST Highlight is used to perform Software Composition Analysis (SCA) as a smarter, simpler approach to managing open source risks.

A Flood of Alerts in the Air and on Developer Workstations

Prior to the adoption of ATC services, it was the primary responsibility of pilots to be vigilant in avoiding collisions, staying on schedule, and making routing decisions for the aircraft. Can you imagine this approach to air traffic control still being used in modern times? Pilots having to make decisions in crowded airports and congested airspace without any external guidance or broader context? I envision pilots being bombarded with hundreds of red flashing lights and warnings on the console of the flight deck…yikes!

Yet this is analogous to how traditional SCA tools operate today. They are integrated directly into developer workstations and deliver alerts about open source risks such as security vulnerabilities, licensing risks, and out-of-date components. However, these alerts carry no context that considers the broader application portfolio. Developers continue to suffer from “alert fatigue”, plagued by other notifications for quality, security, and compliance. How do they make decisions? Where should they focus their limited time so that it lands on the most critical open source threats?

Erecting an Open Source Control Tower

Similar to how air traffic control towers help ATC prevent serious air traffic catastrophes, keep flights on schedule, and provide guidance to pilots on optimal flight paths, CAST proposes a similar approach to open source risk management: an “open source control tower” built with CAST Highlight. Deploying CAST Highlight as the control tower across an organization can be done in a few weeks. It does not require every developer to be trained to properly use a tool on their workstation, something which can take years to roll out and may still be bypassed. CAST Highlight plugs directly into source code repositories and aggregates the analysis results across all applications into intuitive dashboards (the “control tower”), allowing legal, security, and operations experts to make informed decisions and to engage developers only when needed.

In the latest release of CAST Highlight, the innovative Portfolio Advisor for Open Source makes automated recommendations that consider the entire portfolio in context. These recommendations identify where to focus attention and what specific actions to take based on qualitative criteria, such as the business impact of each application. For example, it will automatically identify applications that are important to the organization and have critical security vulnerabilities or risky licensing requirements that could pose legal implications. Typically, a centralized team analyzes results and provides guidance to developer teams, which they can choose to take or ignore depending on their specific scenario, just like ATC providing guidance to pilots. Some of the guidance ATC provides to pilots is required by law for safety purposes. Other guidance consists of recommendations that pilots decide how to use, since they are ultimately responsible for the safety of the aircraft. This is very similar to how the open source control tower operates – some guidelines are required by the company (such as component Allow / Deny lists). Others are recommendations for development teams to decide how to address based on their specific scenario.

CAST has several clients using CAST Highlight who see significant value in having these automated recommendations in context without slowing down developer productivity. Listen to this recent webinar to hear a real world example of how Broadridge has used CAST Highlight to deploy their own open source control tower.

Read on below to learn more about the latest product release.

What’s new in CAST Highlight?

Portfolio Advisor for Open Source

Rapidly prioritize applications with Open Source and third-party component risks across your application portfolio and get automated recommendations on actions to take to reduce vulnerability, license and operational risks.
GitHub Actions for automated CAST Highlight scans

Automate periodic source code scans and uploads for your GitHub repositories with our new GitHub Action, which you can download from the marketplace.
Customizable Portfolio Segmentation

Build your own application portfolio segmentation models and Portfolio Advisor reports by combining CAST Highlight insights to better prioritize challenges your organization is facing.
Software Health support for Clojure

This new release adds Software Health support for Clojure with around 30 code insights addressing Software Resiliency, Agility and Elegance of your applications.
See CAST Highlight’s technology coverage

Support of GitLab Advisories Community Vulnerabilities

Identify more vulnerabilities at earlier stages and with more accuracy. In addition to the 150K+ vulnerabilities referenced in NVD, CAST Highlight now detects CVEs from the GitLab Advisories Community.

Many other feature improvements

The product team also took the opportunity with this new version to introduce many additional feature improvements that increase ease of use, such as extended Gradle support for SCA, additional exports (components, Keyword Scan results), custom survey sequencing, result pagination for large portfolios, and much more.

Useful Resources to Get Started

The CAST Highlight team has developed very useful resources to help you onboard the platform, operate automation and API tools and leverage our software analytics within your organization.
Visit the Product Tutorial page.