Managing Open Source Risk Like Air Traffic Control
Recently, we delivered a webinar on open source risk management in which we discuss the importance of having a centralized, up to date view of open source risks across an entire application portfolio. We used an analogy likening CAST Highlight to an “open source control tower.” This got me thinking, does this analogy actually make sense?
I did some quick internet research on the concept of Air Traffic Control (ATC) which is the service that uses air traffic control towers. According to Wikipedia, “The primary purpose of ATC worldwide is to prevent collisions, organize and expedite the flow of air traffic, and provide information and other support for pilots.” This analogy is starting to make even more sense when we consider how CAST Highlight is used to perform Software Composition Analysis (SCA) as a smarter, simpler approach to managing open source risks.
A Flood of Alerts in the Air and on Developer Workstations
Prior to the adoption of ATC services, it was the primary responsibility of pilots to be vigilant in avoiding collisions, staying on schedule, and making routing decisions for the aircraft. Can you imagine this approach to air traffic control still being used in modern times? Pilots having to make decisions in crowded airports and congested airspace without any external guidance or broader context? I envision pilots being bombarded with hundreds of red flashing lights and warnings on the console of the flight deck…yikes!
Yet, this is analogous to how traditional SCA tools operate today. They are integrated directly into developer workstations and deliver alerts about open source risks such as security vulnerabilities, licensing risks, and out of date components. However, there is no context to these alerts that considers the broader application portfolio. Developers continue to suffer from the “alert fatigue”, plauged by other notifications for quality, security, and compliance. How do they make decisions? Where do they focus their limited time on the most critical open source threats?
Erecting an Open Source Control Tower
Similar to how air traffic control towers help ATC prevent serious air traffic catastrophes, keep flights on schedule, and provide guidance to pilots on optimal flight paths, CAST proposes a similar approach to open source risk management: an “open source control tower” with CAST Highlight. Deploying CAST Highlight as the control tower across an organization can be done in a few weeks. It does not require every developer to be trained to properly use a tool on their workstations, something which can take years to rollout and may still be bypassed. CAST Highlight plugs directly into source code repositories and aggregates the results of the analysis across all applications into intuitive dashboards - the “control tower”, allowing legal, security, and operations experts to make informed decisions engaging developers only when needed.
In the latest release of CAST Highlight, the innovative Portfolio Advisor for Open Source makes automated recommendations considering the entire portfolio in context. These recommendations identify where to focus attention and what specific actions to take based on qualitative criteria, such as the business impact of each application. For example, it will automatically identify applications that are important to the organization and have critical security vulnerabilities or risky licensing requirements that could pose legal implications. Typically, a centralized team analyzes results and provides guidance to developer teams that they can choose to take or ignore depending on their specific scenario, just like ATC providing guidance to pilots. Some of the guidance provided by ATC to pilots are required by law for safety purposes. Others are recommendations for pilots to decide how to use since they are ultimately responsible for the safety of the aircraft. This is very similar to how the open source control tower operates – some guidelines are required by the company (such as component Allow / Deny lists). Others are recommendations for development teams to decide how to address based on their specific scenario.
CAST has several clients using CAST Highlight who see significant value in having these automated recommendations in context without slowing down developer productivity. Listen to this recent webinar to hear a real world example of how Broadridge has used CAST Highlight to deploy their own open source control tower.
Read on below to learn more about latest product release.
What’s new in CAST Highlight?
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M & A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the targetâ€™s systems, customized quality metrics, and liability implications of open source components - all three that are critical for an M&A due diligence.