With the fast-paced development timelines in today’s business world, it is rare for organizations to develop completely original software code. Instead, they accept the risks of open source software and build on open source frameworks and third-party components. The result is a dramatically faster development process and reduced time to market. Open-source software (OSS) has become so prevalent that some 80% - 90% of the code in a typical enterprise application is made up of third-party components.
Common Open Source Software Risks
Open-source software components are a significant part of practically every software development team’s best practices. Even more significant, they are part of most organizations’ offerings to their customers across all industries and verticals. Merely using OSS during development carries inherent risk for any application, but that risk increases when these components are shipped in software that end-users interact with.
Identifying Open Source Risks
As organizations use OSS in hundreds or even thousands of applications, they need better visibility into the composition of their software in order to identify and manage these risks. This is achieved through Software Composition Analysis (SCA). However, when an organization has hundreds or thousands of applications, how does it decide where to focus first? That is where Software Intelligence comes in, using CAST Highlight for SCA.
Prioritizing and Managing Open Source Software Risks with CAST Highlight
CAST Highlight presents information at a portfolio level, enabling technology and business leaders to gain instant visibility that identifies open source risks across their enterprises.
In addition to the objective data that Highlight gathers via an automated source code scan, as other SCA solutions do, it also captures business context metrics via an integrated survey. This helps decision-makers make much more informed decisions.
Highlight’s Business Impact metric is calculated based on critical characteristics of the application that cannot be captured by simply scanning source code.
Here are some examples of application characteristics:
- How many users does the app have?
- Does the app service both internal employees and external customers?
- If the app has an outage, will it impact the organization’s revenue or mission-critical operations?
Insights like these are used to calculate the Business Impact metric. When that metric is integrated into the dashboard alongside the standard SCA metrics, the result is true software intelligence: a view that allows faster, smarter decisions when prioritizing open source risk mitigation and remediation actions.
Prioritizing OSS Risks - Why Business Impact Metrics Matter
Let’s take two different apps as an example. Common SCA tools would show you the following types of information:
App #1 – 43 Medium Severity Vulnerabilities, 2 High Severity Vulnerabilities
App #2 – 12 Medium Severity Vulnerabilities, 1 High Severity Vulnerability
An organization using most common SCA tools would see this data and likely choose to focus on fixing App #1 as a priority. It is a natural conclusion based on the numbers - teams might even suggest that it is the “educated” decision.
However, let’s now look deeper at these apps using Highlight’s SCA tool that provides additional business impact metrics on top of the above vulnerabilities data:
App #1 – Business Impact Score of 22 out of 100
App #2 – Business Impact Score of 94 out of 100
It turns out that App #1 is a small internal system for ordering office supplies and App #2 is an e-commerce system used by customers and salespeople. Now which one seems like the obvious choice to work on first?
Obviously, this is an extreme example to make a point, and it would be easy to make this decision if an IT team member were looking at just these two applications. However, what if the organization has hundreds or thousands of applications? How does it quickly decide where to focus its efforts to reduce open source risk?
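To make the prioritization argument concrete, here is an added example (not CAST's or Highlight's own scoring logic, which the page does not describe) that ranks the two applications above first by raw vulnerability counts and then by a risk score that weights those counts by the application's business impact. The severity weights, the linear combination, and the input values beyond the figures quoted on the page are assumptions made for illustration; it generalizes to any number of applications, not just the two in the text.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AppScan:
    """One application's SCA findings plus its business context.

    business_impact is the 0-100 score the article describes; the
    vulnerability counts are what a typical SCA tool reports.
    """
    name: str
    high: int
    medium: int
    low: int = 0
    business_impact: int = 0  # 0 (no business impact) .. 100 (mission critical)


# Assumed severity weights for illustration only; not Highlight's formula.
SEVERITY_WEIGHT = {"high": 10, "medium": 3, "low": 1}


def vuln_score(app: AppScan) -> int:
    """Technical exposure: a weighted count of open vulnerabilities."""
    return (
        app.high * SEVERITY_WEIGHT["high"]
        + app.medium * SEVERITY_WEIGHT["medium"]
        + app.low * SEVERITY_WEIGHT["low"]
    )


def risk_score(app: AppScan) -> float:
    """Business risk: technical exposure scaled by how much the app matters.

    A business impact of 0 yields a risk of 0, which is deliberate: such an
    app should sit at the bottom of the remediation queue, not be ignored,
    so the ranking below still breaks ties on vuln_score.
    """
    if not 0 <= app.business_impact <= 100:
        raise ValueError(f"{app.name}: business_impact must be 0..100")
    return vuln_score(app) * (app.business_impact / 100)


def rank_by_vulns(apps: List[AppScan]) -> List[str]:
    """Ordering a plain SCA dashboard would suggest: most findings first."""
    return [a.name for a in sorted(apps, key=vuln_score, reverse=True)]


def rank_by_risk(apps: List[AppScan]) -> List[str]:
    """Ordering once business impact is taken into account."""
    return [
        a.name
        for a in sorted(apps, key=lambda a: (risk_score(a), vuln_score(a)), reverse=True)
    ]


# Constructed sample portfolio using the figures quoted in the article.
SAMPLE_PORTFOLIO = [
    AppScan("App #1", high=2, medium=43, business_impact=22),  # office-supply ordering
    AppScan("App #2", high=1, medium=12, business_impact=94),  # customer e-commerce
]


if __name__ == "__main__":
    for app in SAMPLE_PORTFOLIO:
        print(f"{app.name}: vuln_score={vuln_score(app)} risk_score={risk_score(app):.1f}")
    print("By vulnerability count:", rank_by_vulns(SAMPLE_PORTFOLIO))
    print("By business risk:      ", rank_by_risk(SAMPLE_PORTFOLIO))
```

With these assumed weights App #1 scores 149 on technical exposure versus 46 for App #2, yet once each score is scaled by business impact (32.8 versus 43.2) the order flips and the e-commerce system comes first. The point is the shape of the calculation, not the specific weights: any portfolio-level prioritization needs a business-context term alongside the raw finding counts, or the ranking will be driven purely by volume.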
CAST Highlight provides Software Intelligence across the enterprise application portfolio, with business context, to help today's leaders make more informed decisions about their critical software assets rapidly.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now place equal value on technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and the liability implications of open source components - all three of which are critical for M&A due diligence.