Open Source Software Risks: How to Prioritize


With the fast-paced development timelines in today’s business world, it is rare for organizations to develop completely original software code. Instead, they choose to brave open source software risks and use open source frameworks and third-party components. The result is a dramatically faster development process and reduced time to market. Open-source software (OSS) has become so prevalent that some 80% to 90% of the code in a typical enterprise application is made up of third-party components.

Common Open Source Software Risks

Open-source software components are part of practically every software development team’s standard practice. More significantly, they are part of most organizations’ offerings to their customers across all industries and verticals. Simply using OSS in development carries inherent risk, but that risk increases when these components are exposed to end users.


Identifying Open Source Risks

As organizations use OSS in hundreds or even thousands of applications, they need better visibility into the composition of their software to identify and manage these risks. This is achieved through Software Composition Analysis (SCA). But with a portfolio that large, how do you decide where to focus first? That is where Software Intelligence comes in, using CAST Highlight for SCA.

Prioritizing and Managing Open Source Software Risks with CAST Highlight

CAST Highlight presents information at a portfolio level, enabling technology and business leaders to gain instant visibility that identifies open source risks across their enterprises. 

In addition to the objective data that Highlight gathers via an automated source code scan, as other SCA solutions do, it also captures business context metrics via an integrated survey. This helps decision-makers make much more informed decisions.

[Figure: Highlight application portfolio view of open source risk and SCA, with Business Impact callout]

Highlight’s Business Impact metric is calculated based on critical characteristics of the application that cannot be captured by simply scanning source code. 

Here are some examples of application characteristics:

  • How many users does the app have?
  • Does the app service both internal employees and external customers?
  • If the app has an outage, will it impact the organization’s revenue or mission-critical operations?

Insights like these feed the Business Impact metric. Integrated into the dashboard alongside the standard SCA metrics, they deliver true software intelligence that allows faster, smarter decisions when prioritizing open source risk mitigation and remediation actions.

Prioritizing OSS Risks - Why Business Impact Metrics Matter

Let’s take two different apps as an example. Common SCA tools would show you the following types of information:

App #1 – 43 Medium Severity Vulnerabilities, 2 High Severity Vulnerabilities

App #2 – 12 Medium Severity Vulnerabilities, 1 High Severity Vulnerability

An organization using most common SCA tools would see this data and likely choose to focus on fixing App #1 as a priority. It is a natural conclusion based on the numbers - teams might even suggest that it is the “educated” decision.

However, let’s now look deeper at these apps using Highlight’s SCA tool that provides additional business impact metrics on top of the above vulnerabilities data:

App #1 – Business Impact Score of 22 out of 100

App #2 – Business Impact Score of 94 out of 100

It turns out that App #1 is a small internal system for ordering office supplies and App #2 is an e-commerce system used by customers and salespeople. Now which one seems like the obvious choice to work on first?

Obviously, this is an extreme example to make a point and it would be easy to make this decision if an IT team member were to look at just the two applications. However, what if the organization has hundreds or thousands of applications? How do they quickly decide where to focus efforts to reduce open source risk?
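To make the argument concrete at portfolio scale, here is an added example (not CAST’s code or Highlight’s actual scoring method) that ranks a set of applications two ways: by SCA severity counts alone, and by a composite that scales those counts by the business impact score. The severity weights and the composite formula are illustrative assumptions; the two applications’ numbers are the ones given in the article.

```python
"""Rank applications for OSS-risk remediation with and without business impact.

The severity weights and the composite formula are illustrative assumptions
for this example, not CAST Highlight's published method.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Illustrative severity weights (assumption, not a published scheme).
SEVERITY_WEIGHT = {"high": 10.0, "medium": 3.0}


@dataclass(frozen=True)
class App:
    name: str
    high: int              # count of high-severity OSS vulnerabilities
    medium: int            # count of medium-severity OSS vulnerabilities
    business_impact: int   # 0..100, captured from business context, not from code


def technical_score(app: App) -> float:
    """Severity-weighted vulnerability count: what an SCA-only view ranks on."""
    return app.high * SEVERITY_WEIGHT["high"] + app.medium * SEVERITY_WEIGHT["medium"]


def composite_score(app: App) -> float:
    """Technical exposure scaled by business impact (0..1); rejects bad input."""
    if not 0 <= app.business_impact <= 100:
        raise ValueError(f"{app.name}: business impact must be 0..100")
    return technical_score(app) * (app.business_impact / 100)


def rank(apps: Iterable[App], key: Callable[[App], float]) -> List[str]:
    """Return app names, highest score first; ties broken by name for determinism."""
    return [a.name for a in sorted(apps, key=lambda a: (-key(a), a.name))]


# The two applications from the article, with their stated counts and impact scores.
PORTFOLIO = [
    App("App #1 (office supplies)", high=2, medium=43, business_impact=22),
    App("App #2 (e-commerce)", high=1, medium=12, business_impact=94),
]

if __name__ == "__main__":
    print("SCA-only order:", rank(PORTFOLIO, technical_score))
    print("With business impact:", rank(PORTFOLIO, composite_score))
```

Under these weights App #1 scores 149 and App #2 scores 46 on the SCA-only view, but once scaled by business impact App #2 (43.24) overtakes App #1 (32.78), reproducing the article’s reordering across any portfolio size.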

CAST Highlight provides Software Intelligence across the enterprise application portfolio, with business context, to help today's leaders rapidly make more informed decisions about their critical software assets.

Contact CAST to learn more about how we can help you better manage your open source risk with Software Intelligence.

Greg Rivera, Vice President
As Vice President of CAST Highlight, Greg leads product strategy for the CAST SaaS platform helping customers and partners accelerate app modernization / cloud migration, rationalize their app portfolios, and reduce open source risk. He has worked with Fortune 1000 companies such as Microsoft, IDG Communications, and Arrow Electronics for over 20 years in technology and media, helping them make successful digital transformations. Greg has a B.S. in Electrical Engineering and an M.S. in Management of Technology and is passionate about applying technology to improve business and our everyday lives.