Open Source Software Risks: How to Prioritize

Aug 27, 2019 | Digital Transformation

With the fast-paced development timelines in today’s business world, it is rare for organizations to develop completely original software code. Instead, they accept open source software risks and build on open source frameworks and third-party components. The result is a dramatically faster development process and reduced time to market. Open-source software (OSS) has become so prevalent that some 80% to 90% of the code in a typical enterprise application is made up of third-party components.

Common Open Source Software Risks

Open-source software components are a significant part of practically every software development team’s best practices. Even more significant, they are part of most organizations’ offerings to their customers across all industries and verticals. Simply using OSS during development carries inherent risk in every application, but that risk increases when these components ship in software that reaches the end user.


Identifying Open Source Risks

As organizations use OSS in hundreds or even thousands of applications, they need better visibility into the composition of their software in order to identify and manage these risks. This is achieved through Software Composition Analysis (SCA). But with so many applications, how do you decide where to focus first? That is where Software Intelligence comes in, using CAST Highlight for SCA.

Prioritizing and Managing Open Source Software Risks with CAST Highlight

CAST Highlight presents information at the portfolio level, giving technology and business leaders instant visibility into open source risks across the enterprise.

In addition to the objective data that Highlight gathers through an automated source code scan, as other SCA solutions do, it also captures business context metrics through an integrated survey. This gives decision-makers a much better basis for their decisions.

[Figure: Highlight application portfolio view of open source risk and SCA findings, with the Business Impact metric called out]

Highlight’s Business Impact metric is calculated from critical characteristics of the application that cannot be captured by scanning source code alone.

Here are some examples of such application characteristics:

  • How many users does the app have?
  • Does the app service both internal employees and external customers?
  • If the app has an outage, will it impact the organization’s revenue or mission-critical operations?

When insights like these, which feed the Business Impact metric, are integrated into the dashboard alongside the standard SCA metrics, the result is true software intelligence: faster, smarter decision making when prioritizing open source risk mitigation and remediation actions.

Prioritizing OSS Risks: Why Business Impact Metrics Matter

Let’s take two different apps as an example. Common SCA tools would show you the following types of information:

App #1 – 43 Medium Severity Vulnerabilities, 2 High Severity Vulnerabilities

App #2 – 12 Medium Severity Vulnerabilities, 1 High Severity Vulnerability

An organization using a common SCA tool would see this data and likely choose to focus on fixing App #1 first. It is a natural conclusion based on the numbers; teams might even call it the “educated” decision.

However, let’s now look deeper at these apps using Highlight’s SCA capability, which adds business impact metrics on top of the vulnerability data above:

App #1 – Business Impact Score of 22 out of 100

App #2 – Business Impact Score of 94 out of 100

It turns out that App #1 is a small internal system for ordering office supplies and App #2 is an e-commerce system used by customers and salespeople. Now which one seems like the obvious choice to work on first?

Obviously, this is an extreme example to make a point, and it would be easy to make this decision if an IT team member only had to look at these two applications. However, what if the organization has hundreds or thousands of applications? How does it quickly decide where to focus its efforts to reduce open source risk?
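To make the reordering concrete at portfolio scale, here is an added example (not CAST Highlight’s own scoring, whose formula this post does not give) that ranks a constructed portfolio two ways: by a severity-weighted vulnerability count alone, and by that count scaled by the Business Impact score. The severity weights, the multiplicative combination and the third app are assumptions for illustration.

```python
from dataclasses import dataclass

# Assumed weights: one High finding counts as much as five Mediums.
# Illustrative only; this is not CAST Highlight's scoring model.
SEVERITY_WEIGHT = {"high": 5, "medium": 1}


@dataclass(frozen=True)
class App:
    name: str
    high: int             # High severity findings reported by SCA
    medium: int           # Medium severity findings reported by SCA
    business_impact: int  # Business Impact score, 0..100 (survey-derived)


def vulnerability_score(app: App) -> int:
    """Severity-weighted finding count: what a plain SCA dashboard ranks on."""
    return (app.high * SEVERITY_WEIGHT["high"]
            + app.medium * SEVERITY_WEIGHT["medium"])


def prioritized_score(app: App) -> float:
    """Vulnerability score scaled by business impact (0..1)."""
    if not 0 <= app.business_impact <= 100:
        raise ValueError(f"{app.name}: business impact must be 0..100")
    return vulnerability_score(app) * (app.business_impact / 100)


def rank(apps, key):
    """Return app names ordered from highest to lowest score."""
    return [a.name for a in sorted(apps, key=key, reverse=True)]


# Constructed portfolio: the two apps from the post plus a third for contrast.
PORTFOLIO = [
    App("App #1 (office supplies)", high=2, medium=43, business_impact=22),
    App("App #2 (e-commerce)", high=1, medium=12, business_impact=94),
    App("App #3 (retired batch job)", high=3, medium=5, business_impact=5),
]

if __name__ == "__main__":
    print("By vulnerabilities only:", rank(PORTFOLIO, vulnerability_score))
    print("With business impact:   ", rank(PORTFOLIO, prioritized_score))
```

Ranking on vulnerability counts alone puts App #1 first; scaling by business impact moves App #2 to the top and pushes the low-impact App #3 to the bottom despite its three High findings.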

CAST Highlight provides Software Intelligence across the enterprise application portfolio, with business context, to help today’s leaders make more informed decisions about their critical software assets rapidly.

Contact CAST to learn more about how we can help you better manage your open source risk with Software Intelligence.