The risk plane expands as the reliance on Open-Source Software (OSS) grows. One of the biggest issues isn’t the code itself but rather a lack of understanding of what’s in it. It’s critical to be proactive in identifying and mitigating threats.
According to Revenera’s 2022 Report on Software Supply Chain Compliance, open-source components account for 61% of scanned codebase files. Yet, enterprises are only aware of a small fraction of the open-source components they use. Too many businesses are oblivious to their software supply chain.
When a vulnerability is detected, the goal is to minimize disruption. Companies must adopt a proactive approach to managing open-source, knowing what’s in their code, and complying with any associated licenses to identify and reduce risk.
Here are four actions that businesses can take to improve the trust transparency in their open-source program.
Being proactive includes planning ahead to build a complete ecosystem for OSS management, remaining updated on open source components, associated licensing, and documented security vulnerabilities, and then sharing that knowledge with relevant stakeholders within the company. This begins with identifying all components utilized across the product portfolio and tracking those that may pose software supply chain risks within the company owing to license or security compliance issues.
Now is the time to build a comprehensive policy for all third-party software (including OSS) and create a complete and accurate Software Bill of Materials (SBOM). If they have one already, they must improve it by identifying and bridging gaps. They must, for example, ensure that their process lets them quickly scale to manage the whole software supply chain, including upstream supplier inclusions and compliance artifact distribution to downstream partners and consumers.
Conducting a last-minute code audit soon before a release is neither sufficient nor efficient. Instead, companies must constantly manage their open-source program. They must integrate it into their development toolchain for their applications to be evaluated at every stage of the DevOps cycle, from the artifact repository to the Integrated Development Environment (IDE), build pipeline, code check-in, and application deployment. As release cycles speed up, a continuous scanning technique helps them keep up with the volume of third-party code they consume and allows them to operate on more minor changes as code churns.
Create a Winning Environment for the Team
In recent years, much of the effort in managing open source has shifted to software development and security teams. However, as part of their professional development, many of these individuals have not obtained adequate training in OSS security management and license compliance. It’s unreasonable to expect a good outcome from someone who hasn’t been set up to succeed. Businesses must ensure that they invest in necessary training that covers a broad range of OSS subjects, such as common license types, restrictions, obligations, and specifics about its open-source and security policies and processes.
Understand the Significance of Automation
Automation is a powerful tool for reducing manual work, speeding up turnaround times, and eliminating decision-making errors, all while improving process consistency. However, there are some disadvantages to it. The volume of open source and other third-party components used in applications and their complexity is increasing. There is often a mix of technologies within an application, some of which are well suited to automated discovery and others that are not.
Understanding the quality vs. time vs. resources ratio is critical. Each team must evaluate this based on their level of risk tolerance. For many types of risk mitigation, some amount of human intervention will always be required. For some products, a push-button technique may be ideal, but it may not be for others. Businesses must be aware of the balance and make informed decisions.