Open Source Dependency Management as a Risk Mitigator in Modern Software Development
Motivation
The software development industry is increasingly adopting open source software (OSS) , such as libraries, modules or just snippets, to both increase time-to-market and reduce development costs. OSS has been deeply absorbed from startups to large enterprises and even governments.
However, organizations that rely heavily on open source dependencies face a myriad of risks concerning the license models of each dependency, as well as, how vulnerable to threats they are. Adding a degree of code surveillance is a must for enterprises that want to mitigate financial and security risks, and brand exposure.
Software Composition Analysis (SCA)
Having hundreds or thousands of dependencies in the codebase to investigate is certainly an unfeasible task to manually pursue, thus a higher degree of automation is required. Luckily there are companies providing specialized software around this topic. Such tools are categorized as Software Composition Analysis (SCA) and provide a comprehensive amount of features that help mitigate risks many software organizations are not looking at today, mostly related to licensing and security issues with open source code.
Licensing Concerns
"Do you know what licenses lie beneath your product?"
Protecting the company against intellectual property misuse due to violation of open source licenses can become tricky as combining open source software to deliver a product may lead to conflicting licensing schemas. License violation may impose financial setbacks and possibly require changes to a running architecture to replace components, or even rebuilding them from scratch.
License violation prevention used to come into play in two options:
- Letting developers understand license models and invest time into getting the right component with the right license for the project which might not be feasible to track;
- Having a procurement and intellectual property team to oversee what is being used and report on that.
Security Concerns
Open source dependencies are software components engineered by third-party teams which may or may not have followed security best practices, so they are out of control of the organization making use of it.
Exploits on software, including open source, are made public regularly in global vulnerability databases, like NVD (U.S. National Vulnerability Database) and CVE (Common Vulnerabilities and Exposures). Those databases can work as a reference to the security team but also exposes weaknesses to attackers.
But how can a team follow up and track a large amount of open source dependencies and be able to raise a flag when action is required as a vulnerability is found?
Capabilities of Software Composition Analysis tools automate the entire process of vulnerability analysis and, in some cases, even indicate the actions that need to be taken for remediation
Top Contenders & Features
Encora experts analyzed the strongest players in the market and compiled a list of the main features to consider when selecting the best fit for each scenario:
- Dependency discovery
- License analysis
- Vulnerability analysis in public and private vulnerability databases
- Ability to do risk classification
- Ability to provide recommendations and solutions for known issues
- Ability to apply fixes to detected vulnerabilities
- Intuitive dashboards and reports
- Ability to track the score progress of each software version
- Ability to be integrated into DevOps pipelines
- Keep false positives low
- Keep execution duration to a minimum
- Support for a large range of programming languages
Price ranges vary between the tools as each has a subset of the presented features, but in general it
is calculated based on the number of developers contributing to a project. Among the top contenders we analyzed, three stand out:
BlackDuck is easy to use, feature rich and supports a good set of languages. Its Web interface is well designed and easy to understand. It fits continuous integration pipelines and supports all the reports needed for vulnerability and license compliance.
Snyk succeeds on usability, but lacks on features compared to the other contenders. One can navigate easily in its features and achieve the main objectives for license and vulnerability management. As well as the other contenders, Snyk has the ability to be integrated in the continuous integration builds
WhiteSource provides a web interface that can be difficult to understand at first, but comes with a lot of functionalities. With its rich set of supported languages, capabilities and integrations, it’s leading the evolution of SCA tools.
Assessing Value of Investment in SCA
To assess SCA value for money, the software organization first needs to understand the risks that will be mitigated versus the cost of letting those risks happen. Then a clear business case can be structured to enable SCA tools adoption.
How Encora Can Help
Encora recommends that a software composition analysis tool should be part of the software development lifecycle, inserted in a DevOps pipeline as close as possible to developers, because the sooner a risk is detected and corrected, the more valuable the tool is.
Defining exactly when, where and how often to execute the analysis and remediation can be challenging depending on the requirements and specific toolset in place. This is particularly true if there’s a need for very fast development cycles in which case keeping the pipeline lean is critically important. But the effort cannot end there.
Although the tools analysis reports are able to give a lot of insights, software development expertise is
required to correctly interpret issues and exploits discovered by the SCA tool, in order to adjust risk perception and develop custom policies. For instance, vulnerabilities may apply only if specific use cases are in place, which might not be true.
This scenario may translate into a need to augment teams for capacity or capability within either the DevOps or Security domains. If this is the case, Encora is available to assist with assessment, adoption and operation of SCA tools.
Conclusion
Software Composition Analysis tools bring an important level of compliance monitoring to software development organizations. At first as an eye-opener, they will soon be a must-have for any company concerned with legal risks and brand exposure. Good commercial tools are available, however in order to unlock the full potential of the technology, having DevOps and Security skills in the team is strongly recommended.