Manage open source risk in turbulent times through governance & automation – ITProPortal

The phrase corporate change management frequently conjures images of CEOs, executives and leadership teams spearheading responses to market fluctuations, industry shifts, technological disruption and unknown forces like the current coronavirus pandemic. Todays turbulent times require a fresh approach. Modifications to processes organisation-wide can help teams prepare and respond to changing environments, while strengthening an organisations position and ability to withstand challenges.

When any of the events above happen, companies can find themselves with reduced or reorganised resources. When resources are limited, automating processes that were previously done manually can become top priority. As companies take cost cutting measuresreducing staff, streamlining teams, tightening their belts on resourcesit becomes a good time to strengthen infrastructure, technology and back office systems and processes.

One area where this is particularly relevant is in the management of open source software (OSS), including management of the license compliance and security issues that come with its use. Developers leverage OSS in their proprietary applications to speed up time to market and drive innovation; applications often include up to 80 per cent+ of OSS. However, the OSS knowledge gap continues to increase, with an OSS usage disclosure rate of only 6 per cent of what is actually found in audits. This usage can lead to more security vulnerabilities, exploits and breaches, driving an emphasis on regulations from multiple industry groups. Now is not the time to reduce open source usage or disregard open source risk.

Software Composition Analysis (SCA) is the process of identifying and recording the use of all open source software components in your codebase. Open source software can enter your codebase in many forms including software packages, containers, build dependencies, complete source code files, copy/paste fragments of source code files, binaries, images, documents and multimedia files. SCA helps manage IP risks due to non-compliance with legal obligations, security risks due to vulnerable OSS components and reputation risks. Ignoring or deprioritising SCA due to resource constraints might seem prudent in the short-term, but can lead to incompleteness and inaccuracies in your Software Bill of Materials (SBOM), leading to an increase in the aforementioned risks over time.

The need to respond to corporate changes presents an opportunity to invest in engineering process improvements and technical debt burndown, while mitigating the risk that comes with reliance on OSS components. Limited engineering cycles mean that wasting time on remediation isnt wise; anything that can help catch issues early and often becomes a critical task to allow engineering to continue to focus on innovation. Integrating SCA into the DevOps process can help companies gear up for higher customer demand when the economy improves and the pace of engineering further increases. Managing open source risk in a changing environment is all about governance and automation, in tandem.

Governanceincluding oversight and controlof an open source software usage program is more important than ever to protect against malicious attacks in times of disruption or great change. In order to implement any governance program, understanding whats in your software is essential. A SBOM, created through the SCA process, becomes imperative for any effective governance program. The SBOM provides transparency into the makeup of your software applications and records the sub-components and dependencies, along with associated licenses and security vulnerabilities comprising your applications. The SBOM can help inform your approach to open source policy and help you react to vulnerabilities. Due to the level of complexity in todays software applications, without a complete and accurate SBOM, achieving and governing a complete, secure open source ecosystem is impossible.

There is no time like the present to establish an open source governance program and integrate it into the development toolchain in order to comply with open source licenses, manage obligations and maintain up-to-date knowledge of relevant security vulnerabilities impacting your application. Rather than performing ad-hoc scans or implementing scanning toward the end of your application development cycle, start earlier in the DevOps lifecycle, with an automated and cost-effective process. This expand-left approach helps manage compliance and security risks early and often, while protecting your intellectual property (IP). On the other hand, an incomplete, delayed or ignored SCA process may lead to costly litigation or last-minute remediation work.

Moving this scanning earlier in the lifecycleand scanning oftencan help streamline the efforts required to meet regulatory standards. For example, SBOMs are essential to meet PCI (payment account data) standards for secure software; the EUs General Data Protection Regulation (GDPR) requirements for security of processing; the US Food & Drug Administration (FDA) updated cybersecurity recommendations; and the National Telecommunications and Information Administration (NTIA) guidelines for software component transparency. All of these initiatives share the following common requirements to:

The good news is that all of these requirements can be satisfied with continuous SCA. In a nutshell, continuous SCA is an evolution from ad-hoc audits to a manage by exception process. It includes the following key initiatives:

As staff contracts and internal audit teams are often scaled back during times of turbulence and extreme corporate changes, remaining staff gets burdened with more work. That skeleton crew must prioritise efficiency and productivity in order to get through the workload.

Automation in SCA makes up for lost and often forgotten manual efforts. An automated, standardised and repeatable process can help manage open source license inventory with increased accuracy, even at a time when staffing constraints are particularly tight. However, like all complex processes that require human interpretation, some manual processes will always remain. It is therefore important to factor those into your process and help set the right expectation with your stakeholders.

An automated SCA lifecycle includes:

Automation makes open source management an intrinsic part of an engineering process. First and foremost for staff, it means that no one has to push a button or otherwise remember to start an inventory management process at a particular time. Automated alerts inform users of critical changes to their SBOM items, including IP compliance issues and new security vulnerabilities. Tasks are automatically created and assigned to the appropriate users to track remediation work for non-compliant items.

Data currency is also strengthened through automation. Manual methods, including audits, provide snapshots of a codebase at a particular point in time. While useful, these snapshots become outdated quickly and can result in compliance issues being identified too late into the software development life cycle. Furthermore, the volume of data in a snapshot model is overwhelming, whereas an automated, continuous use approach is more manageable. Since your codebase and the resulting SBOM arent static, integrating code scanning into the DevOps environment is a way to ensure that risks are caught and remediated early and often. The cost to remediate a security issue in a released application can be up to 150x that of an issue being identified early in the development process.

Nothing is static. Code isnt static and neither are the processes related to ensuring its security. The only constant is change. Because risk compounds over time, addressing risk early and implementing an effective program for ongoing monitoring of that risk is critical. Ignoring license compliance or deferring security risk management can be more costly in the long run than actualising an open source governance program from the start.

Alex Rybak, Director of Product Management, Revenera

Read this article:
Manage open source risk in turbulent times through governance & automation - ITProPortal