In our previous blog, we discussed how open source adoption introduces two risk factors to the enterprise: license compliance and security vulnerabilities. To help mitigate these risks, organizations need visibility and control over open source software (OSS) licensing and security. This starts with adopting an encompassing OSS acquisition policy.
A dedicated OSS governance group (or a subset of the development team) is created and then tasked with maintaining and enforcing the policy. This group is responsible for scanning the code base, defining companywide sets of permissions around specific OSS use, and enforcing corporate OSS acquisition rules.
To automate these tasks, OSS governance teams adopt on-premises auditing and usage management solutions. However, given the scale and distribution of OSS, this traditional approach has proven only partially successful and still suffers from several clear challenges.
Challenges for on-premises OSS governance
The growing complexity of OSS licensing and the multitude of paths by which OSS code makes its way into the enterprise demand specific expertise: first to identify the OSS code and resolve it to its sources, and then to understand the specifics and restrictions of each license obligation. Building an inventory of OSS packages can be done to some extent by automated scanning technologies, but turning the raw scan results into an accurate inventory and deciphering the licensing obligations requires domain expertise.
Companies must dedicate resources to OSS governance. Scanning and analyzing the audit data requires a well-trained expert. Often, new OSS code is not introduced continuously, even in Agile environments. To save costs, companies usually allocate expensive developers' time to perform these scans rather than recruit full-time dedicated resources. This is inefficient and costly, since OSS auditing is not the developer's primary area of expertise and the time taken away from development delays the actual application release.
Maintaining an on-premises system requires physical infrastructure, IT management resources, and constant maintenance. The scanning and OSS resolution systems are heavy on data and processing because of the sheer volume of available OSS code. Some lighter solutions only scan package-level data (declared dependencies and manifests) rather than code snippets and individual files. Though this may satisfy some compliance standards, it is not sufficient to address license or security concerns: OSS scanning also needs the ability to identify partial packages and embedded pieces of "copy & paste" code snippets that never appear in any manifest. These computing requirements increase the total cost of ownership (TCO) of on-premises solutions.
Effectively enforcing strict OSS usage policies can work well in large, disciplined organizations that have the process in place and the resources to fully control and maintain usage policies. Most organizations do not see the value in investing in such an intense level of control and prefer to use their resources elsewhere. Governance effectiveness is also limited because it is difficult to track the sources from which code, OSS included, makes its way into an application. As the size of applications and the number of developers grow, proactively enforcing OSS acquisition policies becomes a burden, and usually the "library" of approved components cannot keep up with the pace of innovation in the OSS world.
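To make the package-level versus snippet-level distinction concrete, here is an added example (written for this page, not code from the original post or from any product it describes) of a small winnowing-style fingerprint scanner. The reference corpus, the application file, the package names, versions and licenses are all constructed sample data; the point is that the manifest declares only `tinyparse`, while a function pasted from `libfoo` (reformatted, with a comment added) is only found by matching token fingerprints against the reference corpus.

```python
import hashlib
import re

# Constructed reference corpus standing in for a real OSS index: one function
# per entry with its (made-up) package, version and license.
REFERENCE_CORPUS = [
    {
        "package": "libfoo", "version": "1.2.0", "license": "GPL-2.0",
        "source": """
int foo_checksum(const unsigned char *buf, size_t len) {
    unsigned int sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum = (sum << 3) ^ buf[i];
    }
    return sum & 0xffff;
}
""",
    },
    {
        "package": "tinyparse", "version": "0.4", "license": "MIT",
        "source": """
static int parse_int(const char *s, int *out) {
    char *end;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\\0') return -1;
    *out = (int)v;
    return 0;
}
""",
    },
]

# Constructed application file: the manifest declares only tinyparse, but a
# developer pasted foo_checksum from libfoo (reformatted, comment added).
APP_SOURCE = """
/* application code */
int app_validate(const unsigned char *pkt, size_t n) {
    if (n < 4) return 0;
    return foo_checksum(pkt, n) == 0x1234;
}

// helper copied from somewhere on the internet
int foo_checksum(const unsigned char *buf, size_t len)
{
  unsigned int sum = 0;
  for (size_t i = 0; i < len; i++) { sum = (sum << 3) ^ buf[i]; }
  return sum & 0xffff;
}
"""
APP_MANIFEST = {"tinyparse": "0.4"}  # package-level view: declared dependencies only


def tokenize(src):
    """Strip C comments, split into tokens and lower-case them, so that
    reformatting and comment edits do not change the token stream."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", src, flags=re.S)
    return [t.lower() for t in re.findall(r"[A-Za-z_]\w*|\d+|\S", src)]


def fingerprints(src, k=6, window=4):
    """Winnowing-style fingerprints: hash every k-token window, then keep the
    minimum hash of each run of `window` consecutive hashes."""
    tokens = tokenize(src)
    hashes = [hashlib.sha256(" ".join(tokens[i:i + k]).encode()).hexdigest()[:16]
              for i in range(len(tokens) - k + 1)]
    if not hashes:
        return set()
    return {min(hashes[i:i + window]) for i in range(max(1, len(hashes) - window + 1))}


def snippet_coverage(app_src, corpus=REFERENCE_CORPUS):
    """For each reference entry, the fraction of its fingerprints that also
    occur in the application file (1.0 = whole function present verbatim)."""
    app_fps = fingerprints(app_src)
    return {e["package"]: len(fingerprints(e["source"]) & app_fps) / len(fingerprints(e["source"]))
            for e in corpus}


def audit(app_src, manifest, threshold=0.5, corpus=REFERENCE_CORPUS):
    """Contrast the manifest (package-level) with snippet-level matches and
    list components that are embedded in the code but never declared."""
    coverage = snippet_coverage(app_src, corpus)
    detected = {pkg for pkg, cov in coverage.items() if cov >= threshold}
    by_pkg = {e["package"]: e for e in corpus}
    return {
        "declared": sorted(manifest),
        "snippets_found": sorted(detected),
        "undeclared": sorted(f'{p} {by_pkg[p]["version"]} ({by_pkg[p]["license"]})'
                             for p in detected if p not in manifest),
    }


if __name__ == "__main__":
    for key, value in audit(APP_SOURCE, APP_MANIFEST).items():
        print(f"{key}: {value}")
```

Running it reports `libfoo 1.2.0 (GPL-2.0)` as undeclared, which is exactly the kind of finding a manifest-only scan cannot produce: the license obligation attaches to the pasted function regardless of whether the package was ever installed. In practice the `k` and `window` parameters are tuned to trade false positives on boilerplate (short common idioms) against missed partial copies.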
Custom code coverage
OSS scanning and governance solutions in the hands of a skilled engineer will help identify components and their related known security threats. The more sophisticated attacks, however, target the application's custom code or its interfaces with OSS. Targeted attacks often chain multiple vulnerabilities to maximize impact. Finding security threats in custom or proprietary code requires a completely different level of expertise: proprietary code is not covered by the national CVE database, and automated OSS scanners will skip it. To achieve better application security coverage, companies need to complement the OSS audits with a deep diagnostic security audit.
Advantages of expert OSS audit
To provide better results at lower TCO, companies are increasingly choosing to rely on skilled experts to perform their OSS audits. It is no different from moving to a cloud platform instead of having your developers build and maintain the data center. Expert OSS auditors combine automated scanning technologies with manual OSS resolution. Processing and analysis are done remotely, relieving the enterprise from deploying and maintaining a scanning environment on-premises. Consistent, professional OSS analysis experts can be called in as needed for a specific, focused task rather than diverting developers from delivering the application. Understanding how licensing models apply, and which security threats are unique to the application's distribution model and environments, is not usually a task developers are trained to deliver.
One of the key advantages of such audits is that they also cover the custom application code and so provide additional layers of protection from proprietary code vulnerabilities. As security becomes a greater concern for the enterprise, it is critical to have visibility into the OSS components comprising the application. An audit provides the company with an inventory of all OSS; from that point on, monitoring the public vulnerability database against that inventory allows the company to ensure that its code stays compliant.
As an on-demand or periodic service, it is up to the company to determine the required frequency of the audits. It often depends on the typical rate at which new OSS components are introduced to the application and the cadence of its releases to production. Whether the application is re-examined quarterly or even monthly, incremental audits identify changes in the OSS inventory. An annual audit may be sufficient for mature production applications that see fewer architectural changes. Choosing the audit solution to match the characteristics of the applications allows companies to lower their TCO while acquiring the highest level of expertise to ensure security and compliance.
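The two activities described above, monitoring a public vulnerability feed against the audited inventory, and diffing the inventory between incremental audits, are shown together in this added example. It is not code from the original post or from any audit provider; the inventory, the feed records and the `EXAMPLE-VULN-*` identifiers are constructed placeholders, and the version-range syntax (`>=1.0.0,<1.2.3`) is a simplified stand-in for the ranges real advisory feeds publish.

```python
import re

# Constructed inventory as an audit would hand it over: package, version, license.
PREVIOUS_INVENTORY = [
    {"package": "libfoo", "version": "1.2.0", "license": "GPL-2.0"},
    {"package": "tinyparse", "version": "0.4.0", "license": "MIT"},
]
CURRENT_INVENTORY = [
    {"package": "libfoo", "version": "1.2.0", "license": "GPL-2.0"},
    {"package": "tinyparse", "version": "0.4.1", "license": "MIT"},
    {"package": "webutil", "version": "3.0.0", "license": "Apache-2.0"},
]

# Constructed vulnerability feed records; identifiers are placeholders, not real CVEs.
VULN_FEED = [
    {"id": "EXAMPLE-VULN-0001", "package": "libfoo", "affected": ">=1.0.0,<1.2.3", "severity": "high"},
    {"id": "EXAMPLE-VULN-0002", "package": "tinyparse", "affected": "<0.4.0", "severity": "medium"},
    {"id": "EXAMPLE-VULN-0003", "package": "webutil", "affected": ">=3.0.0,<=3.0.0", "severity": "critical"},
]

_CONSTRAINT = re.compile(r"^(>=|<=|==|>|<)\s*([0-9]+(?:\.[0-9]+)*)$")
_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


def parse_version(text, width=3):
    """'1.2' -> (1, 2, 0): numeric components, zero-padded so tuples compare cleanly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def version_affected(version, spec):
    """True when `version` satisfies every comma-separated constraint in `spec`."""
    v = parse_version(version)
    for part in spec.split(","):
        m = _CONSTRAINT.match(part.strip())
        if not m:
            raise ValueError(f"unsupported constraint: {part!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def match_inventory(inventory, feed):
    """Join the audited inventory against the feed; one finding per affected pair."""
    findings = []
    for item in inventory:
        for adv in feed:
            if adv["package"] == item["package"] and version_affected(item["version"], adv["affected"]):
                findings.append({"package": item["package"], "version": item["version"],
                                 "id": adv["id"], "severity": adv["severity"]})
    return findings


def new_findings(findings, already_tracked):
    """Periodic monitoring only needs advisories not seen on a previous run."""
    return [f for f in findings if f["id"] not in already_tracked]


def inventory_diff(previous, current):
    """What an incremental audit reports: added, removed and version-changed packages."""
    prev = {i["package"]: i["version"] for i in previous}
    curr = {i["package"]: i["version"] for i in current}
    return {
        "added": sorted(set(curr) - set(prev)),
        "removed": sorted(set(prev) - set(curr)),
        "changed": sorted((p, prev[p], curr[p]) for p in set(prev) & set(curr) if prev[p] != curr[p]),
    }


if __name__ == "__main__":
    print("inventory changes:", inventory_diff(PREVIOUS_INVENTORY, CURRENT_INVENTORY))
    for f in new_findings(match_inventory(CURRENT_INVENTORY, VULN_FEED), {"EXAMPLE-VULN-0001"}):
        print("new finding:", f)
```

The inventory is the durable artifact: once the audit has produced it, the matching step is cheap and can run on every feed update, while `inventory_diff` is what bounds the scope of a quarterly or monthly re-examination to the packages that actually changed.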