The Gartner Security & Risk Management Summit in June highlighted the leading security technologies and the impact they will have on IT organizations going forward. Security has become a critical element of IT organizations' digital business initiatives, and the technologies list presented by the analysts suggests key areas of focus for IT organizations in 2017.
The threat level to the enterprise continues to be high this year, and new technologies need to address threats related to cloud services, big data, mobile, and containerized environments in rapid-release DevOps pipelines. While container security and cloud workload protection are widely expected to be in the spotlight because of the attention the underlying technologies receive, one less expected, very specialized technology featured in the 2017 top list is OSS security scanning, or Software Composition Analysis. OSS scanning has been around for a while; however, it keeps evolving in breadth and scope with the massive expansion of open source software adoption. While common in IP acquisition scenarios and a standard requirement during M&A transactions, OSS scanning is also moving into the mainstream enterprise application space.
Software composition analysis solutions perform the OSS audit by investigating the source code and files that make up the application and providing the IT organization with a complete inventory of the commercial, proprietary, and open source components used in it. While knowing how an application is built is important for proper maintenance and management, the reason most companies initially conduct an OSS audit is to mitigate the risk of hidden security vulnerabilities in their applications, or to avoid the IP rights and use model challenges that result from complex OSS licensing obligations.
As a leading provider of advanced OSS audit and software composition analysis services, we are not surprised by the technology's position in Gartner's top technologies for 2017. The growth of open source use in the enterprise is steady and continues to accelerate. In hundreds of application audits performed by Rogue Wave for our predominantly enterprise customer base, we find that over 98 percent of the applications scanned contained open source software. In fact, almost half of the files scanned within those applications contained OSS. Licensing challenges are also commonly identified: 60 percent of applications audited in 2016 contained strong copyleft licenses, which require companies to open source their proprietary code or prohibit any commercial use. Developers embed OSS code pieces or entire packages in their projects as a common practice, making any type of governance practically ineffective. Without composition analysis, it would be extremely difficult to find and maintain these code elements down the road. Thousands of high-quality components are available to developers, who rely on a diverse composition of OSS packages to address specific business needs and accelerate new functionality releases. We find on average 63 different OSS components utilized per application.
This becomes a complex matrix when we consider that OSS may enter from multiple sources: in-house developers, outsourcing vendors, commercial software, acquired software, OEMs, and OSS projects that themselves use other components. Take, for example, vendors relying on a long supply chain of components and embedded parts, such as automotive or aerospace manufacturers. These industries, which see massive growth in IoT and connected devices making their way into their delivered products, have already developed very strict security and quality standards to address the tremendous cost and risk of launching a poor-quality product. But with open source making its way into their supply chain, they are now concerned with licensing and security issues related to OSS code hiding in the massive code base going into a car or aircraft.
OSS is neither less secure nor more difficult to maintain than proprietary code; arguably it is even more secure. The challenge, however, is awareness: understanding the composition of the application. This is exactly where OSS scanning, or composition analysis, becomes a key technology to consider and a top choice for 2017. Regardless of the size or number of applications, the audit service provides complete insight into the composition of the application, the impact of license obligations for the specific use models, and a detailed analysis of the security vulnerabilities present in the code.
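To make the inventory, license-obligation and vulnerability checks described above concrete, here is an added example of a minimal composition-analysis pass in Python. It is not Rogue Wave's product code or any real SCA tool; the manifest, the component-to-license table, the advisory list and the identifiers such as EXAMPLE-ADV-001 are all constructed for illustration. It parses a requirements.txt-style manifest, builds the component inventory, flags strong copyleft licenses (the obligation class called out in the audit statistics), and matches each pinned version against an advisory's affected range.

```python
"""Minimal software composition analysis (SCA) style inventory check.

Added example, not Rogue Wave's product code or a real SCA tool. It parses a
requirements.txt-style manifest, builds an inventory of third-party
components, flags strong copyleft licenses, and matches components against
a small advisory list. All component names, licenses and advisories below
are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed manifest, in requirements.txt style ("name==version" per line).
SAMPLE_MANIFEST = """\
# application dependencies (constructed sample)
webframework==2.3.1
jsonparser==1.0.4
imagetool==0.9.2   # pinned for compatibility
cryptolib==3.2.0
"""

# Constructed component metadata. A real SCA service draws this from a
# curated database; these names and licenses are made up.
COMPONENT_LICENSES = {
    "webframework": "BSD-3-Clause",
    "jsonparser": "MIT",
    "imagetool": "GPL-3.0-only",
    "cryptolib": "Apache-2.0",
}

# Constructed advisories: first affected version (inclusive), first fixed
# version (exclusive), and a placeholder identifier.
ADVISORIES = [
    {"component": "cryptolib", "introduced": "3.0.0", "fixed": "3.2.1",
     "id": "EXAMPLE-ADV-001"},
    {"component": "jsonparser", "introduced": "0.5.0", "fixed": "1.0.0",
     "id": "EXAMPLE-ADV-002"},
]

STRONG_COPYLEFT_PREFIXES = ("GPL-", "AGPL-")
WEAK_COPYLEFT_PREFIXES = ("LGPL-", "MPL-", "EPL-")


@dataclass
class Component:
    name: str
    version: str
    license: str = "UNKNOWN"
    license_class: str = "unknown"
    advisories: list = field(default_factory=list)


def parse_version(v):
    """Dotted numeric version -> comparable tuple, e.g. "3.2.0" -> (3, 2, 0)."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Return (name, version) pairs; only exact pins are accepted so the
    inventory is reproducible."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9.]*)$", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {raw!r}")
        pairs.append((m.group(1).lower(), m.group(2)))
    return pairs


def classify_license(spdx_id):
    """Bucket an SPDX-style identifier by the obligation it imposes."""
    if spdx_id.startswith(STRONG_COPYLEFT_PREFIXES):
        return "strong-copyleft"
    if spdx_id.startswith(WEAK_COPYLEFT_PREFIXES):
        return "weak-copyleft"
    if spdx_id == "UNKNOWN":
        return "unknown"
    return "permissive"


def affected(version, advisory):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def build_inventory(manifest_text, licenses=COMPONENT_LICENSES, advisories=ADVISORIES):
    """Inventory every component with its license class and matching advisories."""
    inventory = []
    for name, version in parse_manifest(manifest_text):
        lic = licenses.get(name, "UNKNOWN")
        comp = Component(name, version, lic, classify_license(lic))
        comp.advisories = [a["id"] for a in advisories
                           if a["component"] == name and affected(version, a)]
        inventory.append(comp)
    return inventory


def summarize(inventory):
    """The counts an auditor wants first: total, copyleft, vulnerable, unknown."""
    return {
        "components": len(inventory),
        "strong_copyleft": sorted(c.name for c in inventory if c.license_class == "strong-copyleft"),
        "vulnerable": sorted(c.name for c in inventory if c.advisories),
        "unknown_license": sorted(c.name for c in inventory if c.license_class == "unknown"),
    }


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_MANIFEST)
    for c in inv:
        print(f"{c.name:12} {c.version:8} {c.license:14} {c.license_class:16} {c.advisories}")
    print(summarize(inv))
```

Running it on the constructed manifest reports four components, one strong copyleft dependency (imagetool) and one vulnerable version (cryptolib 3.2.0, inside the EXAMPLE-ADV-001 range), while jsonparser 1.0.4 is past its fixed version and is not flagged. A component missing from the license table lands in the "unknown" bucket rather than being silently treated as permissive, and an unpinned requirement is rejected, since an inventory built from floating versions cannot be tied to a specific advisory range.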