Open source dependency management as a risk mitigator in modern software development
The software development industry is increasingly adopting open source software (OSS), such as libraries, modules or just snippets, to both increase time-to-market and reduce development costs. OSS has been deeply absorbed from startups to large enterprises and even governments.
However, organizations that rely heavily on open source dependencies face a myriad of risks concerning the license models of each dependency, how vulnerable to threats they are and how they are maintained. Adding a degree of code surveillance is a must for enterprises that want to mitigate financial and security risks and brand exposure.
Software Composition Analysis (SCA)
Having hundreds or thousands of dependencies in the codebase to investigate is certainly an unfeasible task to manually pursue, thus a higher degree of automation is required. Luckily there are open source and commercial specialized software around this topic. Such tools are categorized as Software Composition Analysis and provide a comprehensive number of features that help mitigate risks many software organizations are not looking at today, mostly related to licensing and security issues with open source code.
Do you know what licenses lie beneath your product?
Protecting the company against intellectual property misuse due to violation of open source licenses can become tricky as combining open source software to deliver a product may lead to conflicting licensing schemas. License violation may impose financial setbacks and possibly require changes to a running architecture in order to replace components or even rebuild it from scratch.
License violation prevention used to be approached in two ways:
- Letting developers understand license models and invest time into getting the right component with the right license for the project which might not be feasible to track;
- Have a procurement and intellectual property team to oversee what is being used and report on that.
These approaches do not scale in a scenario where software is composed of hundreds, if not thousands, of open source components. They are usually implemented as a sign-off process to include a dependency in a project but do not include continuous monitoring of the dependencies or tracking of version upgrades. This is where modern Software Composition Analysis tools can help. By providing real-time analysis of license usage - as new components are added to the codebase - and visibility of dependencies, they reduce the burden on teams that will now be able to just focus on development and remediation.
Open source dependencies are software components engineered by third-party teams which may or may not have followed security best practices, so they are outside the control of the organization making use of them.
Vulnerabilities in software, including open source, are made public regularly in global vulnerability databases like NVD (U.S. National Vulnerability Database) and CVE (Common Vulnerabilities and Exposures). These databases can work as a reference for the security team, but they also expose weaknesses to attackers.
But how can a team follow up and track a large number of open source dependencies and be able to raise a flag when action is required as a vulnerability is found?
Capabilities of Software Composition Analysis tools automate the entire process of vulnerability analysis and, in some cases, even indicate the actions that need to be taken for remediation.
Top Contenders & Features
Encora experts analyzed the strongest players in the market and compiled a list of the main features to consider when selecting the best fit for each scenario:
- Dependency discovery
- License analysis
- Vulnerability analysis in public and private vulnerability databases
- Ability to do risk classification
- Ability to provide recommendations and solutions for known issues
- Ability to apply fixes to detected vulnerabilities
- Intuitive dashboards and reports
- Ability to track the score progress of each software version
- Ability to be integrated into DevSecOps pipelines
- Keep false positives low
- Keep execution duration to a minimum
- Support for a large range of programming languages
Based on this feature set, we evaluated open source and commercial SCA tools.
Open source tools
The open source landscape for SCA tools is mostly focused on vulnerability analysis but lacking in license analysis. In general, the tools are focused on a single programming language or package manager and do not provide advanced reporting features or dashboards.
Among the projects we analyzed, we would like to highlight OWASP’s Dependency-Track:
OWASP’s Dependency-Track is one of the few open source offerings that support both vulnerability and license analysis. It is an API-first product that can be easily integrated with CI/CD pipelines. It relies on other tools to create a Software Bill of Materials (SBOM), which can then be uploaded to the service for analysis. It also features a web UI where you can check the results and create reports.
Commercial tools
Price ranges vary between the tools as each has a subset of the presented features, but in general, it is calculated based on the number of developers contributing to a project.
Among the top contenders we analyzed, three stand out:
Black Duck is easy to use, feature-rich and supports a good set of languages. Its Web interface is well designed and easy to understand. It fits continuous integration pipelines and supports all the reports needed for vulnerability and license compliance. Black Duck is featured as a leader in Forrester’s Wave for SCA (Q3, 2021).
Snyk succeeds in usability and vulnerability analysis but is weaker on license compliance features compared to the other contenders. One can navigate easily in its features and achieve the main objectives for license and vulnerability management. Like the other contenders, Snyk has the ability to be integrated into the continuous integration builds. Snyk is featured as a Strong Performer in Forrester’s Wave for SCA (Q3, 2021).
WhiteSource provides a web interface that can be difficult to understand at first but comes with a lot of features. It supports a rich set of languages, capabilities and integrations. It has a Merge Confidence score which measures the potential of an update to break the build. WhiteSource is featured as a leader in Forrester’s Wave for SCA (Q3, 2021).
Assessing Value of Investment in SCA
To assess SCA value for money, the software organization first needs to understand the risks that will be mitigated versus the cost of letting those risks happen. Then a clear business case can be structured to enable SCA tools adoption.
How Encora Can Help
Encora recommends that a Software Composition Analysis tool should be part of the software development lifecycle, inserted in a DevSecOps pipeline as close as possible to developers, because the sooner a risk is detected, the cheaper it is to correct.
Defining exactly when, where and how often to execute the analysis and remediation can be challenging depending on the requirements and specific toolset in place. This is particularly true if there's a need for very fast development cycles in which case keeping the pipeline lean is critically important. But the effort cannot end there.
Although the tools’ analysis reports are able to give a lot of insights, software development expertise is required to correctly interpret the issues and exploits discovered by the SCA tool, in order to adjust risk perception and develop custom policies. For instance, a vulnerability may apply only if a specific use case is in place, which may not be the case for the product.
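As an added example (not code from this page or from Dependency-Track), this is the kind of custom policy check a DevSecOps pipeline can run over a CycloneDX SBOM like the one Dependency-Track ingests: it flags denied licenses, matches components against an advisory list, and records a justified suppression for a finding that does not apply to the product's use case. The SBOM, the ADV-* advisory ids and the policy are all constructed for the example.

```python
import json

# Constructed CycloneDX-style SBOM for the example (not a real project's
# SBOM); component names, versions and licenses are made up.
SBOM_JSON = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "left-pad", "version": "1.3.0", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "example-parser", "version": "2.0.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "example-http", "version": "4.2.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
]})

# Constructed advisory list in the shape an SCA backend returns after matching
# components; the ADV-* ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-0001", "name": "example-http", "fixed_in": "4.3.0", "severity": "high"},
    {"id": "ADV-0002", "name": "example-parser", "fixed_in": "2.0.2", "severity": "medium"},
]

# Hypothetical custom policy: licenses the product must not ship, severities that
# block a build, and suppressions with a recorded justification for non-applicable findings.
POLICY = {
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
    "block_at": {"high", "critical"},
    "suppressions": {"ADV-0002": "parser never receives untrusted input in this product"},
}

def version_tuple(version):
    """Compare dotted numeric versions as integer tuples (1.10.0 > 1.9.0)."""
    return tuple(int(part) for part in version.split("."))

def evaluate(sbom_json, advisories, policy):
    """Return (findings, blocking): all findings, and whether any should fail the pipeline."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {}).get("id")
            if lic in policy["denied_licenses"]:
                findings.append({"component": comp["name"], "kind": "license",
                                 "detail": lic, "blocking": True})
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            if version_tuple(comp["version"]) >= version_tuple(adv["fixed_in"]):
                continue  # already on a fixed release
            reason = policy["suppressions"].get(adv["id"])
            findings.append({"component": comp["name"],
                             "kind": "suppressed" if reason else "vulnerability",
                             "detail": adv["id"] if not reason else f"{adv['id']}: {reason}",
                             "blocking": not reason and adv["severity"] in policy["block_at"]})
    return findings, any(f["blocking"] for f in findings)
```

A real pipeline would replace the constructed advisory list with the SCA tool's findings and fail the job when `blocking` is true, while keeping each suppression and its justification under review.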
This scenario may translate into a need to augment teams for capacity or capability within either the DevSecOps or Security domains. If this is the case, Encora is available to assist with the assessment, adoption and operation of SCA tools.
Software Composition Analysis tools bring an important level of compliance monitoring to software development organizations. At first as an eye-opener, they will soon be a must-have for any company concerned with legal risks and brand exposure. Good commercial tools are available, however, in order to unlock the full potential of the technology, having DevSecOps and Security skills in the team is strongly recommended.
Fast-growing tech companies partner with Encora to outsource product development and drive growth. Contact us to learn more about our software engineering capabilities.