An Open Source Risk Sherpa

Jun 27, 2022 | Portfolio Governance

Finding a Safer Path Through Open Source Risks

Open source software (OSS) has become ubiquitous: according to Gartner, over 70% of applications use open source components. While this dramatically shortens the time to market for delivering software, publicly disclosed vulnerabilities (tracked as Common Vulnerabilities and Exposures, or CVEs) in those components remain a significant risk, because a flaw in one widely reused library is inherited by every application that depends on it. Heartbleed is the canonical example: the bug sat in OpenSSL, which backs the Apache and nginx web servers that together served over 66% of active websites at the time, and the cost of fixing it has been estimated at almost $500 million.

Software Composition Analysis (SCA) products such as CAST Highlight automate the detection of OSS risks in enterprise software applications and provide insight into how to reduce the security and legal risks of using open source components. Recent innovations in CAST Highlight such as the Portfolio Advisor for Open Source will even recommend where to focus attention on the most serious risks across hundreds or even thousands of applications. But the best path to take when remediating an unsafe OSS component is not always clear. The latest release of CAST Highlight introduces the OSS Safe Component Version Recommender, which automatically recommends the best remediation path for an unsafe OSS component. It is like having an open source "Sherpa" giving you expert guidance on how best to navigate OSS risks.

Guidance from a Sherpa

The term "Sherpa" comes from the Sherpa people, an ethnic group of Tibetan origin native to the mountainous regions of Nepal. They became renowned as expert mountaineers and were often engaged as guides for climbers in the Himalayas, especially on Mount Everest, the highest mountain on earth. Today the term has become synonymous with an elite guide or mentor in other settings as well, including international negotiations such as the G20 summit.

The metaphor also fits the treacherous task of navigating insecure open source components. When an OSS component turns out to have critical CVEs, organizations often struggle with the number of options for remediating it: there may be dozens of newer versions to choose from, each with its own set of known vulnerabilities and its own upgrade cost, much like choosing a route up one of the highest mountains on the planet. Now imagine making that decision across the hundreds or thousands of applications in a typical enterprise portfolio. The new CAST Highlight OSS Safe Component Version Recommender acts as a Sherpa and automatically recommends safe upgrade paths for insecure OSS components.

Automated Recommendations for Safer Open Source

When CAST Highlight detects a critical CVE in your application portfolio, the new OSS Safe Component Version Recommender acts like a Sherpa and automatically recommends two upgrade paths:

  • Safer and Closest: a safer version to upgrade to that is as close as possible to the version currently in use, since it is not always easy to jump to a much newer version immediately (like a Sherpa breaking a long climb into shorter, more manageable segments on the way to the peak).
  • Safest: the safest available version, which is the one you should ultimately try to adopt (the Sherpa's final route to the peak).
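The two recommendations above amount to a selection rule over the component's release history and its advisory data. The following Python is an added illustration of that rule, not CAST Highlight's own code or algorithm: the release list, the advisories and their identifiers are all constructed for the example, and the risk ranking (critical count, then high count, then total count) is an assumption chosen to make one critical finding outrank any number of lower ones.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Risk = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn a dotted numeric version such as "1.4.0" into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


# Constructed catalogue for a hypothetical component "examplelib":
# every published version, in release order. Not real data.
RELEASES = ["1.2.0", "1.2.1", "1.3.0", "1.4.0", "2.0.0", "2.1.0"]

# Constructed advisories. Each affects the half-open range
# [introduced, fixed), so the "fixed" version itself is clean.
# The ids are placeholders, not real CVE identifiers.
ADVISORIES = [
    {"id": "EX-2022-0001", "introduced": "1.0.0", "fixed": "1.3.0", "cvss": 9.8},
    {"id": "EX-2022-0002", "introduced": "1.0.0", "fixed": "2.0.0", "cvss": 7.5},
    {"id": "EX-2022-0003", "introduced": "1.4.0", "fixed": "2.1.0", "cvss": 5.3},
]


def advisories_for(version: str) -> List[dict]:
    """All advisories whose affected range contains the given version."""
    v = parse_version(version)
    return [
        a for a in ADVISORIES
        if parse_version(a["introduced"]) <= v < parse_version(a["fixed"])
    ]


def risk(version: str) -> Risk:
    """Risk key (critical, high, total) using CVSS v3 severity bands.

    Tuples compare lexicographically, so a single critical finding
    outranks any number of high or medium ones (an assumed policy).
    """
    scores = [a["cvss"] for a in advisories_for(version)]
    critical = sum(1 for s in scores if s >= 9.0)
    high = sum(1 for s in scores if 7.0 <= s < 9.0)
    return (critical, high, len(scores))


def recommend(current: str) -> Dict[str, Optional[str]]:
    """Return the "safer and closest" and "safest" upgrade targets.

    Either value is None when no newer release improves on the current one.
    """
    cur = parse_version(current)
    newer = sorted(
        (r for r in RELEASES if parse_version(r) > cur), key=parse_version
    )
    if not newer:
        return {"safer_closest": None, "safest": None}

    baseline = risk(current)
    # Safer and closest: the first newer release whose risk is strictly lower
    # than today's. It may still carry findings; it is a stepping stone.
    safer_closest = next((r for r in newer if risk(r) < baseline), None)
    # Safest: the lowest risk overall; among ties prefer the most recent release.
    safest = min(
        newer, key=lambda r: (risk(r), [-p for p in parse_version(r)])
    )
    if risk(safest) >= baseline:  # nothing newer is actually better
        safest = None
    return {"safer_closest": safer_closest, "safest": safest}


if __name__ == "__main__":
    for release in RELEASES:
        ids = [a["id"] for a in advisories_for(release)]
        print(f"{release}: risk={risk(release)} advisories={ids}")
    print("recommendation for 1.2.0:", recommend("1.2.0"))
```

For a deployment pinned at 1.2.0 this yields 1.3.0 as the safer and closest target (it drops the critical finding but still carries a high one) and 2.1.0 as the safest. In practice the "safer" floor is a policy decision: a stricter rule would require the stepping-stone version to have no critical findings at all, and a real recommender would also weigh breaking changes across major versions, which this example ignores.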


CAST Highlight continues to innovate by delivering automated software intelligence insights and guidance, taking the guesswork out of decisions across your application portfolio. The other innovations included in the Summer 2022 release of CAST Highlight are summarized below.

What’s new in CAST Highlight?

OSS Safe Component Version Recommender

Speed up the process of remediating vulnerable open source components across your application portfolio with automatic recommendations on safer versions of components to adopt.

OSS License Compatibility Reporting

Reduce license compliance risk by defining a license compatibility model at the portfolio level; CAST Highlight then automatically checks for and reports possible license conflicts between the components and dependencies within an application.

Discussion Threads on Application Results

Collaborate and track team members' notes on applications across your portfolio directly in the CAST Highlight user interface, with automatic email notifications when a user is mentioned in a discussion thread.

Enhanced Default OSS License Risk Profile

Default license risk levels are now derived from the recently released license rulebook capability, improving their accuracy and flexibility. Custom license risk profiles can also be generated automatically for an entire application portfolio or for specific applications.

Scala support for Software Health

Extend technology coverage with 30+ new Software Health code insights (resiliency, agility, elegance) for Scala.

Many other feature improvements

The product team also used this release to introduce many additional feature improvements, including expanded Google Cloud service recommendations, an improved portfolio-level OSS License dashboard, an easier and lighter SAML setup, improved CloudReady pattern documentation, and support for Custom Indicators in Custom Segmentations.