In the previous installment of this two part blog post we talked about why prioritization is important in open source governance, especially when considering that many development teams are currently inundated – if not submerged – by information on vulnerabilities, licensing issues or deprecated components and how CAST Highlight can help by using the new Portfolio Advisor for Open Source to automatically segment and prioritize your application portfolio with recommendations of the critical actions to take for each type of audience.
Now let's get into how to use it.
How to use the Portfolio Advisor for Open Source capability
All you have to do is to click on the “Compute” button as soon as you want to visualize segments for your existing application portfolio, or to refresh this segmentation with new application results.
Portfolio Visualization: The output is a unique dashboard where you can quickly view the relative size of each Open Source segment (e.g., how many apps are recommended for upgrading components vs. fixing vulnerabilities). The parliament chart on the left displays the portfolio distribution for each segment. Clicking on a specific segment will drill down, automatically filtering the bubble chart on the right to the applications recommended for the selected segment, enabling further prioritization.
Case-by-case app segmentation: Since the segmentation created by the Portfolio Advisor for Open Source are recommendations (other aspects not captured by CAST Highlight can be considered), a Portfolio Manager can manually change the segment of an application. These changes are maintained by clicking on the “Save” button. At any time, users can roll-back to the original CAST-calculated recommended segments.
Export: from the Portfolio Advisor view, click on the “Export” button to generate an Excel report listing all applications with their corresponding segment recommendations and key metrics used for the segmentation.
Next steps: Role-based Segment Guidance
Now, the next question is probably “what should we do next when we see some applications falling in a specific segment? And who should do this?” Below is some additional guidance on the different segments and what they mean for different personas in an organization.
Applications falling into the “Immediate Attention” segment:
- Development and Security teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components have critical and/or high severity security vulnerabilities that can be avoided by updating the component. Obsolete components should also be identified and replaced with updated versions or alternative components to reduce operational risk.
- Legal and/or compliance teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components have risky licenses that could have legal ramifications. These components may need to be updated or replaced by the development team to reduce licensing risks.
Applications falling into the “Fix Vulnerabilities” segment:
- Development and Security teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components have critical and/or high severity security vulnerabilities that can be avoided by updating the component.
Applications falling into the “Evaluate Legal Risk” segment:
- Legal and/or compliance teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components have risky licenses that could have legal ramifications. These components may need to be updated or replaced by the development team to reduce licensing risks.
Applications falling into the “Upgrade Components” segment:
- Development teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components are out of date or obsolete. These components should be updated or replaced by alternatives to avoid operational risk.
Applications falling into the “Consider Alternate Components” segment:
- Development and Security teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components have critical and/or high severity security vulnerabilities that can be avoided by updating the component. Obsolete components should also be identified and replaced with updated versions or alternative components to reduce operational risk.
- Legal and/or compliance teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components have risky licenses that could have legal ramifications. These components may need to be updated or replaced by the development team to reduce licensing risks.
Applications falling into the “Role Model” segment:
- Development teams should take note of the components in use by these applications using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export as they are lower risk to the organization and should be considered for use in applications as alternatives to components with higher risk.
For more in-depth instructions on how to use these various areas of CAST Highlight, see this video tutorial below (starts at 1’17”):
SHARE