With the increased use of open-source software, the focus on managing that open source has evolved from an initial focus on identifying open-source licenses to identifying and mitigating known vulnerabilities.

This invaluable Gartner report highlights this evolution, along with recommendations for managing the risk of open-source applications. Over 90% of respondents to a July 2019 Gartner survey indicated they use open-source software, mostly within infrastructure and developer tools. In the same survey, respondents identified long-term viability and security vulnerabilities as their most significant challenges posed by the use of open source.



“More sophisticated and mature organizations have begun to demand information regarding the overall ‘health’ or reliability of an open-source package.”

GARTNER TECHNOLOGY INSIGHT FOR SOFTWARE COMPOSITION ANALYSIS | DALE GARDNER, NOV. 1, 2019

Tim Mackey
Principal Security Strategist
Synopsys Cybersecurity Research Center (CyRC)

Synopsys Point of View

When selecting any open source solution for your business or for use within a product, care must be taken to ensure that you adopt a fully supported version of that solution.

Unlike commercial software, where there is a single vendor for a given application, open source projects can be released by multiple independent groups, with source code available from multiple forked locations. This makes managing open source usage more complex than managing a commercial counterpart, in large part because knowing precisely where the code originated is a critical aspect of any patch strategy.

Validating the health of a project with an eye towards ongoing usage then requires an understanding of how updates are released and how well maintained the given code branch might be.

Solving for this complexity is what Software Composition Analysis (SCA) products do, and it starts with one of the report’s key recommendations: “Continuously build a detailed software bill of materials (BOM) for each application providing full visibility of components.”

A comprehensive BOM answers basic questions such as:

  • What open source components are you dependent upon?
  • Where will you obtain updates and patches from?
  • Are you using an actively maintained version of the component?
  • How up to date is your version of the component relative to the most recent release?
  • Where does the community developing the component provide support?

A BOM generated by an SCA tool, rather than assembled manually, provides the best understanding of the dependencies mapped among various components and frameworks.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.