In the rush to make establishing an inventory of your open source use easy, many Software Composition Analysis (SCA) vendors overlook one very important thing—YOUR ROUTE TO BUSINESS VALUE.
Sure, the inventory tells me where I am right now, but it can’t tell me how to get where I need to be as quickly and cost-effectively as possible. Nor will it tell me how to avoid ending up right back here again.
This rush toward the lowest common denominator misses the real point. A tool alone isn’t enough.
Interpreting results correctly to create an accurate OSS inventory, understanding license obligations, and finding and fixing security issues can be a dark art requiring dedicated resources. Most of us don’t have, or want, legions of people focusing on open source remediation.
To provide better results at a lower Total Cost of Ownership (TCO), Gartner predicts that companies will increasingly choose to rely on skilled external subject matter experts to help them manage, monitor and avoid issues in their use of open source.
These experts will focus on the policies, processes and technology required to get clean and stay clean.
In this new model, processing and analysis are done remotely, relieving the enterprise of deploying and maintaining a scanning environment on-premises. That was unimaginable five years ago, but it is no different from moving to a cloud platform to manage your customer data and other, more mission-critical, systems.
Developer, legal and white hat time!
You love open source for its convenience, quality and rate of innovation. But, open source changes faster than most companies’ decision-making processes can handle. Proactively managing open source code and policies can become an overhead the business can’t keep up with.
Fixing code is hardly your developers’ first love or area of expertise, and it diverts time and attention from the primary goal of creating solutions, features and functions that will delight customers. In the end, it is not the optimal solution.
Who ya gonna call?
Sure, you have a policy to govern open source use, but we live in the real world. Wouldn’t it be great if, when a new risk, policy deviation or previously unknown component appeared in your code, you could pick up a big red Bat Phone and get the answers to your problems? Better still, if the person on the other end spotted the issue, worked on it overnight and called you with the answer before you knew it was there?
Managed Service Providers do this. Consistent, professional OSS analysis experts assist with specific activities, such as advising on the suitability of a licence given the intended use of your code, and how to remedy open source that was once secure but has become vulnerable. They manage all the way through to sourcing and applying fixes, rather than diverting developers from delivering.
Oh, to be so sure.
One of the key advantages of MSPs is the ability to also provide additional layers of protection for code your developers are writing in addition to commercial code.
The MSP establishes and maintains an inventory of your OSS usage and from that point on monitors multiple authoritative sources of KNOWN OSS vulnerabilities, responds to changes in the inventory’s risk profile, proactively alerts you AND FIXES what needs fixing. The MSP scans your code in line with your build cadence, depending on the rate at which OSS components are introduced to the application and how often it is released to production.
Whether the application is re-examined hourly, daily, monthly or even quarterly, automatically or on demand, incremental scans identify changes in your OSS inventory. 24/7 open source subject matter experts can be on hand to help you quickly resolve issues.
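The two triggers described above, an inventory that changed between incremental scans and a vulnerability feed that changed while the inventory stayed the same, are easy to miss if a tool only reports a one-off snapshot. The following is an added illustration, not the MSP’s or any vendor’s code: it diffs two constructed inventory snapshots, re-checks the current inventory against a constructed advisory feed, and reports components that became vulnerable purely because the feed changed. The component names, versions and `ADV-PLACEHOLDER-*` ids are all made up for the example.

```python
"""Incremental OSS inventory diff with a re-check against a vulnerability feed.

All sample data below is constructed for illustration; the advisory ids are
placeholders, not real CVE numbers.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    advisory_id: str   # placeholder id (constructed), not a real CVE
    min_affected: str  # first affected version, inclusive
    fixed_in: str      # first fixed version, exclusive upper bound

    def affects(self, version: str) -> bool:
        """True when min_affected <= version < fixed_in."""
        v = parse_version(version)
        return parse_version(self.min_affected) <= v < parse_version(self.fixed_in)


# Constructed inventory snapshots: component name -> version
PREVIOUS_SCAN = {"libfoo": "1.4.2", "jsonparse": "2.0.0", "netutil": "0.9.1"}
CURRENT_SCAN = {"libfoo": "1.4.2", "jsonparse": "2.1.0", "cryptoshim": "3.3.0"}

# Constructed advisory feed at the time of the previous scan
FEED = [
    Advisory("jsonparse", "ADV-PLACEHOLDER-001", "2.1.0", "2.1.3"),
    Advisory("cryptoshim", "ADV-PLACEHOLDER-002", "3.0.0", "3.2.0"),
    Advisory("libfoo", "ADV-PLACEHOLDER-003", "1.0.0", "1.4.0"),
]

# The same feed after an upstream source publishes one more advisory (constructed)
FEED_LATER = FEED + [Advisory("libfoo", "ADV-PLACEHOLDER-004", "1.4.0", "1.4.5")]


def diff_inventory(previous: dict, current: dict):
    """Return (added, removed, changed) between two inventory snapshots."""
    added = {n: current[n] for n in current.keys() - previous.keys()}
    removed = {n: previous[n] for n in previous.keys() - current.keys()}
    changed = {
        n: (previous[n], current[n])
        for n in previous.keys() & current.keys()
        if previous[n] != current[n]
    }
    return added, removed, changed


def find_vulnerable(inventory: dict, feed: list):
    """Match every inventory entry against the feed; fixed_in is the remediation target."""
    return sorted(
        (name, ver, adv.advisory_id, adv.fixed_in)
        for name, ver in inventory.items()
        for adv in feed
        if adv.package == name and adv.affects(ver)
    )


def newly_vulnerable(inventory: dict, old_feed: list, new_feed: list):
    """Findings that appear only because the feed changed, not the code."""
    return sorted(set(find_vulnerable(inventory, new_feed)) - set(find_vulnerable(inventory, old_feed)))


def alerts_for_scan(previous: dict, current: dict, feed: list) -> dict:
    """One incremental-scan report: what changed in the inventory and what is currently vulnerable."""
    added, removed, changed = diff_inventory(previous, current)
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "vulnerable": find_vulnerable(current, feed),
    }


if __name__ == "__main__":
    report = alerts_for_scan(PREVIOUS_SCAN, CURRENT_SCAN, FEED)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("newly vulnerable from feed change:", newly_vulnerable(CURRENT_SCAN, FEED, FEED_LATER))
```

In the constructed data, the upgrade of `jsonparse` to 2.1.0 moves it into an affected range, so the inventory diff alone would have justified a closer look; `libfoo` never changed, yet becomes a finding when the feed gains a new advisory, which is why the feed has to be re-applied to the unchanged inventory on every cycle and not only when a scan reports a change.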
The other advantage is that the cost of expert resources from a trusted third party is spread across multiple customers, all of whom benefit from the provider’s broad base of experience and the shared cost.
The MSP’s experience, key learnings and trend spotting gained from managing multiple client code bases can then be leveraged for the benefit of all.
So, establishing the desired business outcomes to match the characteristics of your applications allows for the lowest TCO while acquiring the highest level of expertise to ensure security and compliance.
Meanwhile, your developers focus on what you hired them to do—write great code.