“…during an economic downturn, organizations will look to lower costs, take control of their own destiny, and strive to do more with less. Adopting Open Source helps these organizations survive and thrive,” this according to Dries Buytaert, creator of Drupal and co-founder of Acquia.
Things are starting to open back up, for sure, but many are still trying to adjust and shift to better manage this critical time in history. A pandemic won’t stop the creative development minds, however, from pushing forward with more innovation and technology advancements. In line with Mr. Buytaert, I’m predicting two things:
- Open source use will continue to rise, and
- Risk related to license compliance and security vulnerabilities will also go up.
First and foremost, developers are curious, right? That drive pushes developers to continue to learn, experiment, and innovate, not just despite what’s going on around us, but perhaps in spite of. Just do a search. There are various articles highlighting the important work being done using open source to help fight the challenges brought by COVID-19. Companies moved fast. That’s one of the benefits of using open source.
Automation and governance are the call of the day.
Automation
It’s difficult to talk about the terrible “ugly” part of an economic downturn. These days, there tends to be so much ugly with reduced resources being high on the list. That engineering team of five has been whittled down to two or three. The workload, however, remains the same. The need to ship safe products is still a priority (or dang well should be). Workers must prioritize efficiency and productivity. Sometimes, certain processes are deprioritized. Related to devops and open source management, with 500 new published vulnerabilities in May alone—34% with high severity ratings—can companies afford the risk of ignoring software composition analysis?
Another proof point—economic downturns increase automation. Automating the analysis of your software composition to identify open source use, license compliance issues, and security vulnerabilities can make up for a reduced workforce. The outcome of choosing the right automated open source scanning solution is increased accuracy, reliability, and security, not to mention peace of mind.
An automated SCA solution allows you to meet the open source transparency needs of your organization while enabling your software development team to remain productive and focused on value-driven projects.
Governance
Having confidence in the oversight and control mechanisms used to monitor and track open source use should be a no brainer in the current economic climate. Threat actors don’t take a break in downtimes like we currently face.
Sooner rather than later is the ideal time to establish a strict open source governance program, integrating it into the development toolchain in order to comply with open source licenses, manage obligations, and maintain an up-to-date knowledge of relevant security vulnerabilities impacting your application. I’ve talked about it before. Don’t just “shift-left,” expand-left. Rather than implementing scanning toward the end, start earlier in the DevOps lifecycle. Scan early and scan often to get a firm grip on your software supply chain.
Knowing what’s in your code and maintaining a Software Bill of Materials (SBOM) provides a much-needed layer of clarity—an imperative for every effective governance program.
