In detailing the “Five Traits of a Transformative CIO,” first on the consulting firm McKinsey Digital’s list was that such CIOs are business leaders who take responsibility for initiatives that generate revenue.
In the quest to generate more revenue, it’s a good practice to make sure there aren’t any sources in IT and MIS processes where there is unintentional monetary loss – or revenue leakage. And leading CIOs are finding that best practices adopted around open source software use and governance are paying dividends in terms of shoring up places where money could be lost.
Open source software (OSS) brings tremendous benefits in terms of speed and scale – and can bring enormous cost savings to organizations (the Linux Foundation says it can lower costs as much as 50%). But it also introduces revenue risk. Developers are crucial to ensuring that the same OSS strategies that provide these savings don’t concurrently expose the organization to revenue leakage.
Without proper governance and tools to track components and automate security updates, OSS can expose the organization to risk in a couple of ways.
For one thing, the Software Bill of Materials (SBOM) for many applications has increased from a couple hundred components to thousands. If everything isn’t properly licensed and attributed, the organization could have to pull back releases because of legal action. What’s more, potential security vulnerabilities in the code (which Forrester says are up 50% year over year) present risk internally and propagate that risk outside of the organization’s four walls. Without the proper level of OSS discovery, developers could unintentionally release products with unknown security issues. This could include software that has an outdated or vulnerable version of an OSS component which has not been properly patched and which continues to move through the supply chain. Customers using the software in their products expose themselves and their customers to the same vulnerabilities and so on.
All of it comes with risks of monetary and reputation costs to the organization and prevents developers from focusing on their key objectives– developing innovative features and building exceptional software.
Scanning OSS code and generating an SBOM as early in the process as possible helps minimize the exposure window from vulnerabilities and reducing the cost of remediation. Forrester data shows that organizations that scan less than three times a year have flaws that persist 3.5 times longer than those who scan seven to 12 times a year.
These Software Composition Analysis (SCA) tools also help ensure that all OSS components are properly licensed and that organizations are compliant with the associated license obligations. SCA tools easily integrate into the engineering tool chain to actively monitor the SBOM for changes, alert developers to non-compliant items and new security vulnerabilities and automatically initiate the remediation or patching of vulnerable code. The obligation fulfillment process is supported as well via generation of third-party notices and delivery of compliance artifacts with each release.
By ensuring that the open source components they’re using to build products are secure, up to date, properly licensed and attributed, developers do more than protect the organization from all sorts of monetary and reputation risk borne of open source security vulnerabilities. They build a strong case for using open source software to create amazing products in a faster, safer and more cost effective manner. This strengthens open source strategy in the organization, empowers developers to put innovation first and build confidence in their work and propagate trust across the organization and through the software supply chain.
Get started and “Proactively Plug Your Revenue Leaks” (the first step of which is checking out our recent webinar for more information on how).