A Healthy Approach to Open Source Compliance
Interneuron is a Community Interest Company (CIC) in the U.K. focused on building, developing, and deploying software specifically for the healthcare IT industry. The company’s singular focus is creating high-value software applications that serve the best interest of patients in need of health and social care services.
CHALLENGES
- Overcoming the perception that traditional proprietary software is the least risky option
- Enabling complete transparency of open source use, including use in the supply chain
- Closing the knowledge gap around measuring open source quality and effectiveness
SOLUTION
- FlexNet Code Insight
- Managed Services from Source Code Control
- OpenChain Conformance
RESULTS
- Transparent demonstration of quality assurance, at a level closed-source proprietary solutions cannot offer
- Automated tracking of known security vulnerabilities in third-party components
- Fewer barriers in purchasing decisions, creating competitive advantage
The founders of Interneuron in the United Kingdom (U.K.) have extensive experience in the healthcare industry providing IT solutions to meet the needs of both providers and patients. From that journey, they uncovered a crucial gap regarding the creation and delivery of services. “We realized that how the industry was delivering software and what was being delivered was fundamentally misguided. The number one goal should be on the betterment of the community—the patients,” says Matt Conway, company CTO. “We created Interneuron as a Community Interest Company to develop software solutions focused on the community served by the healthcare system.”
Interneuron delivers software aimed at securing the personal electronic health records of patients within the NHS—one of Interneuron’s primary customers and the majority provider of healthcare services in the U.K. Interneuron’s solutions are based on Open Source Software, something that was new to the owners of Interneuron, but critical in meeting the need to provide high quality, secure enterprise level applications.
The challenge facing Interneuron was convincing organizations to adopt its solutions and to trust the open source software supply chain behind them. Interneuron turned to Source Code Control for guidance—a company that specializes in creating the right processes for organizations looking to manage open source throughout the software supply chain. Source Code Control recommended that Interneuron become OpenChain Conformant through the Linux Foundation. As an OpenChain Conformant company, Interneuron demonstrates to customers and prospects:
- The benefits of Interneuron’s open source solution over traditional proprietary closed source solutions.
- The quality and rigor embedded in their software development and release management processes.
- Full transparency that they are managing the open source supply chain rather than passing risk on to customers.
Interneuron executives attended “Getting Right with Open Source,” a training course offered through Source Code Control and based on the OpenChain curriculum. “A fundamental requirement of the OpenChain Project is that organizations must identify all third-party open source software components and libraries used to build applications, including how they are licensed and other information such as copyright holders,” says Martin Callinan, Source Code Control’s founder. “Additionally, conformant organizations must demonstrate they are shipping their software with all the required license information related to their open source components, such as license notices and attribution notices, and, in addition, provide access to the source code.”
The training gave Interneuron’s leadership a clear view of how an end-to-end license compliance and risk management process would help the company meet its most pressing business challenges.
SOFTWARE COMPOSITION ANALYSIS FOR CONTINUOUS COMPLIANCE HEALTH
Recognizing the need to engineer open source software applications the right way, but also realizing they internally lacked open source license compliance and security skills, Interneuron’s first step was to enter into a Managed Service contract with Source Code Control. The agreement is supported by a Software Composition Analysis (SCA) automated solution from Revenera called FlexNet Code Insight. Code Insight enables Interneuron to create an environment of continuous compliance, and build solutions that are secure by design. The total Interneuron solution includes:
- FlexNet Code Insight from Revenera for deep open source component scanning and reporting
- Managed Services from Source Code Control for ongoing compliance support, developer training, and process management
FlexNet Code Insight enables deep scanning capabilities of Interneuron’s applications, identifying open source components in source code, binaries, software packages, code snippets, and more. The tool is integrated with Interneuron’s DevOps environment and allows their developers to self-manage scans and check for vulnerabilities as they initiate product builds. “We thought we were on top of our open source use,” says Matt, “but a test scan of our first product release with [FlexNet] Code Insight revealed we were using outdated components with known vulnerabilities and licenses we were unaware of. That first scan quickly showed us the real value of the tool.”
Source Code Control advises Interneuron on how to license its own solutions and on the creation and adoption of open source policies. By implementing those policies in FlexNet Code Insight, Interneuron avoids license and security issues from the outset, as well as unnecessary code maintenance costs. The policies tell developers which third-party open source components are acceptable and set the agreed-upon service level agreements for remediating issues. Because the policies are enforced in Code Insight, only product releases that pass a scan with no policy violations are made available to customers. During a build, if any third-party open source component introduces a license or security risk, the issue is flagged and an actionable alert is sent immediately from the Code Insight scanning tool to the development team for remediation, catching problems early in the development process rather than after release.
In addition, before a new product release is made available to customers, Source Code Control conducts an independent audit using FlexNet Code Insight and produces a time-stamped release report and a software Bill of Materials, further demonstrating that the code meets all policy requirements. Interneuron can share this report with customers as evidence of open source compliance.
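The release gate and report described above can be illustrated with a small policy check run over a software Bill of Materials. The following is an added example written for this page; it is not Interneuron’s code and not FlexNet Code Insight’s policy engine. The SBOM is constructed inline and loosely follows CycloneDX field names (components, licenses, copyright, vulnerabilities); the vulnerability identifiers are placeholders, and the allow-list, denied licenses, blocking severity and SLA days are assumed policy values, not the ones Interneuron uses.

```python
"""Policy gate over a software bill of materials (SBOM).

Added example (not Interneuron's or Code Insight's code).  It checks what
the text describes: every third-party component must carry license and
copyright data (the OpenChain identification requirement), licenses must
be on an allow-list, vulnerabilities at or above a blocking severity fail
the release, and lower-severity ones are reported with an SLA for fixing.
It then emits a time-stamped release report with an attribution notice.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional
import json

# Assumed policy values for the example; a real policy is agreed per organization.
POLICY = {
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-3-Clause"},
    "denied_licenses": {"AGPL-3.0-only"},
    "block_at_or_above": "high",
    "sla_days": {"critical": 7, "high": 30, "medium": 90, "low": 180},
}
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed SBOM for the example; VULN-EXAMPLE-* ids are placeholders, not real advisories.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"bom-ref": "pkg:lib-a@1.4.0", "name": "lib-a", "version": "1.4.0",
         "licenses": [{"license": {"id": "MIT"}}],
         "copyright": "Copyright (c) Example Contributors"},
        {"bom-ref": "pkg:lib-b@2.0.1", "name": "lib-b", "version": "2.0.1",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}],
         "copyright": "Copyright (c) Example Foundation"},
        {"bom-ref": "pkg:lib-c@0.9.0", "name": "lib-c", "version": "0.9.0"},
        {"bom-ref": "pkg:lib-d@3.2.0", "name": "lib-d", "version": "3.2.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "copyright": "Copyright (c) Example Authors"},
    ],
    "vulnerabilities": [
        {"id": "VULN-EXAMPLE-1", "affects": [{"ref": "pkg:lib-d@3.2.0"}],
         "ratings": [{"severity": "high"}]},
        {"id": "VULN-EXAMPLE-2", "affects": [{"ref": "pkg:lib-a@1.4.0"}],
         "ratings": [{"severity": "low"}]},
    ],
}


@dataclass(frozen=True)
class Violation:
    component: str
    kind: str                 # "metadata", "license" or "security"
    detail: str
    blocking: bool = True     # blocking violations fail the release
    sla_days: Optional[int] = None


def component_licenses(comp):
    """Return the license identifiers recorded for a component (may be empty)."""
    ids = []
    for entry in comp.get("licenses", []):
        lic = entry.get("license", {})
        ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids


def check_licenses(sbom, policy):
    out = []
    for comp in sbom["components"]:
        ref = comp["bom-ref"]
        ids = component_licenses(comp)
        if not ids:
            out.append(Violation(ref, "metadata", "no license recorded"))
        if not comp.get("copyright"):
            out.append(Violation(ref, "metadata", "no copyright holder recorded"))
        for lic in ids:
            if lic in policy["denied_licenses"]:
                out.append(Violation(ref, "license", f"license {lic} is denied by policy"))
            elif lic not in policy["allowed_licenses"]:
                out.append(Violation(ref, "license", f"license {lic} is not on the allow-list"))
    return out


def worst_severity(vuln):
    sev = "none"
    for rating in vuln.get("ratings", []):
        candidate = rating.get("severity", "none").lower()
        if SEVERITY_RANK.get(candidate, 0) > SEVERITY_RANK[sev]:
            sev = candidate
    return sev


def check_vulnerabilities(sbom, policy):
    out = []
    threshold = SEVERITY_RANK[policy["block_at_or_above"]]
    for vuln in sbom.get("vulnerabilities", []):
        sev = worst_severity(vuln)
        blocking = SEVERITY_RANK[sev] >= threshold
        for target in vuln.get("affects", []):
            out.append(Violation(target["ref"], "security",
                                 f"{vuln['id']} rated {sev}", blocking,
                                 policy["sla_days"].get(sev)))
    return out


def attribution_notice(sbom):
    """One line per component: name, version, license(s), copyright holder."""
    lines = []
    for comp in sbom["components"]:
        lic = ", ".join(component_licenses(comp)) or "UNKNOWN"
        holder = comp.get("copyright", "copyright holder not recorded")
        lines.append(f"{comp['name']} {comp['version']} - {lic} - {holder}")
    return "\n".join(lines)


def release_report(sbom, policy, now=None):
    """Time-stamped report; result is 'fail' if any blocking violation exists."""
    now = now or datetime.now(timezone.utc)
    violations = check_licenses(sbom, policy) + check_vulnerabilities(sbom, policy)
    return {
        "generated_at": now.isoformat(),
        "component_count": len(sbom["components"]),
        "result": "fail" if any(v.blocking for v in violations) else "pass",
        "violations": [asdict(v) for v in violations],
        "attribution": attribution_notice(sbom),
    }


if __name__ == "__main__":
    print(json.dumps(release_report(SAMPLE_SBOM, POLICY), indent=2))
```

Run against the constructed SBOM, the gate fails the release on four blocking findings (a denied license, a component with neither license nor copyright recorded, and a high-rated vulnerability) and lists the low-rated vulnerability as a non-blocking item with its SLA. The blocking decision is made on the SBOM alone, so the same check can run inside a build pipeline and again in an independent pre-release audit.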
“We just couldn’t operate now without the ability to automate code scans using Software Composition Analysis. Our use of Source Code Control and FlexNet Code Insight is only going to grow as we bring on more developers, develop more applications, and substantially grow our business.”
MATT CONWAY CHIEF TECHNOLOGY OFFICER, INTERNEURON
INTERNEURON STANDS OUT THROUGH OPEN SOURCE MANAGEMENT
The business benefits for Interneuron using FlexNet Code Insight and Source Code Control Managed Services—along with their commitment to OpenChain Conformance—put the company in the healthcare IT spotlight. They are quickly becoming not just thought leaders in the industry, but leaders in providing enterprise-level open source solutions with quality management and security at the heart of their development processes.
According to Matt, “The fact that we are license compliant, can prove we are free of open source vulnerabilities, and can show our clients that we value the overall health and security of our applications in order to better serve the community has really opened doors for us.”
Significant business benefits using the Software Composition Analysis solution include:
Removing risk from purchasing decisions. With FlexNet Code Insight’s deep scanning and reporting capabilities, procurement teams can see that an application carries no known open source vulnerabilities or license conflicts at the time of release, and that the release is license compliant. Open source adoption is growing, and expensive proprietary solutions are no longer the only option.
Quality, consistent open source compliance and risk management. Through automated tracking and management of copyrights, license compliance, policy management, reporting, and security vulnerability management, Interneuron provides complete transparency to its Open Source Software use for customers and prospective clients.
New business opportunities. License compliance and a focus on open source risk mitigation help build trust and confidence with prospects that previously would not have considered purchasing applications based on Open Source Software. Interneuron’s Software Composition Analysis solution has opened new doors and helped the company move quickly to capitalize on potential opportunities.
Accountability for security and compliance. The Source Code Control course curriculum provides ongoing training for both existing and new software developers. Issues found in the development lifecycle are quickly identified and fed back into training, improving accountability for whoever executes and deploys a build, as well as the overall compliance and security of what is shipped.
OpenChain Conformance. Scanning capabilities with FlexNet Code Insight and Managed Services from Source Code Control give Interneuron the needed rigor and control of their Open Source Software use, meeting all the requirements for OpenChain Conformance.
Higher quality code and more robust solutions. Interneuron has the confidence and ability to focus on developing quality code because FlexNet Code Insight and Source Code Control are helping to manage license compliance and security risks. Developers and engineers focus on high value tasks leading to higher quality applications.