The fourth episode of the FOSSA Podcast is a conversation about open source and what organizations are prioritizing as they evaluate software composition analysis (SCA) tools to manage OSS license compliance and security risks. Several longtime FOSSA employees talk about open source issues customers are trying to address and the tooling evaluation process, from research to POC to rollout.
- Problems customers are trying to solve with SCA tools like FOSSA: 2:21
- Considerations for evaluating SBOM tools: 7:58
- Seasoned SCA users vs first-time SCA users: 14:10
- How organizations can ensure smooth integration/rollout of SCA: 22:38
- What companies should expect during an evaluation/POC of an SCA tool: 26:33
- Best practices when transitioning from POC to a full rollout: 33:19
- SCA tooling trends to know: 37:42
- Final thoughts and takeaways: 45:50
Problems customers are trying to solve
Open source usage has increased significantly, especially in the last five or 10 years. Organizations are trying to understand how much of their codebase includes open source and the license compliance and security risks associated with open source. They want to enable their engineers to have the freedom to code and innovate and move quickly. The urgency around this has been accelerated by the requirements around SBOMs for companies doing business with the U.S. federal government.
Traditionally, customers have looked at open source management as implementing best practices around publishing attribution notices, staying on top of compliance, and detecting vulnerabilities. But in the past few years, the Log4j and SolarWinds incidents, coupled with the Biden administration’s cybersecurity executive order, have made organizations realize that open source is also a critical component of their software supply chain.
But, overall, whether it is legal teams looking into license compliance or security teams trying to address vulnerabilities, the primary goal of organizations is empowering their developers to innovate and build faster — without open source risks being a hurdle — by operationalizing open source risk management at scale.
What stakeholders should keep in mind when evaluating SBOM tools
Legal teams should ensure that any tool they are evaluating for SBOMs accurately tracks all the open source being used and surfaces the license obligations for those open source libraries.
When new vulnerabilities are discovered, security teams, and in some cases engineering teams, should also consider how quickly they can identify them in their own codebase and how soon they can be resolved.
Engineering teams usually consume these insights and activities and work closely with legal and security to resolve and remediate any issues promptly.
Customers should also look for a solution that can generate an SBOM on demand rather than treating it as a one-time scan or fire drill for a specific event. They should be focused on shifting left and integrating this as part of their development lifecycle. This will enable them to have continuous visibility into their open source components.
Different approaches to evaluating SCA tools
Newer SCA buyers might need more guidance on foundational elements like open source license compliance. They may also be transitioning from at least some manual open source management processes to automated ones, in contrast to veteran SCA users who already have automation in place.
More experienced SCA buyers tend to look for tooling that provides accurate information, offers the ability to get things integrated properly, and makes it easy for developers to remediate issues and get coverage of their entire code base.
CI/CD has meant that organizations now deliver code daily, so companies are looking for SCA tools that continuously scan every code commit. Another key factor customers look at is the accuracy of the information provided. When teams deliver software updates daily, time spent triaging and addressing false positives significantly slows development velocity. Remediation and resolution of real issues become key attributes for customers. Seasoned SCA users are also trying to automate most of their report generation to minimize human error.
What organizations can do to ensure smooth SCA integration/rollout
The first thing is to have a solid implementation or execution plan to roll out the solution and quickly get to value. The next step is validating that plan with your vendor to align with your priorities and requirements. And then start thinking about the training and documentation needed so developers can access and understand the tool.
Getting buy-in from all the stakeholders that the solution impacts is extremely important for a successful and smooth rollout of any SCA solution. The most successful teams that we've worked with have taken the time to inform, educate, involve, and pull their peers into the cycle.
What companies should expect during an evaluation/POC
At FOSSA, we provide coaching throughout this process around the evaluation framework. We make sure that all the details, like what needs to be tested and why, are covered.
We also walk users through what's called a value assessment that includes what you're solving and what kind of ROI the tool can produce for you. We then also work together to identify what success looks like and map out a timeline. All these are defined in writing, and during the POC period, we actually test and take those measures of success.
It is critical to set expectations for what the process will look like, especially when multiple stakeholders are involved.
Oftentimes, buyers don't necessarily know about procurement processes within an organization. We make sure they are aware of their vendor onboarding process and what processes and timelines to expect. Based on that, we work backward to create an end-to-end project plan.
A key element that we do particularly well at FOSSA is the discovery process, where we learn what an organization’s goals are, collaborate on the optimal workflow or processes, and share our insights and best practices with them. This helps us build a trusted relationship even before the POC.
Best practices when transitioning from POC to a full rollout
We try to do as much due diligence as possible early in the POC process to ensure mutual fit and alignment. We want to make sure we understand what the customer’s goals are and what problem they're trying to solve. We then put details around those goals, including the timeline, who’s going to be involved, and what the day-to-day process looks like, including user training.
Rollouts typically go pretty well when you're prepared, so having a plan and partnering with your customer success teams to drive those plans is crucial.
Trends in SCA solutions that customers should be aware of
There has been a shift on the security side where the emphasis has gone from identifying as many vulnerabilities as possible to focusing on issues that need to be and can be addressed. Additionally:
- Customers are embracing the shift-left approach of finding and fixing issues as early in the lifecycle as possible.
- Teams are aligning on shared goals and overall initiatives among the various stakeholders within their organization when it comes to open source management.
- Organizations are evaluating the build vs. buy approach when it comes to SCA and if accuracy is gained by moving to an SCA vendor.
We have also seen open source management move from being a siloed activity to a company-wide, cross-functional initiative. There is a growing realization that open source is a critical component of the software supply chain, and it is extremely important for organizations to have visibility into their open source risks.
Episode Host and Guests
Sara Beaudet, Support Engineer, FOSSA: Sara is the host of the FOSSA Podcast. They are passionate about cybersecurity, open-source software, and helping people explore the world of technology.
Alexandria Schulz, Regional Sales Manager, FOSSA: Alex is one of our early employees and is currently our regional sales manager for the West Coast.
Max McCone, Regional Sales Manager, FOSSA: Max is a recent transplant to New York City and our regional sales manager for the East Coast region.
Deepak Mehta, Head of Sales Engineering, FOSSA: Deepak is our head of sales engineering and his team manages the POC process at FOSSA.