Over the past decade, businesses have gone from building applications with mostly proprietary source code to building with mostly open source code. The explosive growth in open source usage — around 75% of enterprises now say that open source is very important or extremely important to them — can be attributed to a host of factors:
- It’s cost-effective
- It gives businesses access to the latest technologies
- It accelerates product development and time to market
- It taps into a supportive community
But open source comes with risks, especially in the areas of license compliance and vulnerability management. Organizations have embraced software composition analysis (SCA) as a way to address these concerns. SCA tools help businesses identify, analyze, and control compliance and security risk in their open source code.
SCA tools have evolved considerably since they first launched. While SCA was initially used to perform manual and periodic scans, they are now being integrated into CI/CD pipelines as part of the software development lifecycle (SDLC). Today's SCA tools offer automated scanning and remediation support.
Just like we’ve seen significant advances from the early days of SCA to present, we expect continued growth in the years ahead. But what, exactly, is in store for the future of SCA? In this blog, we’ll explore four new frontiers, with a focus on automation, policy governance, and developer-friendliness.
Note: We recently hosted a webinar on the future of SCA featuring Sandy Carielli of Forrester. This blog highlights some of the key takeaways from that discussion. You can view the full webinar recording by clicking the link below.
1. Governance Around Policy and Standards
Large enterprises often have massive development teams working on multiple projects at the same time. Amid this flurry of engineering activity, it can become time-consuming and hard to scale for compliance and security professionals to apply policies governing open source use across every corner of the organization. They also risk becoming bottlenecks and slowing the development process.
Software composition analysis tools will need to continue to develop capabilities that enable teams to implement policies that work within software development workflows. Automation and scale will be crucial in creating and applying policies with the flexibility and granularity needed for large enterprises with multiple teams and projects.
In other words, policy engines will have to become a standard feature of any reliable and scalable SCA platform; manually checking and creating rules is not scalable for enterprises. A true policy engine informed by both deep license and vulnerability inventory as well as clear and repeatable governance rules can drive open source standards across organizations that make it easier for enterprises to manage their software supply chain and avoid disruptions across the SDLC. And, ultimately, next-generation policy engines are what will enable different stakeholders to have approvals and automation built in as part of their day-to-day workflows.
2. Code Quality and Provenance
Part of being more proactive about open source is going beyond identifying risk to actually improving the quality of your code. We see quality and provenance checks as features that enterprises will begin to request.
- Code provenance: Where is the code coming from? Is it from safe and trusted sources?
- Code quality: Is there enough adoption and contributions from the open source community to give enterprises confidence that they can depend on the libraries long term?
The SolarWinds supply chain attack is an example of why understanding code provenance is so important. Bad actors may look to target an organization’s open source components, so the more you can do to ensure you’re getting your code from trusted sources, the better.
Most developers truly do care about open source security and license compliance, but they also want things like scanning and issue analysis to be mostly automated and presented in a way that aligns with the rest of their day-to-day work and doesn’t slow them down. Many of today’s SCA tools do this to some degree, but as we look to the future, we expect SCA to become even more integrated with a developer’s standard workflow and to offer stronger guidance to support speedy and painless remediation.
This means that the SCA platform should provide accurate, up-to-date, and actionable analysis to help developers remediate open source security vulnerabilities and compliance violations as early as possible and across the SDLC. It should offer insight into the best version of the open source package to upgrade to. And, critically, it should integrate with developers’ native toolsets.
Ultimately, a developer-friendly SCA tool needs to meet developers where they are. The more we build SCA into a developers’ workflow, the easier it’s going to be for them to build risk management into their daily lives. They won’t have to use a new tool or go outside their previous experience. That helps with overall acceptance and efficiency within the organization.
4. Next-Gen Reporting
Reporting is a part of open source usage that doesn’t necessarily get a ton of attention, but it’s critical for a number of reasons, including business enablement. Although individuals like the CISO, chief legal or compliance officer, and non-technical C-suite executives may not be involved in the day-to-day of product development, they often want to be kept apprised of compliance issues and your security posture.
To do this, you need to be able to generate reports that summarize the current state of the application, the open source you’re using, and any potential risks along with how they’re being addressed. These reports should be easily digestible for both technical and non-technical stakeholders, and they must be fueled by real-time data.
This can also pay dividends when it comes to business enablement. For example, an SCA platform that makes compliance data available to the sales and customer support teams in near real time can help them address questions from customers and prospects in a timely manner.
The Future of SCA: A Further Look
Take a deeper dive into the future of software composition analysis in the on-demand webinar “The Changing Role of SCA in Your Open Source Security Strategy, Featuring Forrester.” We’ll provide additional insight on the topics in this blog along with perspectives on:
- The evolution of SCA from scanning to policy
- How to evaluate and choose an SCA solution
- How leading enterprises are approaching the future of SCA
- The business case for SCA
About the Author
Gauthami Polsani is the Senior Product Marketing Manager at FOSSA. She brings an engineering background to help companies build and ship enterprise and developer applications.