We’ve all got friends like Dave and Mike.
Dave is a lean, mean, highly organized machine, whereas Mike is more relaxed about his affairs. You can probably guess who’s usually ahead of the curve when it comes to dealing with challenging situations.
Consequently, these two guys can tell us a lot about the benefits of using an automated open source management solution.
Dave and Mike are both lactose intolerant. It only takes a drop of cream or a sliver of cheese for the symptoms to kick in.
Dave’s got the situation under control. Before buying food, he always checks the ingredients of what’s going into his basket, and if there’s even a hint of lactose, out of the basket it goes. Mike, however, just eats whatever he wants, meaning lactose frequently gets by and causes him preventable discomfort. Does this situation remind anyone else of the importance of checking the quality of open source components prior to integration?
Just like Dave and Mike, who need to check foods’ ingredients before eating, we need to check the quality of open source components before integrating them into our software. After all, isn’t it preferable to find out that your components are affected by security vulnerabilities or bugs, or are licensed under problematic licenses such as copyleft ones, before integrating them with your code? Remember, the longer it takes to detect issues, the more complex and costly they are to fix.
However, detecting component issues pre-integration is only part of the story, as vulnerabilities are often discovered in components that are already in use. Therefore, it’s important to have an alert system in place.
Before Dave goes out, he checks that all windows are closed and doors are locked, and he activates his top-of-the-range burglar alarm. Like Dave, before Mike goes out, he locks all doors and arms his cutting-edge security system. However, he always leaves his upstairs window open. So, even though Mike’s got the best burglar alarm system money can buy, intruders still have an entry point.
The same reasoning is true for securing your software. Stay with me for a second. When you integrate open source components, you are also adding all of their transitive dependencies. Unless you have verified that your open source components, and all of their dependencies, are not vulnerable, you may have left a window wide open for hackers. For example, if your team develops a web form that contains a vulnerable open source component, your entire software will be vulnerable as well. Therefore, even with a cutting-edge cyber-security suite hooked in, hackers still have a vector to exploit, which is all they need.
Consequently, having an automated open source management solution that detects and alerts you in real time on all security issues affecting your components, as soon as they’re added to your build or repositories, is the way to go. The sooner you detect a security bug, the sooner you can remediate it, thereby shutting the door, or window, on hackers.
Dave and Mike both wanted to sell their cars. Luckily both found buyers quickly. The difference was that Dave closed his sale before the week was out, while Mike had a problem finalizing the deal.
Mike couldn’t find the documents needed, like the car title and bill of sale, which were necessary to sell his car. He searched all over his house, but eventually he had to contact the DMV for duplicates. Yet, by the time he’d received the documents, it was too late. His prospective buyer had lost patience, meaning Mike had to go back to square one.
If you’ve been through the exhausting process of due diligence, Dave and Mike’s situation might sound familiar. Before any software company can be acquired, raise investment or even go public, it needs to prove ownership of its intellectual property and, therefore, produce a full inventory report detailing all open source components contained in its software and their open source licenses.
Your engineers can manually track what components they’re using, but these records will probably be inaccurate due to human error. Furthermore, even if your team can successfully track component usage, tracking each component’s license and dependencies by hand is near impossible. Therefore, an open source management solution that provides a complete inventory of all used components, including all licenses and dependencies, would take the hassle and stress out of this whole process.
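To make the two points above concrete (transitive dependencies inherit their vulnerabilities, and the inventory must cover every component with its license), here is an added example that is not part of the original post or of any vendor’s product. It walks a constructed package registry from a root component, records the chain that introduced each transitive dependency, and flags known advisories and copyleft licenses; all package names, licenses and advisory IDs are constructed.

```python
from collections import deque

# Constructed stand-in for a package registry:
# name -> (license, direct dependencies, known advisory IDs). Not real packages.
REGISTRY = {
    "web-form":        ("MIT",        ["template-engine", "http-client"], []),
    "template-engine": ("Apache-2.0", ["string-utils"],                   []),
    "http-client":     ("MIT",        ["url-parser"],                     []),
    "url-parser":      ("MIT",        [],                                 ["ADVISORY-0001 (constructed)"]),
    "string-utils":    ("GPL-3.0",    [],                                 []),
}

# Licenses the team treats as problematic for a proprietary product (policy choice, assumed here).
COPYLEFT_LICENSES = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}


def resolve_transitive(root, registry):
    """Breadth-first walk from `root`; returns {component: chain that introduced it}.
    The chain is what lets a reviewer see which direct dependency opened the 'window'."""
    chains = {root: [root]}
    queue = deque([root])
    while queue:
        name = queue.popleft()
        _license, deps, _advisories = registry.get(name, ("UNKNOWN", [], []))
        for dep in deps:
            if dep not in chains:          # first chain found is kept; cycles terminate here
                chains[dep] = chains[name] + [dep]
                queue.append(dep)
    return chains


def inventory(root, registry):
    """Full inventory: every component, direct or transitive, with license, chain and findings."""
    report = []
    for name, chain in resolve_transitive(root, registry).items():
        license_id, _deps, advisories = registry.get(name, ("UNKNOWN", [], []))
        findings = []
        if advisories:
            findings.append("vulnerable: " + ", ".join(advisories))
        if license_id in COPYLEFT_LICENSES:
            findings.append("copyleft license: " + license_id)
        report.append({"component": name, "license": license_id,
                       "via": " -> ".join(chain), "findings": findings})
    return report


def gate(report):
    """Pre-integration gate: the components that should block the build until resolved."""
    return [entry for entry in report if entry["findings"]]
```

Running `gate(inventory("web-form", REGISTRY))` blocks on two components the root never references directly, which is exactly the open upstairs window from the story.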
Without such an automated open source management solution, the due diligence process may take so long that a business’ prospective buyers lose patience, and so the acquisition falls through.
I’m sure you’d agree that when it comes to open source management, Dave and Mike sure do bring some challenges into focus.
So, when it comes to open source management, who would you prefer to be like: Dave or Mike?