Not All Open Source Scanning Tools are the Same

A few months ago Flexera presented The State of Open Source Software: OSS Trends to Watch in 2019. We talked about important projects supporting OSS governance; the growing acceptance of open source use at an enterprise level, based on fairly substantial acquisitions in the open source space; and the overall maturity of open source. It bears repeating: open source use today is prevalent across virtually all industries and organizations. According to a recent TechCrunch article, “When top companies around the world are polled, few of them intend to have their core software systems be anything but open source.” According to Gartner, by 2022, “50% of organizations will execute at least one DevOps pipeline relying entirely on OSS tools.”

Due to this prevalence and the need for developers and engineers to be more creative and quickly add functionality to products, vendors are mobilizing rapidly to help organizations manage their open source use. In the Software Composition Analysis (SCA) space alone, we’ve seen the number of vendors offering open source governance tools grow significantly over the last few years. In the just-released Forrester Wave™: Software Composition Analysis, Q2 2019, Forrester evaluated 10 SCA providers. Two years ago, there were six. In its Now Tech: Software Composition Analysis, Q1 2019 report, the analyst firm reviewed 17 companies offering SCA solutions. Flexera was one of eight vendors listed in the large enterprise space.

The need is undeniably there to support modern application development using open source. At the same time, developers and their companies should be supported with robust compliance and security management solutions.

Not all open source scanning tools are the same, however. The Forrester Wave takes a detailed look at the vendors in the SCA space with a focus on strategic risk, vulnerability management, and remediation. Additionally, considerations for vendor selection should include adhering to OSS license compliance, reducing license risk, and applying consistent open source policies internally to set usage and remediation guidance. As use of open source climbs sharply, compliance with open source licenses and obligations plays a more significant role.

Companies have a compliance responsibility for any code in use, regardless of where it comes from in the supply chain. Code can enter your company in various ways:

  1. When a developer downloads source code and incorporates that code into their build,
  2. Through a repository manager,
  3. As a sub-component of a commercial or larger open source component, or
  4. Through a third-party (such as supplier or partner code).

Flexera’s Software Composition Analysis solution FlexNet Code Insight, for example, differentiates itself from other vendors’ products with the ability to deliver on license and IP compliance, enabling companies to find all evidence of open source, create a complete bill of materials, and to detect and mitigate license compliance issues in a structured way. In addition, Forrester recognizes Flexera for having a solid security and vulnerability management product offering that is well positioned to serve customers with proactive and continuous monitoring of open source security vulnerabilities. FlexNet Code Insight is further supported by a security research team conducting primary research that gives customers an early warning about potential vulnerabilities – before being officially accepted in the NVD. No other vendor brings this level of research to the table.

Flexera is bolstered by a strong market presence, scoring among the top three vendors with the strongest installed base and at the top for corporate profitability. This is significant given that the acquisition of Palamida was a little over two years ago, showing substantial synergy between the two companies with deep expertise in license compliance and vulnerability management.

Interneuron is a U.K.-based company using FlexNet Code Insight for open source license compliance and risk management.

In sum, when it comes to license/IP compliance and security management, one is not more important than the other, as both require the ability to discover and track all open source use. Vendors bring different use cases to the table. Flexera emphasizes its strength in compliance with open source licenses and the need for IP management.
