I’m giving away my affinity for Star Wars. It’s true. I was there when the first movie hit the big screen (let’s just say, a while ago) and now dreading while at the same time wildly anticipating the release of this last movie in the Skywalker saga, Start Wars: The Rise of Skywalker. As mawkishly sentimental as it may appear, I had to work it into a blog. Only here, in the end, will we most likely understand some of the true plot lines of this epic story.
How does this relate to my thoughts about open source software? I look at how the Skywalker story evolved over the years, how it took shape, and what and who impacted the narrative.
The same lookback can be undertaken for open source and, in fact, it has, right here in my own blog on the occasion (Happy Birthday, Open Source. The Term Turns 21). Let’s take that story a little further.
There are events that have shaped the course of open source and how companies use and implement it; lawsuits such as Oracle v. Google, Versata v. Ameriprise, and a number of years ago Free Software Foundation went after Cisco over some GPL code in one of their routers. The Struts vulnerability, of course, has a place in history given the impact it had on companies such as Equifax.
Likewise, Software Composition Analysis (SCA) has changed the course of open source and the engineering practices surrounding the management of perceived risks. SCA enables companies to be more proactive in their management of open source. There was a realization after Heartbleed that just because the source code is open doesn’t mean that it’s without examination and oversight to mitigate risks.
SCA allows companies to better understand what open source software they are using. It allows for the discovery of that open source, and it allows for the remediation of threat issues in a way that isn’t possible without the ongoing automated and controlled monitoring of an SCA platform.
During the exposure of the Heartbleed vulnerability, development teams went on hunting missions. They scrambled to understand what version of OpenSSL they had and then conducted fire drills to figure out how to rectify and remediate quickly and efficiently. SCA is a game changer for those companies that had to crawl painstakingly through complicated processes and manual work to get a handle on the situation. With SCA there is a continuous process that allows for in-the-moment understanding of what open source libraries you’re using and what versions are in use.
One of the challenges is that companies could have multiple versions of the same open source library in their product. Version control is a real issue. The ability to leverage SCA to make sure you have the latest version of a particular library and the version that is approved, safe, has the most desirable license terms according to your policies, and is used consistently across the entire product line is a huge benefit.
In the end, you’re accountable. You’re accountable from a reporting standpoint and to stakeholders about what’s in your solutions. That’s peace of mind.
“Your focus determines your reality.” Qui-Gon Jinn