Flexera is reimagining its software supply chain safety by embedding open-source security directly into the software development build process. In order to keep the software supply chain secure, the company announced its new FlexNet Code Aware product, which is an automated, open-source risk assessment and package discovery solution that lets developers quickly scan products for security and IP compliance risks.
According to the company, the new FlexNet Code Aware release extends its customers’ capabilities to do a quick scan for open-source vulnerabilities or issues. Jim Ryan, chief executive officer at Flexera said that with this capability, developers will have insight into what is actually in their code, which they can then share with their customers.
“Driving collaboration between software producers and their customers is essential to eliminating the waste, inefficiency and risk that currently exists in what can only be described as a dysfunctional software supply chain,” said Ryan.
The solution is integrated with Flexera’s InstallShield, a global standard used by developers for creating Windows desktop, server and cloud installers. FlexNet Code Aware also integrates with InstallAnywhere, which is the company’s solution for creating multiplatform installations for physical, virtual and cloud environments. If developers embed FlexNet Code Aware into InstallShield and InstallAnywhere solutions, they will have open-source security scanning as part of the software build process, allowing them discover the vulnerabilities before their software ships, said the company.
RELATED CONTENT: Black Duck audit highlights risks of open-source security vulnerabilities
Much of the code used in development today is open source, according to Flexera’s data, so it’s important that developers understand the vulnerability and compliance risks they take on when they use open-source code. With FlexNet Code Aware, developers are able to identify the libraries they are using, and what the associated licensing terms are to ensure compliance, said the company.
“Open-source security and compliance can’t be a once-a-year process – it simply doesn’t cut it any more given today’s demanding time-to-market pressures,” said Jeff Luszcz, vice president of product management at Flexera. “Build/release engineers are the last people to touch products on a daily basis before they are packaged for installation. Up until now they haven’t really been able to do much around open source vulnerability management.”