Software developers use a lot of third-party software today, much of which is open source. As software designs continue to become more modular, the use of third-party software is increasing. As a result, software is becoming more difficult to understand, even by the people who built it, which enables licensing and security risks to creep in. Flexera Software is addressing the problem with FlexNet Code Aware.
FlexNet Code Aware is an automated open source risk assessment and package discovery solution that enables software developers to quickly scan their products for security and intellectual property (IP) compliance risks. It integrates seamlessly with InstallShield or InstallAnywhere, so it becomes a standard part of the build process. Using FlexNet Code Aware, developers can expose and assess IP and vulnerability risks before their products ship.
“Developers depend on 50 percent of code they did not write and no one is able to track it by themselves.” said Jeff Luszcz, VP of Product Management at Flexera. “As a result, they aren’t able to securely manage, track, discover, and get vulnerability alerts on the third-party software they’re using.”
Manage Known Vulnerabilities
Software developers using third-party software have had no effective means of managing all their licenses and detecting security vulnerabilities, historically. FlexNet Code Aware solves those problems so organizations can minimize the likelihood of costly and embarrassing exploits like the OpenSSL Heartbleed vulnerability.
“FlexNet Code Aware provides a data feed to the National Vulnerability Database which is the clearing house for vulnerabilities. It’s the single source of truth for the industry,” said Luszcz. “The database tells you what the problem is, how serious it is and where to go for more information.”
Comply with Licensing Terms
FlexNet Code Aware identifies the libraries developers are using and what the associated licensing terms are so they can use components with greater levels of confidence.
“Open source people are very nice. They say, ‘You can use my library as long as you do A, B, C, and D,” said Luszcz. “However, we’ve got to make sure we’re doing those things. FlexNet Code Aware helps you discover what you have to do in order to use those components in a practical way.”
Enable Consistent Vigilance
Some organizations check the status of their licenses annually, which is insufficient given the fast pace of software delivery and the rate at which technology and software methods change. FlexNet Code Aware ensures that licensing and security vulnerabilities are checked during every build.
“If you’re only doing this once a year, the lists get stale, which means you’re not managing risks and you’re not alerting developers in a timely manner,” said Luszcz. “You need to do this for every build, every day so that you’re always watching out for new problems that may be introduced. It’s the only way to ensure that you’re really building a compliant and secure product.”
According to Flexera research, companies are only aware of four percent of the third-party software they’re using. As software teams continue to become even more dependent on third-party software, they need to be better informed about the associated rights and obligations they inherit when they use that software.
“Four percent awareness is pretty close to zero,” said Luszcz. “FlexNet Code Aware helps these teams deal with serious problems they’re not addressing adequately. For example, they’re not managing their open source software usage and they not managing third party software usage. FlexNet Code Aware makes it easy to start that process.”
A decade ago, developers were using less than 100 open source libraries per release. Now they using as many as 600 and over 1,000 in some industries, Luszcz said.
“Today’s software supply chains are very long. We’re all wrapping up our own applications and other people’s applications and there’s only that four percent disclosure rate,” said Luszcz. “We’re not passing on the right compliance information to the supply chain and we’re not asking for that information when we’re buying things. That’s something our industry really needs to address.”
As enterprise developers use more code from external parties, the number of dependencies increases and the complexity of projects increases. The trend will become more pronounced as software development becomes even more modular, particularly with the growing popularity of containers and microservices.
“It’s a lot more about wiring than coding,” said Luszcz. “We’re wiring together pieces of third-party software as opposed to writing the majority of it ourselves. In doing that, we’ve given up some of our first-hand knowledge of the code so we need to respect what the licenses say.”
Where to Go for Help
Flexera is reimaging the way software is bought, sold, managed, and secured. Its products collectively address those issues. The company also provides a rich set of educational resources which include free webinars, white papers, basic education services, training services and software support services.
Learn more at www.flexerasoftware.com.