The fast pace of modern software development is only possible because of open-source software (OSS), with up to 90% of a typical application's code made up of OSS components. However, over 75% of companies using OSS have a moderate or non-existent formalized curation process, creating significant risk and bottlenecks when the necessary security reviews are done late and by hand.
Hidden vulnerabilities, such as the recent Log4j vulnerability, and license compliance issues are costly and slow to remediate once they reach production. Organizations therefore need to control the OSS that developers use without reducing velocity. A set of curated OSS repositories lets an organization serve development teams an approved catalog of packages.
Achieving curation with fragmented tools, teams, and priorities is cumbersome, introduces blind spots, and generally slows the process. An integrated DevOps and security platform, by contrast, automates and streamlines the task of curating a robust set of third- and first-party packages that are ready for development.
CHALLENGES TODAY: CURATION WITHOUT IMPACTING VELOCITY
Automation of the Manual Review of OSS Packages
Package curation provides developers with a development-ready repository of OSS dependencies. Many organizations still rely on slow, siloed manual review processes that can take weeks to resolve a single request, hampering innovation. With automated policies and approval rules defined by your cross-functional experts, you can maintain velocity and develop, commit, build, integrate and deploy your applications without waiting on manual review.
Opaque Processes that Hinder Visibility
Organizations find it difficult to track and monitor open-source use across development teams. Developers have little or no knowledge of which packages have been approved or are still in the approval queue. The result is delayed software releases, expensive late-stage remediation, or vulnerable software being released.
Controlling OSS Package Use
Businesses lack the means to guide developer behavior so that vulnerable packages never enter development in the first place. With larger teams spread across multiple sites, organizations need a single source of truth that tracks and stores package workflow, approval, and usage metadata, and that provides shared visibility through a structure defining how, by whom, and where packages may be used.
HOW JFROG CAN HELP: COMPREHENSIVE INSIGHTS INTO SOFTWARE COMPONENTS
Automate OSS Package Approvals to Streamline Development
Bring Operations, Security, and Compliance personas into the DevOps process by allowing each to set automated rules and approval policies for their own domain. This increases development velocity while keeping package usage secure. The system automatically calculates each package's approval status from the combined domain policies, reducing curation from weeks to days.
Curation Process to Provide Visibility and Management
Empower stakeholders to search for specific packages and drill down into the details of their approval, timestamps, and risk. See which packages have not yet been approved and which have recently been found to have a vulnerability, with a clear indication of any affected repositories or builds together with proof of mitigation.
Best Practices to Streamline Development and CI/CD
Seamlessly integrate curation with existing development workflows to maintain velocity. Unapproved packages are held in isolation, away from the main development and production repositories, until they are approved. Developers can see a dependency's approval status directly in their IDE. Curation policies are applied before any commit or promotion: through development, on integration into a build, and on distribution to production.
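To make the approval model described above concrete, here is an added example of a policy-driven curation gate. It is illustrative code, not JFrog's product implementation: Security, Compliance and Operations each own one rule set, the verdicts are combined into a single approval status, and that status decides whether a package is promoted to a curated repository or stays in quarantine. The repository names, policy thresholds and all package metadata are constructed for the example; in practice the CVSS scores and license identifiers would come from a vulnerability feed and package manifests rather than being hardcoded.

```python
"""Policy-driven OSS package curation gate (added example, not JFrog code).

Each persona contributes one policy function returning a verdict and a reason.
Verdicts are combined per package: any BLOCKED wins, then any PENDING
(manual review needed), otherwise APPROVED. Only APPROVED packages are
routed to the curated repository; everything else stays in quarantine.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    license: Optional[str]      # SPDX identifier; None means unknown
    max_cvss: float             # highest CVSS among known vulnerabilities
    published: date
    verified_publisher: bool


@dataclass
class Decision:
    status: str                              # APPROVED, PENDING or BLOCKED
    reasons: List[str] = field(default_factory=list)
    target_repo: str = "oss-quarantine"      # hypothetical repository names


# Domain policies. Thresholds are assumptions chosen for the example.
SECURITY_MAX_CVSS = 7.0                      # block anything High or Critical
COMPLIANCE_ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause", "ISC"}
COMPLIANCE_DENIED = {"AGPL-3.0-only", "SSPL-1.0"}
OPS_MIN_AGE_DAYS = 14                        # cooling-off period for fresh releases
SEVERITY = {"APPROVED": 0, "PENDING": 1, "BLOCKED": 2}


def security_policy(pkg: Package, today: date):
    if pkg.max_cvss >= SECURITY_MAX_CVSS:
        return "BLOCKED", f"security: known vulnerability with CVSS {pkg.max_cvss}"
    return "APPROVED", None


def compliance_policy(pkg: Package, today: date):
    if pkg.license is None:
        return "PENDING", "compliance: license unknown, legal review required"
    if pkg.license in COMPLIANCE_DENIED:
        return "BLOCKED", f"compliance: license {pkg.license} is not permitted"
    if pkg.license not in COMPLIANCE_ALLOWED:
        return "PENDING", f"compliance: license {pkg.license} not on allowlist"
    return "APPROVED", None


def operations_policy(pkg: Package, today: date):
    age_days = (today - pkg.published).days
    if age_days < OPS_MIN_AGE_DAYS:
        return "PENDING", f"operations: released {age_days}d ago, below {OPS_MIN_AGE_DAYS}d cooling-off"
    if not pkg.verified_publisher:
        return "PENDING", "operations: publisher identity not verified"
    return "APPROVED", None


POLICIES = (security_policy, compliance_policy, operations_policy)


def evaluate(pkg: Package, today: date) -> Decision:
    """Run every domain policy and keep the most severe verdict plus all reasons."""
    decision = Decision("APPROVED")
    for policy in POLICIES:
        verdict, reason = policy(pkg, today)
        if SEVERITY[verdict] > SEVERITY[decision.status]:
            decision.status = verdict
        if reason:
            decision.reasons.append(reason)
    decision.target_repo = "oss-curated" if decision.status == "APPROVED" else "oss-quarantine"
    return decision


def gate(packages, today: date):
    """Promotion gate: map 'name@version' to its Decision; only APPROVED may be promoted."""
    return {f"{p.name}@{p.version}": evaluate(p, today) for p in packages}


# Constructed sample data; package names and metadata are fictitious.
TODAY = date(2024, 6, 1)
SAMPLE_PACKAGES = [
    Package("acme-http", "2.3.1", "Apache-2.0", 0.0, date(2024, 1, 15), True),
    Package("fast-json-lite", "0.0.2", "MIT", 0.0, date(2024, 5, 30), False),
    Package("legacy-crypto", "1.2.0", None, 9.8, date(2019, 3, 2), True),
    Package("db-driver", "3.0.0", "AGPL-3.0-only", 0.0, date(2022, 8, 9), True),
]


def run_sample():
    return gate(SAMPLE_PACKAGES, TODAY)


if __name__ == "__main__":
    for key, d in run_sample().items():
        print(f"{key:22} {d.status:9} -> {d.target_repo}  {'; '.join(d.reasons)}")
```

The ordering rule matters: a package that is both vulnerable and of unknown license is BLOCKED, not merely PENDING, and every reason is retained so the record shows what each persona must sign off on before re-evaluation. Routing to a separate quarantine repository, rather than simply flagging, is what keeps an unapproved dependency out of builds until the status changes.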
“In the wake of recent events such as the recent Log4J vulnerability and the software supply chain attacks in 2021, organizations are beginning to realize they need more insight and control over the open-source components their developers are embedding in their applications.”
-Jim Mercer, Research Director, IDC’s DevOps and DevSecOps