Still Using an Open Source Code to Identify Your Open Source? It’s 2019. You Can Do Much Better.

Introduction

Open Source is free to use, modify and distribute – but comes with the condition to abide by its relevant license. Many organizations are familiar with the legal requirements due to audits for M&A, IPO and investment purposes. Internal requirements can also be raised by various teams such as legal counsel or compliance officers. Open Source makes up 60-80% of the total code, and manual audits are very time-consuming. Up until 3 years ago open source scanning tools were popular, but they have since lost their customer base.

How it All Began

Black Duck Software introduced the first open source scanning solution in 2002. It was able to identify open source components and their licenses. Scanners were able to identify snippets of code which resemble open source components. Users still had to manually review alerts, meaning scanning tools weren’t as automated as expected.

The Three Pitfalls of Relying on Open Source Scanners

Pitfall #1: The Never-ending Tale of False Positives

Development teams would rule out a huge portion of alerts from scanning. With millions of open source components in use, the number of false positives became unmanageable. This led to time-consuming work and ran the risk of delays.

Pitfall #2: Agile SDLC Process? Not with an Open Source Scanner

Scanning for open source components cannot be done continually. Adoption of agile methodology means teams are trying to release product versions more frequently, a pace that open source scanners can’t maintain.

Pitfall #3: Time is of the Essence with Security Vulnerabilities

When a security vulnerability becomes known, it is critical to fix it as soon as possible. With open source scanning, you will only be made aware of vulnerabilities at the next scan, which could be months away. A continuous solution to open source auditing is necessary for tighter security control.

If Not Open Source Scanners, Then What?

Scanners were a good solution before the huge increase in open source usage and agile frameworks. The first agile open source management solution was introduced by WhiteSource in 2011. The shift to Software Composition Analysis tools has helped continuous security improvements in the development process – more automated, more functional and less time required.