The way software is created is in the midst of fundmental change. Agile, component-based software development are helping coders create applications faster and more efficiently than ever before, but the process has also introduced complex new risks and requirements. Four critical steps can help reduce those risks.
Guest author Jason van Zyl is the founder of the Apache Maven project, the Plexus IoC framework and the Apache Velocity project and helped establish Codehaus, an incubation facility for open-source community projects. He currently serves on the board of the Eclipse Foundation and is CTO of Sonatype.
For most of its history, software has been written – applications consisted primarily of custom-developed code and internally developed components with only a small fraction of code sourced from outside the organization. During the past ten years the widespread use of cloud- based infrastructures and the rise of open-source technologies have heavily influenced the software development landscape with start-ups and established organizations demanding increased flexibility and improved time to value.
As a result, modern software development has become increasingly component-based, where applications are assembled from existing components rather than written from scratch and the vast majority of components are sourced from outside the organization. In most cases externally sourced components are open source. In fact, more than 80% of a typical Java application is assembled from existing open-source components and frameworks.
The GitHub Effect
Just how popular collaborative, open-source development has become was made clear with the historic $100 million investment by Andreessen-Horowitz in GitHub, the code sharing and social networking site for programmers.
Developers are turning to forges like GitHub at an accelerated rate and with good reason. It’s easy to use, the cost is nominal and it provides an invaluable service – version control for community-driven projects and the simplification of contribution management.
GitHub, and other repositories like it, democratize open-source development and help young projects grow. But once source-code graduates and becomes binary code ready for mass adoption, project teams distribute their finished products via the Central Repository – a free, openly available, cloud-based repository where developers distribute their software to millions of users globally. The Central Repository, which is operated by Sonatype, has become the industry’s primary source for open-source artifacts, housing more than 400,000 components, servicing more than 7.5 billion requests per year to 60,000 organizations worldwide, including more than half of the Global 2,000.
Complex New Risks
While development teams have embraced agile software development processes – rapid, continuous and collaborative – the shifting software development landscape has also introduced new risks and requirements. Applications can be composed of hundreds of components sourced from myriad open-source projects and these components can in turn, depend on other components, known as transitive dependencies. This creates an enormously complex supply chain, where a single application may contain components originally published by dozens of individual projects. Whether provided by commercial vendors or open-source initiatives, components can introduce significant management, security and licensing challenges. Recent analysis by Aspect Security using data from the Central Repository uncovered widespread security vulnerabilities among the most commonly used open-source components.
Component flaws may pose substantial business and technical risks to an organization, including security breaches and intellectual property claims as well as application stability and performance defects. Few organizations, let alone cash-strapped start-ups, have the proper controls in place to mitigate the risks posed by flawed components.
A complicating factor is the the double-edged sword of open-source innovation. On the one hand, open-source projects evolve and release frequently (the average component is updated four times per year) enabling users to reap the benefits of rapid innovation and bug fixes. On the other hand, the ecoystem lacks an effective update awareness mechanism, making it very difficult to keep up with projects and manage change – especially for large enterprises that consumes thousands of components each month.
Component Lifecycle Management
To firmly establishing both control and visibility across today’s complex and agile software supply chain, organizations young and old should take the following steps toward Component Lifecycle Management (CLM) – the practice of proactively managing the use of components throughout the supply chain.
Step 1: Inventory – Gather information about your current component usage
- Tack component downloads and usage to understand consumption.
- Inventory internal component repositories to determine what is being distributed to development teams.
- Understand the software supply chain to determine which components and dependencies are being introduced to the organization.
Step 2: Analyze – Understand vulnerabilities in applications and repositories
- Analyze key applications to uncover known security vulnerabilities.
- Analyze internal component repositories to discover vulnerable components.
Step 3: Control – Establish controls throughout the development lifecycle
- Establish policies regarding security, the use of viral licenses and out-of-date or out-of-version components.
- Eliminate or blacklist known vulnerable components in internal repositories.
- Establish mechanisms to prevent known flawed components from entering the organization.
- Implement controls in build and continuous integration (CI) systems to prevent inclusion of flawed components in software builds.
Step 4: Monitor – Maintain awareness of component updates
- Maintain an inventory of all components and dependencies used in production applications.
- Continuously monitor application bill-of-materials for updates and newly discovered vulnerabilities.
Properly managing the use of open-source components throughout the software development lifecycle will let organizations focus not merely on the cost savings it can bring, but also on the wealth of innovation. The component revolution is upon us.
Are you ready?