The FOSSA Podcast: SCA Purchasing and Implementation Trends

April 4, 2023 · 4 min read

The fourth episode of the FOSSA Podcast is a conversation about open source and what organizations are prioritizing as they evaluate software composition analysis (SCA) tools to manage OSS license compliance and security risks. Several longtime FOSSA employees talk about open source issues customers are trying to address and the tooling evaluation process, from research to POC to rollout.

Episode Outline

  • Introductions
  • Problems customers are trying to solve with SCA tools like FOSSA: 2:21
  • Considerations for evaluating SBOM tools: 7:58
  • Seasoned SCA users vs first-time SCA users: 14:10
  • How organizations can ensure smooth integration/rollout of SCA: 22:38
  • What companies should expect during an evaluation/POC of an SCA tool: 26:33
  • Best practices when transitioning from POC to a full rollout: 33:19
  • SCA tooling trends to know: 37:42
  • Final thoughts and takeaways: 45:50

Episode Highlights

Problems customers are trying to solve

Open source usage has increased significantly over the last five to ten years. Organizations are trying to understand how much of their codebase includes open source and the license compliance and security risks associated with it. They aim to enable engineers to code and innovate quickly. The urgency around this has been accelerated by the requirements around SBOMs for companies doing business with the U.S. federal government.

Traditionally, customers have implemented best practices around publishing attribution notices, staying on top of compliance, and detecting vulnerabilities. However, recent incidents like Log4j and SolarWinds, together with the Biden administration's cybersecurity executive order, have highlighted open source as a critical component of the software supply chain.

Whether it's legal teams looking into license compliance or security teams addressing vulnerabilities, the primary goal is empowering developers to innovate and build faster. This is achieved by operationalizing open source risk management at scale.

What stakeholders should keep in mind when evaluating SBOM tools

Legal teams should ensure any tool they evaluate for SBOMs accurately tracks all open source use and surfaces license obligations. When new vulnerabilities are discovered, security and engineering teams should consider how quickly these can be identified and resolved in their own codebases. Customers should seek solutions that generate an SBOM on demand and focus on shifting left, integrating this into their development lifecycle for continuous visibility into open source components.

Different approaches to evaluating SCA tools

Newer SCA buyers might need guidance on foundational elements like open source license compliance, and they may be transitioning from manual to automated open source management processes. Veteran SCA users often have automation in place. More experienced buyers look for accurate information, easy integration, and comprehensive codebase coverage. They seek tools that continuously scan every code commit and prioritize accuracy to avoid development slowdowns from false positives. Automation in report generation minimizes human error.

What organizations can do to ensure smooth SCA integration/rollout

A solid implementation plan is crucial for rolling out solutions and achieving quick value. Validate plans with vendors and align with priorities and requirements. Consider training and documentation to help developers understand and use the tools. Buy-in from all stakeholders is critical for a successful rollout. Successful teams inform, educate, involve, and engage their peers in the process.

What companies should expect during an evaluation/POC

At FOSSA, we provide coaching around the evaluation framework, ensuring details like test requirements and ROI are documented. Define success criteria and a timeline. With multiple stakeholders involved, setting expectations for the process is vital. Understand vendor onboarding and procurement processes to create an end-to-end project plan. FOSSA's discovery process involves collaboration on goals, optimal workflows, and best practices, building trust before the POC.

Best practices when transitioning from POC to a full rollout

Due diligence in the POC process ensures fit and alignment. Document customer goals, problems, timelines, roles, and training requirements. Rollouts that are well prepared and planned in collaboration with the customer success team typically succeed.

Trends in SCA solutions that customers should be aware of

Security emphasis has shifted from identifying as many vulnerabilities as possible to addressing actionable issues. Customers embrace a shift-left approach, aligning teams on shared open source management goals. Evaluate build vs. buy decisions for SCA, considering accuracy improvements from vendors. Open source management is becoming cross-functional, highlighting its importance in the software supply chain and the necessity for comprehensive visibility into open source risks.

Episode Host and Guests

Sara Beaudet, Support Engineer, FOSSA: Host of the FOSSA Podcast, passionate about cybersecurity and open-source software.

Alexandria Schulz, Regional Sales Manager, FOSSA: Early employee, regional sales manager for the West Coast.

Max McCone, Regional Sales Manager, FOSSA: East Coast region manager, recent NYC transplant.

Deepak Mehta, Head of Sales Engineering, FOSSA: Manages the POC process at FOSSA.
