May 1, 2024

It's Time for Managed Open-Source Software!

Fifteen months ago, we introduced the industry’s first SBOM Manager with SBOM360 for Software Builders. We followed that up with SBOM360 Hub – the industry’s first SBOM Exchange for buyers and sellers of software. Lineaje TPRM (Third Party Risk Management), launched in December 2023, enabled companies to manage the software they buy.

Today, we announce the Lineaje Open-Source Manager (OSM), the industry's first comprehensive solution that illuminates the embedded open-source software components in your applications and proactively manages and mitigates the risk they create for your organization. OSM provides enterprise-strength open-source governance for complex organizations.


The Open-Source Software Supply Chain of Vulnerabilities and Risks

Today, 90% of modern applications use open-source components. A typical application is about 70% open source; the rest is proprietary or third-party code. Lineaje's own research shows some applications with greater than 99% open source, especially those delivered by software contracting firms. On average, the following holds true for modern applications:

  • 95% of all vulnerabilities in an application come from its open-source dependencies.
  • 32% to 56% of vulnerabilities in open source are never fixed by the open-source developers.
  • Open-source dependencies in a typical application can span 100+ languages. Most development teams effectively support 5-6 languages.

In addition, about 70% of any open-source package that application developers pull in consists of further open-source dependencies from other open-source packages. These dependency chains run up to 30 levels deep, with the packages at each level developed by a different set of developers.

Even when enterprises source their open-source dependencies from well-known open-source organizations, those organizations cannot fix the vulnerabilities in their own dependencies and have no influence over them. Lineaje's research into Apache Software Foundation (ASF) software revealed that 82% of the components in ASF projects are highly risky.

Open-Source Software Management is Different from Managing your own Private Software Components.

As an industry, we have invested in sophisticated tools that help us manage the code that our developers write, build, integrate, and deploy. Open-source code, on the other hand, is written, built, integrated, and packaged outside our control, which calls for new controls that provide visibility into every tier of this deep, multi-level open-source world.


Open-source innovation fuels our innovation and accelerates our digital transformation. Open-source developers are typically great innovators but not-so-great maintainers of software. They are driven by an urge to innovate, to create new value that excites them. Organizations pick these dependencies assuming that the open-source developers will keep supporting them. Over time, developers move on to other things, and the tedious and ever more complex maintenance task falls on fewer and fewer unpaid developers even as the total lines of code grow with each version.


It’s time for managed open-source: Introducing Lineaje Open-Source Manager

Lineaje Open-Source Manager is your fully automated open-source office in a box. This comprehensive, first-of-its-kind solution brings transparency to the open-source software components in your applications and proactively manages and mitigates the associated risks. Lineaje's OSM enables full-lifecycle governance of open-source software with trust, speed, and reliability, helping complex software development organizations build a stronger overall security posture.


Sophisticated software development is a team sport. It involves many functions, among them legal, engineering, DevOps, DevSecOps, GRC, and product management, each assessing what you source from a different policy and compliance angle. OSM automatically aligns each function with the appropriate software stage and applies that function's policies at the gate of its choosing, so that every open-source component meets expectations at all times and at every stage of software development, from sourcing to shipment.

OSM goes beyond discovery by introducing an innovative "plan & fix" module. Not all patches or vulnerability fixes are equally compatible, and they are not all applied at the same dependency depth. Lineaje AI with BOMbots generates open-source patching plans in minutes, so that developers can apply the compatible patches as one batch and handle the incompatible ones as another. This reduces mean time to protect (MTTP) and saves up to 40% in software maintenance effort.

Unmaintained components with unfixed vulnerabilities and policy violations can be routed to in-house or outsourced teams chartered to maintain risky open-source dependencies.

Lineaje Open-Source Manager Enables Full Lifecycle Management of Open-Source with Trust

The OSM solution enables companies to: 

  • Simplify Selection and Discovery: Developers adding new dependencies can get assessments of the open-source components they wish to use against corporate policies. OSM automatically discovers all direct and transitive open-source components and assesses them for risk and integrity.
  • Analyze Inherent Risk: Automatically examine each component and application for risks, including vulnerabilities, licenses, code quality, security posture, maintainability, age, supplier, and provenance. Generate Findings for each function's policy violations.
  • Continuously Monitor Tamperability and Integrity Levels: Sophisticated fingerprinting identifies components with suspicious or unknown origins.
  • Establish Governance: Use consistent criteria for selecting, upgrading, and fixing open-source components, and create rules for each. Auto-detect components that violate policy using Lineaje's Findings engine.
  • Optimize Planning and Fix: Lineaje AI, using BOMbots, builds SMART "what if" plans in minutes. These SMART plans reduce maintenance effort by up to 40%. Lineaje OSM can also help developers generate CSAF/VEX statements for vulnerabilities and risks that do not impact their application and tie them to the generated SBOMs, reducing downstream churn for developers and customers.
  • Fix Unmaintained Open-Source: 95% of all vulnerabilities come from open source, and up to 56% of them are left unresolved. Unmaintained open-source components identified by OSM are routed to in-house or outsourced development teams with detailed remediation instructions.
  • Integrated Search: Search all dependencies in seconds for vulnerabilities, licenses, provenance, supplier details, and more across all supply chain trees, improving operational efficiency.
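The discovery and VEX items above describe two mechanical steps that are easy to get wrong: deciding whether a flagged component is a direct or transitive dependency, and emitting a "not affected" claim that downstream consumers can actually act on and trace back to the SBOM. The following Python is an added example, not Lineaje's code and not OSM's output format. It walks a constructed CycloneDX-style SBOM (the purls, serial number and vulnerability identifiers are placeholders, not real packages or CVEs), computes each component's dependency depth with a breadth-first search that tolerates cycles, and emits the analysis as a CycloneDX VEX document whose `affects` entries use BOM-Links back into the SBOM. CycloneDX's VEX profile is used here because it has an explicit link to the SBOM; CSAF VEX is a different format and is not shown. The check that a `not_affected` claim carries a justification is the one a practitioner would want before such a statement leaves the building.

```python
"""Dependency-depth discovery plus VEX emission over a CycloneDX-style SBOM.

Added example, not Lineaje/OSM code. Every identifier below is constructed:
the purls are hypothetical packages, the serial number is a fixed placeholder
UUID, and EXAMPLE-VULN-* are not real CVE identifiers.
"""
import json
from collections import deque
from datetime import datetime, timezone

# Constructed CycloneDX 1.5-style SBOM fragment. "dependencies" is the graph
# CycloneDX uses; note the c <-> d cycle, which real lockfiles do contain.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:00000000-0000-4000-8000-000000000001",  # placeholder
    "version": 1,
    "metadata": {"component": {"bom-ref": "pkg:generic/example-app@1.0.0"}},
    "components": [
        {"bom-ref": "pkg:npm/direct-a@1.0.0", "name": "direct-a"},
        {"bom-ref": "pkg:npm/direct-b@2.0.0", "name": "direct-b"},
        {"bom-ref": "pkg:npm/trans-c@3.1.0", "name": "trans-c"},
        {"bom-ref": "pkg:npm/trans-d@0.9.0", "name": "trans-d"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/example-app@1.0.0",
         "dependsOn": ["pkg:npm/direct-a@1.0.0", "pkg:npm/direct-b@2.0.0"]},
        {"ref": "pkg:npm/direct-a@1.0.0", "dependsOn": ["pkg:npm/trans-c@3.1.0"]},
        {"ref": "pkg:npm/direct-b@2.0.0", "dependsOn": ["pkg:npm/trans-c@3.1.0"]},
        {"ref": "pkg:npm/trans-c@3.1.0", "dependsOn": ["pkg:npm/trans-d@0.9.0"]},
        {"ref": "pkg:npm/trans-d@0.9.0", "dependsOn": ["pkg:npm/trans-c@3.1.0"]},
    ],
}

# Constructed triage results, as a scanner plus human review might produce them.
FINDINGS = [
    {"vuln": "EXAMPLE-VULN-0001", "ref": "pkg:npm/trans-d@0.9.0",
     "state": "not_affected", "justification": "code_not_reachable"},
    {"vuln": "EXAMPLE-VULN-0002", "ref": "pkg:npm/direct-a@1.0.0",
     "state": "exploitable"},
]

# Vocabulary of the CycloneDX vulnerability "analysis" object.
ANALYSIS_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                   "in_triage", "false_positive", "not_affected"}
JUSTIFICATIONS = {"code_not_present", "code_not_reachable", "requires_configuration",
                  "requires_dependency", "requires_environment",
                  "protected_by_compiler", "protected_at_runtime",
                  "protected_at_perimeter", "protected_by_mitigating_control"}


def dependency_depths(sbom):
    """BFS from the root component; returns {bom-ref: shortest depth}.

    Depth 1 is a direct dependency, anything deeper is transitive. The
    visited-set check makes cycles harmless."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    depths = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in graph.get(node, []):
            if child not in depths:
                depths[child] = depths[node] + 1
                queue.append(child)
    depths.pop(root)
    return depths


def bom_link(sbom, bom_ref):
    """CycloneDX BOM-Link: urn:cdx:<serial uuid>/<bom version>#<bom-ref>."""
    serial = sbom["serialNumber"].removeprefix("urn:uuid:")
    return f"urn:cdx:{serial}/{sbom.get('version', 1)}#{bom_ref}"


def build_vex(sbom, findings, tool_name="example-vex-builder"):
    """Turn triage findings into a CycloneDX VEX document tied to the SBOM."""
    depths = dependency_depths(sbom)
    vulns = []
    for f in findings:
        if f["ref"] not in depths:
            raise ValueError(f"{f['ref']} is not reachable in the SBOM dependency graph")
        if f["state"] not in ANALYSIS_STATES:
            raise ValueError(f"unknown analysis state {f['state']!r}")
        analysis = {"state": f["state"]}
        if f["state"] == "not_affected":
            # A not_affected claim without a justification is not actionable
            # downstream, so refuse to emit it rather than ship a bare assertion.
            if f.get("justification") not in JUSTIFICATIONS:
                raise ValueError(f"not_affected for {f['vuln']} needs a valid justification")
            analysis["justification"] = f["justification"]
        depth = depths[f["ref"]]
        kind = "direct" if depth == 1 else "transitive"
        analysis["detail"] = f"{kind} dependency at depth {depth}"
        vulns.append({"id": f["vuln"],
                      "affects": [{"ref": bom_link(sbom, f["ref"])}],
                      "analysis": analysis})
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(),
                     "tools": [{"name": tool_name}]},
        "vulnerabilities": vulns,
    }


if __name__ == "__main__":
    print(json.dumps(build_vex(SBOM, FINDINGS), indent=2))
```

Running the script prints the VEX document; the `detail` field records whether each finding sits on a direct or a transitive dependency, which is exactly the information a remediation plan needs when the fix has to land several levels down the chain.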

Try it Out Online or Come See us at RSAC 2024

We are excited to roll OSM out and get your feedback. Come see us at RSAC 2024 at our booth (NXT-3, South Building, Level 2) or register online for a demonstration. We will be delighted to offer you a free demonstration or POC for your open-source supply chain.


It is time to manage your open-source supply chain the way you manage the software you build. Your users and customers want you to, and so does the government. We are here to help!