Open source a silent killer? CAST talks about their new alliance with Software Heritage

We sit down with CAST Software CEO Vincent Delaroche to discuss the company's new partnership with Software Heritage and how the use of open source code can get organisations into some hot water.

Open source software (OSS) is fairly hard to avoid these days as an enterprise organisation. The promises of OSS are simply too good to ignore, allowing organisations to arm their developers with code that has been looked over by thousands of eyeballs, all striving to improve it or adapt it to specific use cases that anyone can take advantage of. It's a great promise that leads to some great rewards, and implementation is not slowing down any time soon.

A business's open source software assets can present a bit of a minefield, as it can be hard to ascertain exactly where the components of OSS originally come from, and who has worked on them in the interim. This presents a challenge on two fronts: security vulnerabilities (i.e. are there known weaknesses in certain OSS code?) and intellectual property issues, as it can be hard to determine which OSS licences the code falls under.

Some licences demand that any meaningful modification or utilisation of the software, in keeping with OSS principles, also be made publicly available. This can even extend to OSS components that are used as a small building block of a wider ‘proprietary’ application. What this means is, even if businesses use one tiny piece of OSS code in their in-house applications, they could be subject to an obligation to release the source code or face legal action for non-compliance.

Combine IP lawsuits with the aforementioned security concerns and organisations could really have a problem on their hands, which is why the market for software composition analysis (SCA) tools is picking up a bit of steam. SCA tools aim to provide a ‘diagnostic’ view of all the OSS components that exist within a business and determine whether or not there is a vulnerability or particular licensing requirement to consider. CAST is one of these vendors, and they've just announced a new alliance with source code archival not-for-profit Software Heritage, with the aim of taking SCA one step further.

Essentially CAST is working with Software Heritage, who oversee the world's largest open archive of software source code, to develop a ‘provenance index’ which allows users to trawl through Software Heritage's archive using CAST's Highlight SCA software to identify the original occurrence of any given source file, and all of its subsequent occurrences. CAST says this will allow users to assess any third-party source code against Software Heritage's library of more than five billion known source code files, weeding out any vulnerabilities and licensing risks they present.
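To make the provenance idea concrete, here is a small added example (not CAST Highlight or Software Heritage's real index) of how a file-level provenance lookup can work: each file is identified by a content hash, the index records every place that exact content has been seen, and the earliest occurrence is treated as the origin whose licence governs the obligation. The hash used is the git-style blob digest that Software Heritage's content identifiers (`swh:1:cnt:<hex>`) are built from; the project names, paths, years, licences and the `COPYLEFT` set are constructed for the illustration.

```python
"""Toy provenance index: identify a source file by content hash, record where it
first appeared and where it shows up again, and flag source-disclosure licences.
Added illustration only; sample projects, paths and licences are constructed."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def git_blob_sha1(content: bytes) -> str:
    """Git/Software Heritage content hash: sha1(b"blob <len>\\0" + content)."""
    header = b"blob %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()


@dataclass
class Occurrence:
    project: str   # constructed project name
    path: str      # path of the file inside that project
    year: int      # year the file appeared there (constructed)
    licence: str   # SPDX-style licence of that project (constructed)


@dataclass
class ProvenanceRecord:
    swhid: str
    occurrences: List[Occurrence] = field(default_factory=list)

    @property
    def origin(self) -> Occurrence:
        # Earliest sighting is taken as the original occurrence.
        return min(self.occurrences, key=lambda o: o.year)


class ProvenanceIndex:
    def __init__(self) -> None:
        self._records: Dict[str, ProvenanceRecord] = {}

    def add(self, content: bytes, occ: Occurrence) -> str:
        swhid = "swh:1:cnt:" + git_blob_sha1(content)
        rec = self._records.setdefault(swhid, ProvenanceRecord(swhid))
        rec.occurrences.append(occ)
        return swhid

    def lookup(self, content: bytes) -> Optional[ProvenanceRecord]:
        return self._records.get("swh:1:cnt:" + git_blob_sha1(content))


# Licences that carry a source-disclosure obligation (constructed subset).
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def assess(index: ProvenanceIndex, content: bytes) -> dict:
    """Report the origin of a file, how many later copies exist, and whether the
    origin licence is copyleft (the licensing risk the article describes)."""
    rec = index.lookup(content)
    if rec is None:
        return {"known": False}
    origin = rec.origin
    return {
        "known": True,
        "swhid": rec.swhid,
        "origin": f"{origin.project}:{origin.path}",
        "origin_licence": origin.licence,
        "copyleft": origin.licence in COPYLEFT,
        "copies": len(rec.occurrences) - 1,
    }


# Constructed sample: a file that first appeared in a GPL project and was later
# vendored byte-for-byte into two other projects under different licences.
SAMPLE_FILE = b"int add(int a, int b) { return a + b; }\n"


def build_sample_index() -> ProvenanceIndex:
    idx = ProvenanceIndex()
    idx.add(SAMPLE_FILE, Occurrence("libmath", "src/add.c", 2009, "GPL-2.0-only"))
    idx.add(SAMPLE_FILE, Occurrence("vendor-app", "third_party/add.c", 2014, "Proprietary"))
    idx.add(SAMPLE_FILE, Occurrence("other-tool", "lib/add.c", 2017, "MIT"))
    return idx


if __name__ == "__main__":
    print(assess(build_sample_index(), SAMPLE_FILE))
```

The point of hashing the content rather than matching on file names is that a vendored copy keeps its identity even when it is renamed or relicensed downstream: the `MIT` and `Proprietary` copies above still resolve to the `GPL-2.0-only` origin, which is what an SCA user needs to know. A real index would also need near-match detection for files that were modified after copying, which exact hashing does not cover.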

We spoke to Vincent Delaroche, CEO at CAST, to find out a little bit more about the project and what it could offer for users.
