Open source a silent killer? CAST talks about their new alliance with Software Heritage

We sit down with CAST Software CEO Vincent Delaroche to discuss the company's new partnership with Software Heritage and how the use of open source code can get organisations into some hot water.

Open source software (OSS) is fairly hard to avoid these days as an enterprise organisation. The promises of OSS are simply too good to ignore, allowing organisations to arm their developers with code that has been looked over by thousands of eyeballs, all striving to improve it or adapt it to specific use cases that anyone can take advantage of. It's a great promise that leads to some great rewards, and adoption is not slowing down any time soon.

A business's open source software assets can present a bit of a minefield, as it can be hard to ascertain exactly where the components of OSS originally come from, and who has worked on them in the interim. This presents a challenge both for security (i.e. are there known weaknesses in certain OSS code?) and for intellectual property, as it can be hard to determine which OSS licences the code falls under.

Some licences demand that any meaningful modification or utilisation of the software, in keeping with OSS principles, also be made publicly available. This can even extend to OSS components that are used as a small building block of a wider 'proprietary' application. What this means is, even if businesses use one tiny piece of OSS code in their in-house applications, they could be subject to an obligation to release the source code or face legal action for non-compliance.

Combine IP lawsuits with the aforementioned security concerns and organisations could really have a problem on their hands, which is why the market for software composition analysis (SCA) tools is picking up a bit of steam. SCA tools aim to provide a 'diagnostic' view of all the OSS components that exist within a business and determine whether there is a vulnerability or a particular licensing requirement to consider. CAST is one of these vendors, and they've just announced a new alliance with the source code archival not-for-profit Software Heritage, with the aim of taking SCA one step further.

Essentially, CAST is working with Software Heritage, who oversee the world's largest open archive of software source code, to develop a 'provenance index' which allows users to trawl through Software Heritage's archive using CAST's Highlight SCA software to identify the original occurrence of any given source file, and all of its subsequent occurrences. CAST says this will allow users to assess any third-party source code against Software Heritage's library of five billion plus known source code files, weeding out any vulnerabilities and licensing risks they present.
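To make the idea of a provenance index concrete, here is an added illustration (not CAST's or Software Heritage's code) of the core lookup: identical file contents are keyed by their Software Heritage content identifier (the Git blob hash), and the oldest archived occurrence is treated as the ancestor whose licence governs later copies. The archive here is a constructed in-memory stand-in; the real index would be built over Software Heritage's archive rather than a dictionary.

```python
import hashlib
from dataclasses import dataclass

# Assumed matching mechanism: exact-content lookup keyed by the SWHID of the
# file, i.e. sha1("blob <len>\0" + bytes), the same value Git uses for a blob.
def content_swhid(data: bytes) -> str:
    return "swh:1:cnt:" + hashlib.sha1(b"blob %d\0" % len(data) + data).hexdigest()

@dataclass(frozen=True)
class Occurrence:
    origin: str   # repository the identical file was archived from
    path: str     # path inside that repository
    date: str     # ISO-8601 commit date, used to order occurrences
    licence: str  # licence declared by that repository

class ProvenanceIndex:
    """Maps a content SWHID to every archived place the identical bytes appear."""
    def __init__(self):
        self._by_swhid = {}

    def add(self, data: bytes, occ: Occurrence) -> str:
        swhid = content_swhid(data)
        self._by_swhid.setdefault(swhid, []).append(occ)
        return swhid

    def lineage(self, data: bytes) -> list:
        """All occurrences of identical content, oldest first; [] if never archived."""
        return sorted(self._by_swhid.get(content_swhid(data), []), key=lambda o: o.date)

    def ancestor(self, data: bytes):
        """The original occurrence: the copy whose licence the descendants inherit."""
        line = self.lineage(data)
        return line[0] if line else None

# Constructed sample archive (hypothetical origins, not real Software Heritage data).
HELPER = b"def parse(buf):\n    return buf.split(b'\\0')\n"
INDEX = ProvenanceIndex()
INDEX.add(HELPER, Occurrence("https://example.org/upstream/lib", "src/parse.py", "2014-03-02", "GPL-3.0"))
INDEX.add(HELPER, Occurrence("https://example.org/fork/lib", "parse.py", "2017-11-20", "MIT"))
INDEX.add(HELPER, Occurrence("https://example.org/acme/app", "vendor/parse.py", "2020-06-01", "Proprietary"))

def assess(data: bytes, index: ProvenanceIndex = INDEX) -> str:
    """Report which licence a vendored file actually inherits according to the index."""
    anc = index.ancestor(data)
    if anc is None:
        # Exact hashing means any edit (even whitespace) produces a different SWHID.
        return "unknown: content not in archive"
    copies = len(index.lineage(data))
    return f"ancestor {anc.origin} ({anc.date}) licence {anc.licence}; {copies} archived copies"
```

The fork's MIT relabelling does not change what the vendored copy inherits: the index reports the 2014 GPL-3.0 ancestor, which is exactly the IP exposure the article describes.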

We spoke to Vincent Delaroche, CEO at CAST, to find out a little bit more about the project and what it could offer for users.


Regarding the provenance indexing partnership with Software Heritage, why did CAST decide to work on this and what were the goals of the project?


CAST entered the SCA (software composition analysis) market in 2018, and we realised there was a big need for a solution to properly check and control IP risk exposure. But to do so effectively, one needs reliable detection of the original component holding the initial license, since it is the one driving all the "descendants". This must be done automatically to enable a repeatable, systematic process that can be replicated across every project (i.e. not manual).

As Software Heritage is the largest database available and they're committed to growing the archive, it made a lot of sense for us to partner with them. We are aligned with the mission of Software Heritage, and we also know that identifying and archiving all the OSS in the world can't be done by one single company… it's a community project, where everyone must contribute.


How will the project work?

Software Heritage is already accessible through an open API. With CAST Highlight, users can automate and scale their searches to extract a full list of components that appear in their source code. Through our agreement with Software Heritage, CAST will also identify the original "ancestor" of that component.

This last point is very unique: CAST Highlight is the only solution able to automatically flag at-risk components (from an IP perspective) and offer best-fix remediation advice thanks to the Software Intelligence we deliver through our MRI for software.


What security risks are presented to an organisation by open source code that isn't investigated?

When open source isn't managed properly, organisations can be either hacked or sued. In the case of a hack - open source components are great to use, because they accelerate the development process, but it also means that black hats have access to those same components and can find weaknesses in the code. If organisations don't track their use of open source, they will use components that have known vulnerabilities (also known as CVEs), making it much easier to breach or hack the company.

In the case of a suit - most open source components are governed by a license, essentially setting the ground rules for use. Some licenses are very open and allow a person or organisation to use the open source component in any way desired. Other licenses are much more restrictive, often stating that anything built on or using that component must also become open source. This can be catastrophic for an organisation's IP, as it could be lost to the open source world if components are used with restrictive licensing.


Is the provenance indexing project all about security, or are there other benefits?

The objective of the Software Heritage and CAST collaboration is to leverage CAST patented technologies to build a "Provenance Index" on the Software Heritage archive. The goal here is to help save time and give transparency to developers about the open source components they use so they can design and code safer software from a security and legal perspective.


Do you have any information/data on the likelihood that an organisation will be found to have vulnerable open-source code (if that organisation is in the 93% using open source code)?

The National Vulnerability Database tracks more than 100,000 known vulnerabilities. For organisations that have more than a handful of applications that use open source, there is almost a 100% chance that their software has or had a known vulnerability.


What are some ways that organisations can avoid inheriting problematic open-source code in the future? Are there some best-practices that they can take? Stop using so much open-source code?

The use of open source will only rise in the future. Organisations don't need to be afraid of it; they just need to catalogue and track their open source use.

Using software composition analysis, organisations can detect and manage all of their open source components and identify any known vulnerabilities. If they have a process to check and fix these known vulnerabilities, it will dramatically reduce the risk of using open source software.


How long will it take to get the project up and running, and to create the 'unique indexing technology' developed through the partnership?

We are still in the process of creating the index. We have committed to a project duration of three years, but we expect to deliver early versions of the index within 12 months.