Open source a silent killer? CAST talks about their new alliance with Software Heritage

Open source software (OSS) is fairly hard to avoid these days as an enterprise organisation. The promises of OSS are simply too good to ignore, allowing organisations to arm their developers with code that has been looked over by thousands of eyeballs, all striving to improve it or adapt it to specific use cases that anyone can take advantage of. It's a great promise that leads to some great rewards, and adoption is not slowing down any time soon.

A business's open source software assets can present a bit of a minefield, as it can be hard to ascertain exactly where the components of OSS originally come from, and who has worked on them in the interim. This presents a challenge both for security vulnerabilities (i.e. are there known weaknesses in certain OSS code?) and for intellectual property, as it can be hard to determine which OSS licences the code falls under.

Some licences demand that any meaningful modification or utilisation of the software, in keeping with OSS principles, also be made publicly available. This can even extend to OSS components that are used as a small building block of a wider 'proprietary' application. What this means is, even if businesses use one tiny piece of OSS code in their in-house applications, they could be subject to an obligation to release the source code or face legal action for non-compliance.

Combine IP lawsuits with the aforementioned security concerns and organisations could really have a problem on their hands, which is why the market for software composition analysis (SCA) tools is picking up a bit of steam. SCA tools aim to provide a 'diagnostic' view of all the OSS components that exist within a business and determine whether or not there is a vulnerability or particular licensing requirement to consider. CAST is one of these vendors, and they've just announced a new alliance with source code archival not-for-profit Software Heritage, with the aim of taking SCA one step further.

Essentially CAST is working with Software Heritage, who oversee the world's largest open archive of software source code, to develop a 'provenance index' which allows users to trawl through Software Heritage's archive using CAST's Highlight SCA software to identify the original occurrence of any given source file, and all of its subsequent occurrences. CAST says this will allow users to assess any third-party source code within Software Heritage's library of five-billion-plus known source code files, weeding out any vulnerabilities and licensing risks they present.
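To make the provenance idea concrete, here is a toy content-addressed provenance index written for this article; it is not CAST's or Software Heritage's code and says nothing about how their index is built. It assumes a source file is identified by its git-style blob hash (the scheme Software Heritage uses for content objects), so identical bytes share one id regardless of path or repository. The corpus, repository URLs, dates and licences are constructed for illustration; the report it produces for a file shows the earliest recorded occurrence, every later copy, and whether the origins disagree about licensing, which is exactly the kind of risk the article describes.

```python
"""Toy content-addressed provenance index for source files.

Added example, not CAST or Software Heritage code. Assumes a file is
identified by its git-style blob hash; the corpus, origins, dates and
licences below are constructed for illustration.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Occurrence:
    origin: str       # where the file was seen (constructed repository URL)
    path: str         # path inside that origin
    first_seen: str   # ISO-8601 date the archive first saw it there
    licence: str      # SPDX identifier declared by that origin


def content_id(data: bytes) -> str:
    """Git blob hash: SHA-1 over 'blob <len>\\0' + content. Identical bytes
    therefore share an id whatever path or repository they live in."""
    header = f"blob {len(data)}\0".encode()
    return hashlib.sha1(header + data).hexdigest()


class ProvenanceIndex:
    """Maps a content id to every recorded occurrence of that content."""

    def __init__(self) -> None:
        self._by_id: Dict[str, List[Occurrence]] = defaultdict(list)

    def add(self, data: bytes, occ: Occurrence) -> str:
        cid = content_id(data)
        self._by_id[cid].append(occ)
        return cid

    def occurrences(self, data: bytes) -> List[Occurrence]:
        # Oldest first, so [0] is the original and the rest are later copies.
        return sorted(self._by_id.get(content_id(data), []),
                      key=lambda o: o.first_seen)


def assess(index: ProvenanceIndex, data: bytes) -> Optional[dict]:
    """Provenance report for one in-house file: its original occurrence,
    later re-uses, and the set of licences those origins declare. Returns
    None when the archive has never seen the file (likely first-party code)."""
    occs = index.occurrences(data)
    if not occs:
        return None
    return {
        "content_id": content_id(data),
        "original": occs[0],
        "reuses": occs[1:],
        "licences": sorted({o.licence for o in occs}),
        # Flag when any origin in the chain declares a copyleft licence.
        "copyleft": any(o.licence.startswith("GPL") for o in occs),
    }


# Constructed sample corpus: one helper file re-used, byte for byte, in three repositories.
HELPER_SRC = (b"def retry(fn, n=3):\n    for _ in range(n):\n        try:\n"
              b"            return fn()\n        except Exception:\n            pass\n"
              b"    raise RuntimeError('gave up')\n")
OTHER_SRC = b"def unrelated():\n    return 42\n"


def build_sample_index() -> ProvenanceIndex:
    idx = ProvenanceIndex()
    idx.add(HELPER_SRC, Occurrence("https://example.org/alice/utils", "retry.py", "2015-03-02", "GPL-3.0-only"))
    idx.add(HELPER_SRC, Occurrence("https://example.org/bob/webapp", "vendor/retry.py", "2017-11-20", "MIT"))
    idx.add(HELPER_SRC, Occurrence("https://example.org/carol/tools", "lib/retry.py", "2019-06-01", "Apache-2.0"))
    idx.add(OTHER_SRC, Occurrence("https://example.org/dave/misc", "x.py", "2018-01-01", "MIT"))
    return idx


if __name__ == "__main__":
    index = build_sample_index()
    report = assess(index, HELPER_SRC)
    # The copy an in-house team vendored may say MIT, but the original is GPL.
    print(report["original"].origin, report["licences"], report["copyleft"])
    print(assess(index, b"print('in-house only')\n"))
```

The useful outcome is the disagreement the report surfaces: a team that copied the helper from a repository declaring MIT would, on the earliest recorded occurrence, be carrying GPL-licensed code. A real archive lookup adds scale (billions of files) but the same hash-then-trace logic applies, and the same check could equally key a vulnerability database on the content id.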

Pat Martlew

Patrick Martlew is a technology enthusiast and editorial guru that works the digital enterprise beat in London. After making his tech writing debut in Sydney, he has now made his way to the UK where he works to cover the very latest trends and provide top-grade expert analysis.