IT organizations today are more dependent on open source code than ever; they’re just not always sure where it came from, whether they can legally use it or how secure it is.
Stepping into the middle of that potential legal and security quagmire this week is Sonatype, which has launched a new service that essentially allows an organization to check the provenance of any particular piece of open source code.
Sonatype’s main claim to fame is that it built and currently manages a central repository that many organizations use to discover pieces of open source code. Now the company is using that position to deliver Insight Application Health Check, an analytics tool and service that organizations can use to not only make sure they are using the latest, most secure version of a piece of code, but also that all the licenses associated with that code are in compliance with one another.
The licensing issue, says Sonatype CTO Jason van Zyl, isn’t always that well appreciated by developers who tend to not appreciate that, for example, code released under a General Public License (GPL) is often incompatible with code released under an Apache license. Often, developers combine code released under different licensing models that could create a potential legal issue when whatever application they build is ultimately released.
In addition, van Zyl notes that most open source projects have a formal way of updating developers when a new version of a particular piece of code has been made available or that a patch has been made available to address a specific security issue. As such, developers often wind up using code that is out of date.
Of course, some organizations have created their own repository to limit the open source code used by their organizations to projects they have vetted. But van Zyl says those “walled gardens” of code still have no automated way of being alerted every time a piece of code that has previously been vetted gets updated.
The Insight Application Health Check essentially provides a dashboard that highlights potential issues in any piece of code. Customers run the source code scanner provided by Sonatype. The results of that scan are then sent to Sonatype, which alerts the organization that the report is available via an email. The goal, says van Zyl, is to keep the process as unobtrusive as possible in order to make sure the compliance process doesn’t get in the way of actually developing code.
In an era where most applications are being built by stitching together reusable pieces of open source code, dependencies on code that are discovered later to have all kinds of security issues and dependencies can be catastrophic. Sonatype expects to help organizations address that issue in two forms. One is a subscription service that developers can invoke while building applications, while the other is essentially a one-time scan of applications that have already been deployed.
In either scenario, the goal is to limit potential liabilities that arise when using open source code. None of this means IT organizations should stop using open source code; it just means they should exercise a little more prudence when it comes to making sure the open source code they are deploying is really everything they think it is.