Outsourcing Software Development? Don’t Forget about Code Security

Ensuring security across the global software supply chain is critical for taking advantage of external staffing resources

Lou Shipley

Companies across many industries outsource various jobs and tasks with speed, efficiency, and cost benefits in mind. Chief among these benefits is the ability to allocate savings realized through outsourcing to other critical initiatives. While leveraging external experts offers many advantages, the practice also brings significant risk, particularly in software development.

When considering outsourcing of software development, there are a number of issues to consider. Finding the right mix of skill sets, promoting efficient communication among global team members, reaching agreement on best practices, and ensuring the team is aligned on project goals, scope and timeframe are a few. In addition to these challenges, ensuring software security across the global software supply chain is a critical objective for organizations seeking to take advantage of external staffing resources.

Even when hiring reputable, highly skilled external developers, code security is a serious concern, and for good reason. Threats to digital security are increasing in prominence and scope, and the last thing executives want is for their company to make headlines alongside the words cyberattack, breach or hacked. Heartbleed (OpenSSL), Shellshock (Bash), POODLE and FREAK (TLS weaknesses that hit widely deployed open-source stacks such as OpenSSL, among others) illustrate that open-source software, though it offers many advantages on cost and efficiency, is not automatically more secure than its proprietary counterparts.

Achieving Balance: Realizing the Advantages of Open Source while Minimizing Risks

Organizations are searching for balance: encouraging the use of open source while limiting the risk of shipping known-vulnerable code. The challenges of managing external software development resources (in particular, those distributed across the globe) make it considerably harder to identify and address open-source-related vulnerabilities, because the organization often does not know which components and which versions its suppliers have pulled in.

Regardless of industry, global software supply chains are increasing in complexity. At the same time, the process of open-source code governance across the software development lifecycle is becoming more challenging. In fact, for most large enterprises, it’s likely that their development teams (both internal and external) are leveraging significant amounts of open-source code regardless of whether senior management fully understands the security, operational and licensing implications of its use. This lack of understanding of, and visibility into, open-source usage understandably gives senior management pause, particularly when vulnerabilities such as Heartbleed come to light.

Given this, it’s no wonder some companies approach software development labor arbitrage with caution. Fortunately, automating the management of open-source code across software development and the supply chain can help companies minimize risks while achieving their labor arbitrage objectives—contributing to their peace of mind as they consider external options for software development.

Automation and the Global Software Supply Chain: Improving Visibility and Control over Code Usage

Companies today routinely receive, modify and reuse software components through their global software supply chain. As a result, the use of automated tools and best practices to gain visibility into suppliers’ code is becoming more strategically important than ever. The more far-removed the supplier or development team, the higher the stakes when it comes to security and licensing risks.

To keep the global software supply chain secure, it’s critical for organizations that are outsourcing software development to identify vulnerabilities associated with open-source code as rapidly as possible, so that vendors, suppliers and other partners can respond quickly and limit possible damage. Automated approaches, combined with a commitment to maintaining open communications about possible security risks across company boundaries, help companies achieve this goal.

The other benefits of automated, global open-source code governance approaches include:

  • Helping developers find and assess the best open-source components from among the hundreds of thousands available on the Internet.
  • Maintaining quality when software is built from code compiled from large numbers of external components.
  • Managing code across the application lifecycle, including open-source, third-party and internally sourced code.

Responding Faster to Vulnerabilities as They Emerge

With automated controls in the build process, a newly disclosed vulnerability in a component already in use can be caught before the affected version enters the production code base and replicates across the software supply chain. The ability to identify open-source security vulnerabilities in the existing code base and map known issues to the code actually in use (down to the specific version, its license and the level of community activity around the project) lets organizations plan, prioritize and schedule remediation. Such controls catch known vulnerabilities in components they can identify; they do not replace review of the supplier's own code. This approach helps keep projects on schedule even given the inherent challenges of keeping geographically dispersed teams on track.

In addition, automated tools for open-source management allow users to monitor on an ongoing basis for future vulnerabilities associated with the existing open source in their code base. Armed with this information, companies can efficiently manage thousands of applications under development across hundreds of developer teams—regardless of where those teams are located.
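As an added worked example (not Black Duck code and not part of the original article), the following Python sketch shows the two controls described above: a build gate that maps an advisory feed onto the exact component versions in a dependency inventory and fails the build when a match is at or above a severity threshold, and a monitoring step that reports advisories newly affecting components already shipped. The inventory, version numbers and advisory identifiers are all constructed placeholders; a real tool would read the inventory from a lockfile or SBOM and the advisories from a vulnerability database.

```python
"""Build-time gate and monitoring for known-vulnerable open-source components.

Added example, not Black Duck code. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder identifier, not a real CVE number
    component: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix yet
    severity: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.2.1' or OpenSSL-style '1.0.1f' into a comparable tuple.

    Each dotted piece becomes (number, letter_value) so that 1.0.1f < 1.0.1g
    and 1.0.1g < 1.0.2 compare the way version ordering expects.
    """
    parts: List[int] = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        letters = "".join(ch for ch in piece if ch.isalpha())
        parts.append(int(digits) if digits else 0)
        parts.append(sum(ord(c) - ord("a") + 1 for c in letters.lower()))
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True if `version` lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def scan(inventory: Dict[str, str], feed: List[Advisory]) -> List[Advisory]:
    """Map advisories onto the exact component versions in use."""
    return [a for a in feed
            if a.component in inventory and is_affected(inventory[a.component], a)]


def build_allowed(inventory: Dict[str, str], feed: List[Advisory],
                  threshold: str = "high") -> bool:
    """Build gate: refuse the build if any match is at or above `threshold`."""
    bar = SEVERITY_RANK[threshold]
    return not any(SEVERITY_RANK[a.severity] >= bar for a in scan(inventory, feed))


def new_findings(inventory: Dict[str, str], old_feed: List[Advisory],
                 new_feed: List[Advisory]) -> List[Advisory]:
    """Ongoing monitoring: advisories affecting code already in use that were
    absent from the previous feed snapshot."""
    seen = {a.advisory_id for a in old_feed}
    return [a for a in scan(inventory, new_feed) if a.advisory_id not in seen]


# Constructed inventory (hypothetical component versions, e.g. from a lockfile).
INVENTORY = {"openssl": "1.0.1f", "bash": "4.3", "libfoo": "2.4.0"}

# Constructed advisory feed snapshots. IDs and ranges are placeholders.
FEED_DAY1 = [
    Advisory("ADV-0001", "openssl", "1.0.1", "1.0.1g", "critical"),
    Advisory("ADV-0002", "libfoo", "2.0.0", "2.3.0", "high"),  # fixed before 2.4.0
]
FEED_DAY2 = FEED_DAY1 + [
    Advisory("ADV-0003", "bash", "1.14", None, "high"),  # no fixed version yet
]


if __name__ == "__main__":
    for a in scan(INVENTORY, FEED_DAY1):
        print(f"{a.advisory_id}: {a.component} {INVENTORY[a.component]} ({a.severity})")
    print("build allowed:", build_allowed(INVENTORY, FEED_DAY1))
    patched = dict(INVENTORY, openssl="1.0.1g")
    print("build allowed after upgrade:", build_allowed(patched, FEED_DAY1))
    for a in new_findings(INVENTORY, FEED_DAY1, FEED_DAY2):
        print("new advisory for shipped code:", a.advisory_id, a.component)
```

Run as a script, the gate refuses the day-one build because of the critical openssl match, accepts it once openssl is upgraded past the fixed version, and the day-two feed surfaces the unfixed bash advisory as a new finding for code already shipped. The gate only knows about components the inventory names and advisories the feed carries, so accurate inventories from every supplier matter as much as the feed itself.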

When considering software development outsourcing, it’s understandable to be wary. But by taking a best-practices approach to managing code development across the global software supply chain, organizations can meet their cost-savings and efficiency improvement goals while enabling developers to avoid security pitfalls, work faster and smarter, and successfully leverage the advantages of open-source development.

Lou Shipley is the president and CEO of Black Duck Software. He brings more than 25 years of experience as an enterprise software executive. He is a veteran of five Massachusetts software startups: Avid, WebLine (Cisco), FairMarket (Ebay), Reflectent (Citrix) and VMTurbo. Shipley was president and CEO of VMTurbo, Inc., and Reflectent Software (acquired by Citrix Systems in 2006), both of which served the enterprise and financial services industries. Shipley also serves as chairman of the board of CustomerGauge, and is an advisor to AppFirst and Unidesk Software. He holds a BA in economics from Trinity College and an MBA from Harvard Business School. He is a lecturer at the MIT Sloan School of Management, where he teaches the course Technology Sales & Sales Management.
