Introducing the Software Composition Analysis Maturity Model
In this post, we discuss a model that has recently been created to help software organizations and development teams understand where they lie on the security spectrum.
Organizations have benefited greatly from the use of, and investment in, Open Source Software. Improved build times and higher-quality code have led to more than 50% of applications being made up of open source software. The management of these Open Source assets is still nascent, because the focus has been narrowly on producing a quick bill of materials rather than on the broader question of how Open Source management teams work and how they fit into the larger organization.
To help legal, security, and development teams and leaders identify their existing gaps and direct future investment, Flexera has developed a maturity model framework based on an analysis of our customers and the market. The maturity model provides:
- A place to start.
- A benchmark to define where you are compared to your peers.
- A view of process maturity and the business value it delivers.
- A way to define what improvement means for your organization.
The model consists of four levels of maturity and is split along four dimensions that apply to all software organizations. By design, the model is not specific to any given industry.
Security and license compliance maturity in an organization is measured across these four dimensions:
- Vulnerability management - preventing security defects introduced through third-party component usage.
- License management - managing open source license dependencies and reducing the impact of legal risk.
- Obligation management - managing the obligations that arise from the use of open source software, based on the associated licenses and company policies.
- Component management - gaining insight into which components are used and how, and feeding that insight into usage and product roadmap decisions.
Open Source is here to stay, and it is creating value for a lot of companies. But the real test of Software Composition Analysis (SCA) will come in one key area: can companies make the most of their tooling, training, monitoring services, and incident management methods to achieve security and compliance? Flexera's maturity model is designed to help you identify gaps and manage the risk related to your use of Open Source software.
In the coming weeks, we will describe the SCA maturity model in detail, and walk through assessing your security and compliance risk at all levels of maturity. Stay tuned!
Published at DZone with permission of Ritu Kapoor, DZone MVB.