
How we help organizations manage third party software components in continuous delivery

posted Apr 21, 2017, 4:48 AM by Björn Spåra   [ updated Apr 21, 2017, 3:38 PM by Software Census AB ]

Continuous Software Composition Analysis
Modern applications are not developed so much as assembled out of components, tightly glued together and enclosed in custom application code. It is estimated that out of all code making up a typical modern application, roughly 90% of it is third party code components such as frameworks and libraries. Each of those components is subject to the terms of its individual license agreement and potentially vulnerable to security threats. According to Gartner, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages by 2019, up from less than 10% in 2016.

How are you addressing these challenges?
The Software Composition Assessment Service is typically an 8-10 week consulting engagement designed to help you identify how and where open source software is used across your enterprise and to establish a foundation for defining continuous software composition analysis requirements. The assessment provides a gap analysis in which your organisation's current practices are compared against industry best practices, and we offer a set of recommendations to address the identified gaps.

The following format is used to deliver this service:
  • Planning - Scoping of the engagement, establishing a project team, and formalizing a project plan which includes critical success factors and metrics.
  • Data collection - Gathering documentation, policies and key information about your apps, their third party software components and your organisation's software development practices. How is your app developed? By whom? How is your app delivered? Who is using it? For what purpose? Which OSS and third party components are used?
  • Risk analysis - Data is consolidated and analysed from a risk perspective in three domains:
    • Security - Known vulnerabilities currently present in your code base
    • Legal - Rights transferred or granted under each software component's license agreement, and the impact of the application delivery model
    • Operational - Component criticality and continued development through community involvement
  • Gap analysis - Requirements for a continuous software composition analysis baseline, financial impact assessment and current maturity level.
  • Recommendations and roadmap - Report and recommend key initiatives for improvement, including a high-level plan and roadmap for governance, control and operation of continuous software composition analysis.
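The three risk domains above map naturally onto an automated pipeline gate. The following is an added illustration, not Software Census's code or framework: it runs a constructed component inventory against a constructed advisory list, a license policy that depends on the delivery model (strong copyleft matters when the application is distributed, less so when it is run as a service), and two operational thresholds. Component names, versions, advisory identifiers and thresholds are all hypothetical; versions are assumed to be plain dotted integers and an advisory is assumed to affect every version below its `fixed_in` value.

```python
"""Minimal continuous SCA gate over constructed data (stdlib only)."""

# Constructed inventory; in practice this would come from a build-time SBOM.
COMPONENTS = [
    {"name": "web-framework", "version": "2.3.1", "license": "MIT",
     "days_since_release": 40, "maintainers": 12},
    {"name": "image-lib", "version": "1.0.4", "license": "GPL-3.0",
     "days_since_release": 900, "maintainers": 1},
    {"name": "json-parser", "version": "0.9.0", "license": "Apache-2.0",
     "days_since_release": 15, "maintainers": 3},
]

# Constructed advisory feed with hypothetical identifiers (not real CVEs).
# A component version strictly below fixed_in is treated as affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "image-lib", "fixed_in": "1.1.0", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "name": "web-framework", "fixed_in": "2.0.0", "severity": "critical"},
]

# Legal policy keyed by delivery model (assumed policy, adjust to your own).
DENIED_LICENSES = {
    "distributed": {"GPL-2.0", "GPL-3.0", "AGPL-3.0"},
    "saas": {"AGPL-3.0"},
}

STALE_DAYS = 365        # operational: no release within a year
MIN_MAINTAINERS = 2     # operational: bus-factor threshold


def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) so tuples compare numerically."""
    return tuple(int(part) for part in v.split("."))


def security_findings(components, advisories):
    """Security domain: components on a version below an advisory's fix."""
    found = []
    for c in components:
        for a in advisories:
            if a["name"] == c["name"] and parse_version(c["version"]) < parse_version(a["fixed_in"]):
                found.append(f"{c['name']}@{c['version']}: {a['id']} ({a['severity']}), "
                             f"fixed in {a['fixed_in']}")
    return found


def legal_findings(components, delivery_model):
    """Legal domain: licenses the policy does not permit for this delivery model."""
    denied = DENIED_LICENSES[delivery_model]
    return [f"{c['name']}: license {c['license']} not permitted for {delivery_model} delivery"
            for c in components if c["license"] in denied]


def operational_findings(components):
    """Operational domain: stale components and single-maintainer components."""
    out = []
    for c in components:
        if c["days_since_release"] > STALE_DAYS:
            out.append(f"{c['name']}: no release for {c['days_since_release']} days")
        if c["maintainers"] < MIN_MAINTAINERS:
            out.append(f"{c['name']}: only {c['maintainers']} maintainer(s)")
    return out


def analyse(components, advisories, delivery_model):
    """Consolidate findings per domain, mirroring the three-domain risk analysis."""
    return {
        "security": security_findings(components, advisories),
        "legal": legal_findings(components, delivery_model),
        "operational": operational_findings(components),
    }


def gate(report):
    """Pipeline decision: security or legal findings fail the stage, operational ones only warn."""
    return not (report["security"] or report["legal"])


if __name__ == "__main__":
    for model in ("saas", "distributed"):
        report = analyse(COMPONENTS, ADVISORIES, model)
        print(model, "PASS" if gate(report) else "FAIL")
        for domain, items in report.items():
            for item in items:
                print(f"  [{domain}] {item}")
```

Running this with the constructed data fails the gate under both delivery models because of the vulnerable `image-lib` version; switching the model to `distributed` adds a legal finding for the same component, which is the delivery-model effect the legal bullet refers to. The operational findings are reported but do not block, which is the kind of policy decision the gap analysis and roadmap are meant to settle.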

Understanding the risks and challenges surrounding open source and third party software components within your enterprise is key to developing a plan for implementing a governance framework and an operating model tailored to your specific risks and objectives. The Continuous Software Composition Analysis Workshop is a customized interactive training session designed to guide your team (five to ten attendees) through the issues of managing open source software components in enterprise application continuous delivery. The workshop is targeted at a cross-organisational audience including legal, license management, security, enterprise architecture, developer, test and operations personnel. The training materials are based on the Software Census framework for Continuous Software Composition Analysis and tailored to your application delivery process.

There are plenty of tools available to automate and integrate software composition analysis in an application development and delivery process. A project to evaluate the available options, select the tools best fitted for the job and implement them to support the process is typically delivered in 12-16 weeks.

On-going support makes sure that the software composition analysis solution and processes operate according to specification and agreed service levels. We also keep you on track, make sure we jointly roll out new capabilities according to the roadmap, and follow up on progress.

To find out more about Software Census and our Continuous Software Composition Analysis offerings please feel free to contact