Open Source Software (OSS) forms the majority of the codebase in any modern software application, but it’s rarely built for a specific industry (and therefore may not comply with an industry’s regulations), or with government legislation in mind, and therefore may not be in compliance with government regulations.
As a result, ensuring your software complies with internal IT guidelines, industry regulations and government legislation can be challenging without the proper tools in place. One key tool is governance, which is the policies and processes an organization puts in place to manage and control the use of OSS. Governance is typically implemented and enforced through policy, but you’ll also need the ability to report on adherence, as well as flag any violations that arise.
Today, governance is too often applied after the fact – after the software has been created – typically via internal audits that tend to be far too expensive and time consuming. Instead, governance should be part of the software development process, enforced at every step by policy, and documented by artifacts like attestations and Software Bills Of Material (SBOMs).
For example:
- The US Food and Drug Administration (FDA) requires medical device manufacturers to provide SBOMs to their customers.
- Software vendors whose customers include the US government must align with NIST’s Secure Software Development Framework (SSDF), which requires that SBOMs and attestations are part of every release.
- Internally, IT rules revolve around establishing a secure tech stack suitable for commercial use, which means enforcing licensing and security requirements.
A secure-by-design solution like ActiveState, with its automated tooling, documentation and policy capabilities can help enterprises prove license compliance, provenance and adherence to regulatory body requirements.
Compliance Artifacts For Open Source Software
ActiveState is unique in delivering the kinds of software and documentation artifacts required to prove compliance in a single platform, rather than forcing enterprises to integrate multiple point solutions, which can significantly raise total cost of ownership. Consider:
- Policy management is the key to ensuring all stakeholders adhere to internal and external guidelines during the software creation process, rather than the much more expensive process of conforming after release. Point solutions typically provide guidance within developer tools and/or the CI/CD process, but without the ability to flag policy violations, notify stakeholders, approve exceptions, and create an audit trail in a comprehensive manner, organizations have no way to know their current compliance stance, or prove it to customers and regulators.
- Ensuring license compliance with commercial requirements and regulatory guidelines means not only being able to identify all the licenses associated with third-party components, but also that you’re working with a complete catalog of dependencies in the first place. Point solutions typically scan prebuilt binaries and may end up missing some dependencies and/or transitive dependencies. Worse, they may not recognize all the open source licenses associated with a dependency since many packages contain buried and/or multiple licenses, all of which must be surfaced. These “phantom dependencies” and license issues all present challenges that can result in forcing an enterprise to publish their codebase or else face litigation and/or significant fines that can run into the millions of dollars.
- Provenance attestations are key to proving that your software is trustworthy by providing a way for users to independently validate the security and integrity of your application. But to be worthy of that trust, you’ll also need to prove that all the third-party components from which it’s built have been sourced and built securely, as well. Most organizations build their software with prebuilt open source dependencies imported from public repositories that currently provide no way to verify the security and integrity of their ecosystem’s components, undermining compliance efforts.
- Software Bills of Material (SBOMs) can help create a complete catalog of third-party dependencies. But point solutions generally rely on reverse engineering software using a binary scanner, which all too often result in phantom dependencies, exposing the organization to non-compliance risks. Besides, SBOMs are of far greater use than just cataloging dependencies. Using an integrated, end-to-end solution like ActiveState means you can auto-generate an SBOM every time your runtime environment changes, and then pull the result into your CI/CD pipeline in order to verify that malicious components haven’t been injected into the software build process prior to the signing stage, as happened most famously with Solarwinds.
The industry is moving from point solutions to platforms in order to lower complexity and total cost of ownership, but ActiveState remains unique in offering all these capabilities in the context of how you build your software – integrated directly within your software development process – rather than external to it.
How To Regulate Open Source Software Compliance
ActiveState’s automated universal CI builds open source software from vetted source code by first generating a complete dependency tree for each built artifact. This eliminates phantom dependencies, ensuring that all artifacts generated by the build process are complete, accurate and reliable.
As a result, ActiveState generates:
- Complete licensing and vulnerability information for each dependency, which are key to ensuring compliance with IT and security guidelines.
- A complete SBOM for each component, as well as each runtime environment, which is a key US FDA requirement for Healthcare.
- Provenance attestations for each open source component, which is a key requirement for SSDF and CISA attestations.
- A forensic audit trail of all changes, which is a key requirement for SOC2 compliance.
And all of it reinforced through policy management to ensure compliance is built in, rather than a costly afterthought.
Next Steps
Contact Us to see how you can simplify your compliance efforts with a single, turnkey solution that can help you meet security standards, industry regulations, and government legislation, eliminating the need for extensive internal infrastructure and manual compliance audits, while reducing bureaucratic hurdles.
