Feature Focus: Portfolio Advisor for Open Source, an automated and smart way to segment an application portfolio better prioritizing third-party component risks

We are very proud to present the Portfolio Advisor for Open Source which joins the growing family of Portfolio Advisors that have already been released for Cloud and Technical Debt. This capability automatically segments a portfolio of applications and identifies Open Source risk priorities for each application by combining unique Software Intelligence insights. Learn more about how the capability works in this article.

Why segmenting and prioritizing an application portfolio is key for strong Open Source governance

As Philip II of Macedon said: “divide et impera”, which can be translated into “divide and conquer”. While this maxim was used in the context of human relationships, politics, and wars at that time, it also applies to many business scenarios such as: breaking a huge effort into multiple small tasks to streamline the total workload, reducing the size of large groups of people to become more agile, etc.
When it comes to managing the risks of using of Open Source, it is even more true as the primary user of insights may differ for security vulnerabilities (infosec and development teams), legal/license risk (legal and compliance teams) or technology obsolescence (development and maintenance teams).

Prioritization is also extremely important, especially when considering that many development teams are currently inundated – if not submerged – by information on Open Source vulnerabilities, licensing issues or deprecated components. While remediations are often a good course of action for an application, managers and executives may want to take a step back and rationalize time-intensive tasks. Taking into account, for instance, whether an application is publicly accessible or critical to the business helps make more informed decisions on how best to utilize limited resources for remediation.

This is where CAST Highlight can help using the new Portfolio Advisor for Open Source to automatically segment and prioritize your application portfolio with recommendations of the critical actions to take for each type of audience.

9180

How CAST Highlight’s Portfolio Advisor for Open Source works

In CAST Highlight, we have developed a flexible and robust “Portfolio Advisor” foundational capability that is now progressively introduced in the product. Here is how it works.

The six Portfolio Advisor for Open Source segments recommend specific actions to take on applications and are defined as follows:

  • Immediate attention: These applications are important to the organization and have multiple 3rd party component risks which include two or more of the following: security vulnerabilities, risky licenses, obsolete components.
  • Fix Vulnerabilities: These applications are important to the organization and are using 3rd party components that have critical or high severity security vulnerabilities.
  • Evaluate Legal Risk: These applications are important to the organization and are using 3rd party components that have risky licenses.
  • Upgrade Components: These applications are important to the organization and are using 3rd party components that are out of date or obsolete creating operational risk.
  • Consider Alternate Components: These applications are less important to the organization and have multiple 3rd party component risks which include two or more of the following: security vulnerabilities, risky licenses, obsolete components.
  • Role Models: These applications are using 3rd party components that have low risk for the organization

Business Impact Open Source Safety OSS Security OSS License OSS Obsolescence
Immediate Attention High Low
Fix Vulnerabilities High Low
Evaluate License Risk High Low
Component Upgrade High Low
Consider Alternate Components Medium Medium/Low
Role Models High

For each application, CAST Highlight blends relevant Software Intelligence insights, weights, and benchmarks together to determine the recommended segment. Below are the list of indicators the Portfolio Advisor for Open Source uses to establish the segmentation recommendations:

  • Business Impact scores (from the Business Impact survey)
  • Open Source Safety scores and benchmarks
  • OSS Security scores (calculated from component vulnerability count by criticality)
  • OSS License scores (calculated from component licenses and their corresponding level of compliance with the organization’s license policy)
  • OSS Obsolescence scores (calculated from component version dates and gaps with the latest known versions)

9182
The segment calculation is quite simple. For a given application, CAST Highlight evaluates each segment criteria separately and gives points to these segments. These segment points cumulate and the one having highest points will be the retained segment. In the case of score ties on segments, the ultimate recommendation is based on this sequence: 1. Immediate Attention 2. Fix Vulnerabilities 3. Evaluate License Risk 4. Upgrade Components 5. Consider Alternate Components 6. Role Models.

How to use the Portfolio Advisor for Open Source capability

All you have to do is to click on the “Compute” button as soon as you want to visualize segments for your existing application portfolio, or  to refresh this segmentation with new application results.

Portfolio Visualization: The output is a unique dashboard where you can quickly view the relative size of each Open Source segment (e.g., how many apps are recommended for upgrading components vs. fixing vulnerabilities). The parliament chart on the left displays the portfolio distribution for each segment. Clicking on a specific segment will drill down, automatically filtering the bubble chart on the right to the applications recommended for the selected segment, enabling further prioritization.

Case-by-case app segmentation: Since the segmentation created by the Portfolio Advisor for Open Source are recommendations (other aspects not captured by CAST Highlight can be considered), a Portfolio Manager can manually change the segment of an application. These changes are maintained by clicking on the “Save” button. At any time, users can roll-back to the original CAST-calculated recommended segments.

Export: from the Portfolio Advisor view, click on the “Export” button to generate an Excel report listing all applications with their corresponding segment recommendations and key metrics used for the segmentation.

Next steps: Role-based Segment Guidance

Now, the next question is probably “what should we do next when we see some applications falling in a specific segment? And who should do this?” Below is some additional guidance on the different segments and what they mean for different personas in an organization.

Applications falling into the “Immediate Attention” segment:

  • Development and Security teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components have critical and/or high severity security vulnerabilities that can be avoided by updating the component. Obsolete components should also be identified and replaced with updated versions or alternative components to reduce operational risk.
  • Legal and/or compliance teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components have risky licenses that could have legal ramifications. These components may need to be updated or replaced by the development team to reduce licensing risks.

Applications falling into the “Fix Vulnerabilities” segment:

  • Development and Security teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components have critical and/or high severity security vulnerabilities that can be avoided by updating the component.

Applications falling into the “Evaluate Legal Risk” segment:

  • Legal and/or compliance teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components have risky licenses that could have legal ramifications. These components may need to be updated or replaced by the development team to reduce licensing risks.

Applications falling into the “Upgrade Components” segment:

  • Development teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components are out of date or obsolete. These components should be updated or replaced by alternatives to avoid operational risk.

Applications falling into the “Consider Alternate Components” segment:

  • Development and Security teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components have critical and/or high severity security vulnerabilities that can be avoided by updating the component. Obsolete components should also be identified and replaced with updated versions or alternative components to reduce operational risk.
  • Legal and/or compliance teams should investigate the components in use in these applications in depth using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export to identify which components have risky licenses that could have legal ramifications. These components may need to be updated or replaced by the development team to reduce licensing risks.

Applications falling into the “Role Model” segment:

  • Development teams should take note of the components in use by these applications using the CAST Highlight application level dashboards and Software Bill of Materials (SBOM) export as they are lower risk to the organization and should be considered for use in applications as alternatives to components with higher risk.

 

For more in-depth instructions on how to use these various areas of CAST Highlight, see this video tutorial below (starts at 1’17”):

Obviously, this guidance is a recommendation and you might want to adapt it to your organization’s specificities.