The New Way to Control Open Source Dependency Risk


Bitergia has created Bitergia Risk Radar for large enterprises that need to control the risk of open source library dependencies.

What’s the Problem?

Software supply chains are on shaky ground, often relying on under-maintained open source projects that pose risk.

A popular xkcd cartoon, “Dependency”, depicts this point. In it, a tower of haphazard blocks labeled “All modern digital infrastructure” teeters on top of one single block: “A project some random person in Nebraska has been thanklessly maintaining since 2003”.

It’s funny, and also a little scary.

[Image: xkcd cartoon “Dependency”]

In any given company, the software “tower” is built from an array of building blocks taken from open source software (OSS) libraries. The 2024 Open Source Security and Risk Analysis (OSSRA) Report found open source in 96% of the codebases it scanned.

Perhaps that tower is strong, or perhaps it contains weak blocks that could send it tumbling. Knowing which is the key to managing risk and bringing peace of mind.

Companies build much of their software on OSS libraries. These blocks are powerful resources for innovation and faster time to market, but it is important to know when they are not sustainable. According to an IEEE study, “systems using outdated dependencies are four times as likely to have security issues as opposed to systems that are up-to-date.” This stark number shows why it is urgent to understand how actively each OSS library is maintained.

We’ve also found that most organizations don’t even know which libraries they depend on, let alone how risky those libraries are. We help identify the dependencies and then run the model against them.

The result is knowledge, predictability, and peace of mind.

Why Our Solution is Unique

Working together with our large enterprise customers, we’ve developed (and are continuously fine-tuning) a risk assessment model for dependency use that scales.

Our solution is unique in that it identifies problematic software development practices before the problems show up in the software itself. Other models analyze the software code (software composition analysis is important!) or check for good development practices; we look at the problem from the perspective of the developer community, asking questions like:

  • How well are the libraries being maintained?
  • How many developers are maintaining the libraries?
  • Where are vulnerabilities most likely to happen?

We have two practical aims in creating Bitergia Risk Radar: manage and reduce risk from using OSS libraries, and provide user-friendly results.

At the very core of Bitergia Risk Radar is the idea that the health of an open source project is indicative of the quality of the software it produces. An unhealthy open source project is unlikely to fix vulnerabilities in a timely manner. A healthy project establishes best practices that keep vulnerabilities from being introduced in the first place, for example by practicing rigorous code review.

We want to offer a solution that gives organizations predictability and control in their dependency use.

How We Help You: Step-by-Step

We understand the complexities involved in understanding dependency use. That’s why we aim to make the process as easy as possible for you.

Here’s a rundown of the Bitergia Risk Radar process:

  • First, we work together to identify all of the OSS libraries used by your enterprise’s software components. If you do not yet generate a Software Bill of Materials (SBOM), you will need one anyway to comply with the European Cyber Resilience Act (CRA), and we can help establish the detection of OSS libraries in use.
  • Armed with this list of the OSS libraries you use, we analyze the developer communities behind them. Specifically, we feed the risk model with data from sources such as git, GitHub, and GitLab, enriching raw activity data into actionable knowledge.
  • The Bitergia Risk Radar platform provides you with expert analysis, visualizations, and a simple risk level score.
  • We recognize that each enterprise has unique needs. Our consultancy team works with you to customize the scoring weights, select the most impactful visualization choices, and establish a repeatable reporting format. We meet stakeholders where they are and support their decision process with quality data.

The 7 Risk Metrics to Watch

We’ve found that we can predict the risk level of an OSS library with 7 risk metrics. Each metric analyzes the social developer activity that maintains the OSS library from a different perspective. Here are the metrics, their perspectives, and the essential questions they answer:

  1. Median Lead Time for Issues: How efficient and effective are the maintainers in addressing the project’s issues?
  2. Median Lead Time for Pull Requests: How efficient and effective are the maintainers in addressing the project’s pull requests?
  3. Backlog Management Index (BMI): Are the maintainers able to keep the pace of solving issues?
  4. Review Efficiency Index (REI): Are the maintainers able to keep the pace of solving code reviews?
  5. The Pony Factor: How sustainable is the project? Does the project depend on only a few people?
  6. Retention Rate: What is the inflow of active contributors that can sustain the project? How many of the existing contributors are leaving the project? Is this ratio well-balanced?
  7. Growth of Active Contributors: How is the number of people currently active in the project evolving?

To dive deeper into understanding these metrics, check out this post on how to evaluate each metric for predicting risk.

In short, each risk metric has defined thresholds that determine its risk level. The individual risk levels are combined into a Total Risk Score, which is easy to read, interpret, and communicate. The Total Risk Score gives users a good overview fast. They can then drill down into the 7 risk metrics to see how each social aspect of the developer community contributes to the Total Risk Score.
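As an added illustration (this is not Bitergia’s code, and it is not how Bitergia Risk Radar computes or weights its metrics), the Python below computes all seven metrics from constructed activity data for two hypothetical libraries, bands each metric against assumed thresholds, and sums the bands into a Total Risk Score. The metric definitions (median lead time over tickets closed in the window; BMI and REI as tickets closed divided by tickets opened; Pony Factor as the smallest set of authors responsible for half the commits; retention and growth measured against the previous window), the six-month window, the thresholds, and the equal weights are all assumptions chosen for the example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

WINDOW = (date(2024, 1, 1), date(2024, 6, 30))  # assumed six-month analysis window


@dataclass(frozen=True)
class Ticket:
    """An issue or a pull request; closed stays None while it is still open."""
    opened: date
    closed: date | None = None


def _in_window(d: date | None) -> bool:
    return d is not None and WINDOW[0] <= d <= WINDOW[1]


def median_lead_time(tickets: list[Ticket]) -> float | None:
    """Metrics 1 and 2: median days from open to close, over tickets closed in the window."""
    days = [(t.closed - t.opened).days for t in tickets if _in_window(t.closed)]
    return median(days) if days else None


def closure_ratio(tickets: list[Ticket]) -> float | None:
    """Metrics 3 (BMI, issues) and 4 (REI, pull requests): closed / opened in the window."""
    opened = sum(1 for t in tickets if _in_window(t.opened))
    closed = sum(1 for t in tickets if _in_window(t.closed))
    return closed / opened if opened else None  # below 1.0 the backlog is growing


def pony_factor(commits_by_author: dict[str, int]) -> int:
    """Metric 5: smallest number of authors whose commits make up half of all commits."""
    total, running = sum(commits_by_author.values()), 0
    for n, (_, count) in enumerate(Counter(commits_by_author).most_common(), start=1):
        running += count
        if running * 2 >= total:
            return n
    return 0  # no commits at all


def retention_rate(prev: frozenset[str], curr: frozenset[str]) -> float | None:
    """Metric 6: share of last window's active contributors still active in this one."""
    return len(prev & curr) / len(prev) if prev else None


def contributor_growth(prev: frozenset[str], curr: frozenset[str]) -> float | None:
    """Metric 7: relative change in the number of active contributors."""
    return (len(curr) - len(prev)) / len(prev) if prev else None


THRESHOLDS = {  # assumed (good, bad, higher_is_worse) per metric; not Bitergia's calibration
    "lead_time_issues": (30, 90, True), "lead_time_prs": (14, 60, True), "pony_factor": (3, 2, False),
    "bmi": (1.0, 0.7, False), "rei": (1.0, 0.7, False), "retention_rate": (0.7, 0.4, False),
    "growth": (0.0, -0.25, False),
}


def _band(value, good, bad, higher_is_worse: bool) -> int:
    """Risk level 0 low / 1 medium / 2 high; a metric with no data (None) scores high."""
    if value is None:
        return 2
    if higher_is_worse:
        return 0 if value <= good else 1 if value <= bad else 2
    return 0 if value >= good else 1 if value >= bad else 2


def assess(issues, pulls, commits_by_author, active_prev, active_curr) -> dict:
    """Compute the seven metrics, band each, and sum the levels (equal weights assumed)."""
    m = {
        "lead_time_issues": median_lead_time(issues),
        "lead_time_prs": median_lead_time(pulls),
        "bmi": closure_ratio(issues),
        "rei": closure_ratio(pulls),
        "pony_factor": pony_factor(commits_by_author),
        "retention_rate": retention_rate(active_prev, active_curr),
        "growth": contributor_growth(active_prev, active_curr),
    }
    levels = {k: _band(v, *THRESHOLDS[k]) for k, v in m.items()}
    total = sum(levels.values())  # 0..14; drill into `levels` to see which metric drives it
    label = "low" if total <= 3 else "medium" if total <= 7 else "high"
    return {"metrics": m, "levels": levels, "total_risk_score": total, "risk_level": label}


def ticket(y: int, m: int, d: int, lead_days: int | None = None) -> Ticket:
    opened = date(y, m, d)  # constructed ticket; lead_days None means still open
    return Ticket(opened, None if lead_days is None else opened + timedelta(days=lead_days))


# Constructed activity data (a real run would pull it from git/GitHub/GitLab):
# a well-staffed library versus a one-maintainer "Nebraska" library.
HEALTHY = dict(
    issues=[ticket(2023, 12, 10, 26), ticket(2023, 12, 20, 19), ticket(2024, 2, 1, 7),
            ticket(2024, 3, 1, 9), ticket(2024, 4, 1, 12), ticket(2024, 5, 1, 14), ticket(2024, 6, 20)],
    pulls=[ticket(2024, 1, 10, 2), ticket(2024, 2, 10, 3), ticket(2024, 3, 10, 5), ticket(2024, 4, 10, 6)],
    commits_by_author={"alice": 30, "bob": 19, "carol": 18, "dave": 17, "erin": 16},
    active_prev=frozenset({"alice", "bob", "carol", "dave"}),
    active_curr=frozenset({"alice", "bob", "carol", "dave", "erin"}),
)
NEBRASKA = dict(
    issues=[ticket(2024, 1, 5, 40), ticket(2024, 2, 5, 45), ticket(2024, 3, 5, 50),
            ticket(2024, 4, 5, 60), ticket(2024, 5, 5)],
    pulls=[ticket(2024, 1, 10, 20), ticket(2024, 2, 10, 30), ticket(2024, 3, 10, 40), ticket(2024, 4, 10)],
    commits_by_author={"nebraska": 20},
    active_prev=frozenset({"nebraska", "drive_by"}),
    active_curr=frozenset({"nebraska"}),
)
```

Calling `assess(**HEALTHY)` yields a Total Risk Score of 0 (low) and `assess(**NEBRASKA)` a score of 9 (high). The drill-down the post describes is the `levels` dictionary: the one-maintainer library’s lead times and backlog ratios are only medium, but its Pony Factor of 1 and the loss of half its contributors each score the maximum, which is exactly what the Total Risk Score alone would hide.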

Here’s an example:

Conclusion

The new Bitergia Risk Radar fills a gap in the current risk assessment landscape. It goes beyond traditional SBOM and SCA approaches, which evaluate the software itself, by treating the activity of the developer community as an early indicator of risk. We approach the problem with the premise that the risk of an OSS library is higher when it comes from an unhealthy open source project.

We aim to bring predictability and peace of mind so that the software “tower” you’ve built using OSS libraries won’t go toppling. Visit the Bitergia website to learn more about managing OSS risk!

This blog post was written by Julia Lawson with help from Miguel Ángel Fernández and Georg Link.


Julia Lawson

Technical Writer at Bitergia
