Organizations now Continuously Source (CS) more than 70% of their components from outside their CI/CD pipeline. Your developers cannot apply 90% of the fixes these sourced components need, even when a fix is available. Current SCA tools with developer integration lack the visibility, the intelligence, and the remediation capabilities needed to resolve issues that can ONLY be addressed left of shift-left: in your software supply chain. Lineaje AI with BOMbots is the industry’s first remediation solution for open-source dependencies.
Software innovation is humming, bringing opacity
Pre-built open-source software is helping developers unleash an amazing amount of innovation. Developers assemble pre-built components alongside components they build themselves to deliver capabilities and features. Today, the CI/CD (Continuous Integration/Continuous Deployment) process integrates and deploys more code from outside the organization than code built by your own developers. In some cases, 99% of components now come from outside your organization.
Open-source developers also use pre-built components in the projects you source from them. Our research “What’s in your Open Source Software” showed that 68% of all components in the software you source are not built by the developers of the project you sourced but are pre-built components from other open-source projects. Supply chain depths now frequently exceed 20 levels of pre-built components. Much of the code your developers consume is compiled code, and much of what your dependencies consumed from other open-source projects is compiled code too. Developers get not just innovation but a great deal of opacity.
Software maintenance pipes are clogged.
The implications of this opaque software supply chain are significant, and they affect both security and development organizations negatively. Supply chain tools like SBOM360 can now detect the comprehensive supply chain tree our software consumes. With only a small percentage of your software built in-house, software maintenance has become complex, and developers are overwhelmed by requests to fix issues in opaque software they did not create.
- What you did not build cannot be maintained by your developers: In fact, if you analyze your software, your developers can only fix about 10% of the vulnerabilities in your products without modifying those components. They cannot fix the other 90%. Add other issues like code quality, security posture, and unmaintained components, and you realize that the more pre-built components you have, the worse your software ages.
- Fixing vulnerabilities is making it harder to fix vulnerabilities: This is counterintuitive, so let me explain. In recent years, security tools have driven the prioritization of vulnerabilities and then built amazing integrations to get developers to fix them. Under pressure from security teams, developers fix vulnerabilities both in their own code and in open-source pre-built components. Each such fix creates a branch of that code line specific to your organization. From that moment on, your developers own updating it every time the upstream project evolves. In short, security tools have made software maintenance worse, clogging developer queues and effectively inner-sourcing open-source components. These pre-built projects are now inner-sourced, without funding, slowing follow-up innovation and increasing maintenance load.
- Upgrading on demand is an inefficient idea: Fixing security issues frequently requires upgrading a component, and developers can easily upgrade a single component that already exists. However, pre-built components are assembled and tested to work together. Security tools do not worry about compatibility, but it is critical for components to cooperate. The problem is compounded because a pre-built open-source component is used an average of 2.7 times in the same application, in different contexts, working with different parents, peers, and children. When a developer upgrades a single component, the “blast radius” of that change is significant. This is one reason why we deliver hotfixes, minor updates, and major releases: the blast radius of each is dramatically different. Security tools have failed to comprehend the different blast radii of independent patches, minor updates, and upgrades, even as they merrily push software developers into upgrades.
- Shiny pre-built dependencies also need to be well maintained: Slightly more than half of the critical vulnerabilities in pre-built components are not fixable. Why? Developers in a project are less enthusiastic about maintaining it than about adding new, exciting features. Many open-source developers no longer maintain the pre-built projects you may depend on. Better dependency selection is key to keeping your software maintenance load manageable.
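To make the depth, reuse and blast-radius arguments above concrete, here is an added Python example (not Lineaje’s or SBOM360’s code) that runs those measurements over a small constructed CycloneDX-style dependency graph; the component names, versions and the "app" root are invented for illustration.

```python
"""Measure depth, reuse and upgrade blast radius in a dependency graph.
GRAPH is a constructed CycloneDX-style "dependsOn" map, not a real SBOM:
"app" is the in-house code; every other ref is a pre-built open-source component."""
from collections import defaultdict, deque

GRAPH = {
    "app": ["web-fw@2.1", "json@1.4", "crypto@3.0"],
    "web-fw@2.1": ["http@1.2", "json@1.4"],
    "http@1.2": ["zlib@1.2.11"],
    "crypto@3.0": ["zlib@1.2.11", "asn1@0.9"],
    "json@1.4": [], "zlib@1.2.11": [], "asn1@0.9": [],
}

def max_depth(graph, root, seen=frozenset()):
    """Longest chain of pre-built components below root (root itself is depth 0)."""
    if root in seen:                        # treat a back-edge in a malformed SBOM as a leaf
        return 0
    return max((1 + max_depth(graph, c, seen | {root}) for c in graph.get(root, [])), default=0)

def usage_contexts(graph, root):
    """Count distinct root-to-component paths: how many contexts reuse each component."""
    counts = defaultdict(int)
    stack = [(root, (root,))]
    while stack:
        node, path = stack.pop()
        counts[node] += 1
        for child in graph.get(node, []):
            if child not in path:           # skip cycles
                stack.append((child, path + (child,)))
    return dict(counts)

def blast_radius(graph, component):
    """Every direct and transitive consumer that must be re-tested if `component` is upgraded."""
    parents = defaultdict(set)
    for node, deps in graph.items():
        for dep in deps:
            parents[dep].add(node)
    affected, queue = set(), deque([component])
    while queue:
        for p in parents[queue.popleft()]:
            if p not in affected:
                affected.add(p)
                queue.append(p)
    return affected

def fix_owner(graph, root, component):
    """'in-house' when root declares the component itself; otherwise 'upstream', because the
    fix must first land in the pre-built project (or a fork of it) that pulls it in."""
    return "in-house" if component in graph.get(root, []) else "upstream"
```

Upgrading the single `zlib@1.2.11` ref in this graph touches both of its parents and everything above them, which is the blast radius the text describes.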
Lineaje AI with BOMbots: Unclogs software maintenance and reduces costs up to 40%
BOMbots are AI-powered automation bots that deeply analyze your SBOM. They work together seamlessly through a simple, interactive generative AI paradigm. Each BOMbot is trained to solve a single complex problem exceedingly well. Because BOMbots can process and understand very large amounts of data, their recommendations are superior and tuned to each user’s unique situation. The automation around BOMbots enables execution that reduces software maintenance overhead by up to 40 percent, letting organizations decrease maintenance investment and cost while fixing more vulnerabilities and issues.
All BOMbots also interact with and influence each other’s decisions, so Lineaje AI presents a single coherent experience in which conflicts between recommendations are resolved automatically according to the user’s needs.
BOMbots can assess your SBOM and software supply chain, so they can determine the right place to drive a fix: when to rely on pre-built dependencies to fix issues, when to let your developers fix them, and when to inner-source or eliminate a dependency. They offer the most comprehensive integration, balancing security goals with developer efficiency across your software supply chain.
Regardless of company size, BOMbots alleviate compounded pain points associated with software maintenance. Key BOMbots available in this release include:
- Compatibility BOMbot: Fixing vulnerabilities, resolving security issues, and taking advantage of new features frequently means that software components must be upgraded to newer versions, which may or may not be compatible with the other components. The Compatibility BOMbot evaluates thousands of components in an SBOM and creates a compatibility matrix aligned with an organization’s goals, tuning the recommendations from “least effort” to “most secure.” This enables organizations to eliminate as much as 25% of effort through the “compatibility dividend.”
- Maintainability BOMbot: Software components, including open-source dependencies, frequently age badly. The Maintainability BOMbot identifies dependencies that are risky and no longer maintained. It remediates by driving developers either to fix the issue in the dependency themselves or to choose a better alternative.
- Vulnerability BOMbot: 95% of vulnerabilities now come from the software supply chain. Unfortunately, many vulnerability prioritization approaches today focus on security urgency rather than on whether developers can actually execute the fix. The Vulnerability BOMbot considers both executability and security parameters in its prioritization, separating vulnerabilities into those fixable by the organization’s developers and those that must be fixed by the organizations maintaining the dependencies. It then works with the Compatibility and Maintainability BOMbots to arrive at the optimal recommendation. The Vulnerability BOMbot distinguishes between independent patching and upgrades, as well as the implications of major and minor versions. It then automates execution through the software supply chain to save up to 20% in effort.
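As an added illustration of the prioritization described above (example code, not the Vulnerability BOMbot’s own logic), this Python snippet splits constructed findings into an in-house queue and an upstream queue and classifies each fix by the size of the semver jump; the findings, their placeholder ids, and the effort weights are assumptions made for the example.

```python
"""Rank vulnerability fixes by security urgency AND by how executable the fix is.
FINDINGS is constructed sample data with placeholder ids, not real advisories:
"direct" says whether the in-house application declares the component itself."""

FINDINGS = [
    {"id": "VULN-A", "component": "zlib",   "installed": "1.2.11", "fixed": "1.2.13", "cvss": 7.5, "direct": False},
    {"id": "VULN-B", "component": "json",   "installed": "1.4.0",  "fixed": "1.5.0",  "cvss": 9.8, "direct": True},
    {"id": "VULN-C", "component": "web-fw", "installed": "2.1.0",  "fixed": "3.0.0",  "cvss": 9.1, "direct": True},
    {"id": "VULN-D", "component": "asn1",   "installed": "0.9.0",  "fixed": "0.9.2",  "cvss": 5.3, "direct": False},
]

def parse(version):
    """'1.2.11' -> (1, 2, 11) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in version.split("."))

def upgrade_kind(installed, fixed):
    """Classify the jump to the fixed version: 'patch', 'minor', 'major', or 'none'."""
    old, new = parse(installed), parse(fixed)
    if new <= old:
        return "none"                       # already at or past the fixed version
    if new[0] != old[0]:
        return "major"
    if new[1] != old[1]:
        return "minor"
    return "patch"

# Assumed relative test/compatibility effort for each kind of change (illustrative weights).
EFFORT = {"patch": 1, "minor": 3, "major": 8}

def prioritize(findings):
    """Split findings by who can act, then order each queue by severity per unit of effort."""
    queues = {"in-house": [], "upstream": []}
    for f in findings:
        kind = upgrade_kind(f["installed"], f["fixed"])
        if kind == "none":
            continue
        # A direct dependency can be bumped by the organization's own developers;
        # a transitive one only gets the fix when the project that pulls it in adopts it.
        owner = "in-house" if f["direct"] else "upstream"
        score = round(f["cvss"] / EFFORT[kind], 2)
        queues[owner].append({**f, "kind": kind, "score": score})
    for q in queues.values():
        q.sort(key=lambda r: r["score"], reverse=True)
    return queues
```

With these weights the major-version jump (VULN-C) drops below the minor bump (VULN-B) despite a similar CVSS score, which is the patch-versus-upgrade distinction the text draws.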
These are game-changing innovations for software producers and key feature additions to SBOM360. Please connect with us to see them in action, or ping me directly on LinkedIn. We would love to show you what Lineaje AI with BOMbots can do for you!
Follow us on LinkedIn. We are just getting started and there is much to do. Be the first to know!