Introducing the Software Composition Analysis Maturity Model

Organizations have benefited greatly from the use of and investment in Open Source Software. Improved build times and better quality code have led to more than 50% of applications being made up of open source software. The management of these Open Source assets, however, is still nascent. This is due to a narrow focus on producing a quick bill of materials, rather than a broader consideration of how Open Source management teams work and how they fit within the larger organization.

To help legal, security and development teams and leaders identify their existing gaps and direct future investment, Flexera has developed a maturity model framework based on an analysis of our customers and the market. The maturity model provides

  • a place to start
  • a benchmark to define where you are compared to your peers
  • a view of process maturity and the business value it delivers
  • a way to define what improvement means for your organization

The model consists of four levels of maturity and is split along four dimensions that apply to all software organizations. By design, the model is not specific to any given industry.

Security and license compliance maturity in an organization is measured across these dimensions.

  • Vulnerability management – to prevent security defects due to third-party component usage.
  • License management – to manage open source license dependencies and reduce the impact of legal risk.
  • Obligation management – to manage obligations related to the use of open source software, based on associated licenses and company policies.
  • Component management – to achieve insight into how and which components are used, and to include this insight in usage and product roadmap decisions.

Open Source is here to stay, and it is creating value for a lot of companies. But the real test of Software Composition Analysis (SCA) will come in one key area: can companies make the most of their tooling, training, monitoring services, and incident management methods to achieve security and compliance? Flexera’s maturity model is designed to help you identify gaps and manage the risk related to your use of Open Source software.

In the coming weeks, we will describe the SCA maturity model in detail, and walk through assessing your security and compliance risk at all levels of maturity. Stay tuned!
