Case Study
The agency, which provides services to most branches of the United States federal government, manages over 50 custom applications supported by 50+ outsourced developers.
Almost
zero time
to now manage OSS risks versus dozens of hours a month previously
50+
applications
onboarded into CAST Highlight in a few weeks
1000s of
components
managed automatically within the open source ‘control tower’
“CAST Highlight’s automated SCA has reduced the time our team spends auditing OSS risks to almost zero.”
Agency Application Operations
Branch Chief
CAST Highlight enabled the agency to automate the open source risk audit process from dozens of hours a month to almost zero time.
Challenge
The agency owns a portfolio of over 50 applications to deliver services to other government branches. A team of 50+ outsourced developers manages the applications and they utilize 1,000s of open source software (OSS) components that could include IP licensing risks, security vulnerabilities, and obsolete frameworks.
Several years ago, the agency discovered security vulnerabilities in their software stemming from OSS components used by the developers. They began manually auditing all applications for OSS risks using spreadsheets and cross-referencing them with public vulnerability records. This process was more challenging since application maintenance was outsourced to multiple development contractors and it was taking dozens of hours a month to manage.
Solution
The agency Application Operations Branch Chief decided to implement CAST Highlight to establish an open source ‘control tower’. It was operational across all 50+ applications in a few weeks and automated the Software Composition Analysis (SCA) process.
CAST Highlight provided the program management team centralized insight across all their applications even though they were being maintained by outsourced developers. Now all stakeholders including the branch chief, security officers, program managers, project managers, DevOps engineers, and developers had one common centralized view of OSS risks. The analysis was automated as part of an integrated CI/CD code delivery process that ran checks each time new software was delivered.
Results
The agency eliminated their manual audit process and reduced the time to manage OSS risks to almost zero. The automated process now only needed a part-time resource to operate versus other approaches which would have required 1-2 FTE’s.
In addition to these direct benefits, the Branch Chief believes CAST Highlight helped them respond to the log4j vulnerability much more rapidly than if they were using their previous manual process. Now that they have an automated Software Bill of Materials (SBOM) available at their fingertips, they can easily comply with the presidential executive order requiring SBOMs for all software delivered to US federal government agencies.
