Software development has fundamentally changed over the years. Agile approaches, rapid release cycles, and DevOps culture have transformed how software is created and released. Amid this changing environment, one truth has gradually emerged: open-source code increasingly forms the basis of modern applications. Survey-based estimates indicate that 60 to 90% of the average application's code base consists of open-source components. This is not merely a matter of convenience; it is a necessity for innovation, speed, and economic viability. With such widespread adoption, however, comes an under-recognised truth: open source introduces risk.
The question is not whether you are using open-source code, but whether you are doing so in a practical and managed way. That is where Debricked, a company within OpenText, comes into the picture. Debricked is becoming an essential part of the modern secure software development lifecycle. Below, I explore why that is the case.
The open source problem no one is talking about
Despite the many benefits of open-source software, it raises unique problems that most organisations would rather ignore:
● Lack of transparency: Most projects have no complete, current list of all their open-source components, including the transitive dependencies pulled in by the packages they chose directly.
● Security vulnerabilities: Open-source packages may contain known Common Vulnerabilities and Exposures (CVEs). Once a vulnerability is publicly disclosed but not yet patched or mitigated in your build, attackers have a window of exposure in which to exploit it.
● Licence compliance: Failure to comply with open-source licences (e.g., the GNU General Public License (GPL), the Massachusetts Institute of Technology (MIT) licence, or the Apache licence) can lead to costly legal problems.
● Abandonware risk: Many packages are unmaintained or inactive, which makes them a liability when bugs surface or exploits appear, because no one is there to ship a fix.
These are not abstract concerns; they have real-world implications. Examples include the infamous Log4j vulnerability (Log4Shell) in a ubiquitous open-source logging library, and software supply chain attacks such as the SolarWinds breach. The consequences of uncontrolled open-source use are a matter of record.
Demystifying open source
Debricked is designed to help development, security, and legal teams make better, faster, and safer open-source choices. It achieves this through a collection of features that address the threats and inefficiencies associated with unmanaged open-source usage.
1. Automatic software bill of materials (SBOM) generation.
An SBOM is an exhaustive list of all open-source components within an application, including transitive dependencies and the version of each. Debricked generates this automatically, so that teams understand what they are using, where it is used, and how it got there. It supports multiple package managers and languages, connects directly with CI/CD pipelines and repositories, and provides real-time insight into your software supply chain.
2. Machine-learning powered CVE scoring.
Not all vulnerabilities are the same. Some are theoretical in your context; others are being actively exploited right now. Debricked uses machine learning models to score and rank CVEs by exploitability and real-world risk, allowing security teams to focus on the threats that actually require attention rather than working down a raw CVSS list. This reduces noise and false positives, helps prioritise patching across large codebases, and refreshes automatically as new threats are found.
3. Licence compliance and legal risk mitigation.
Debricked scans all open-source modules and alerts on licence types that are not compatible with your business model or distribution model. This is necessary to prevent legal exposure and to safeguard intellectual property rights.
It flags incompatible or risky licences, in particular copyleft licences. Strong copyleft licences such as the GPL require that derivative works or modifications of the original code be distributed under the same licence, so the code and any enhancements to it remain open and freely available. Weaker copyleft licences such as the LGPL still require changes to the library itself to be released, but generally permit linking it into proprietary code, so the two carry different obligations and should not be treated identically. It also delivers clear, actionable licence compliance findings and assists legal and compliance teams with audit-ready reporting.
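To make the SBOM and licence sections above concrete, here is a small added example (written for this article, not Debricked's or OpenText's code) that does the two basic jobs by hand over an npm lockfile: it walks the "packages" section of a package-lock.json to build a component inventory that records direct versus transitive dependencies, then classifies each component's licence as strong copyleft, weak copyleft or undeclared, and checks versions against an advisory list. The lockfile, the licence sets and the advisories are constructed sample data; the advisory identifiers are placeholders, not real CVEs.

```python
"""
Minimal SBOM inventory plus licence and advisory triage over an npm lockfile.

Added illustrative example for this article; not Debricked's implementation.
All inputs below are constructed sample data.
"""
import json

# Constructed sample: the "packages" section of a package-lock.json (lockfileVersion 2+).
# Keys are install paths; "" is the root project. A nested path such as
# node_modules/a/node_modules/b is a transitive dependency of a.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
              "dependencies": {"left-pad-ish": "^1.3.0", "copyleft-lib": "^2.0.0"}},
        "node_modules/left-pad-ish": {"version": "1.3.0", "license": "MIT"},
        "node_modules/copyleft-lib": {"version": "2.1.0", "license": "GPL-3.0-only"},
        "node_modules/copyleft-lib/node_modules/deep-dep": {"version": "0.9.2",
                                                             "license": "LGPL-2.1-only"},
        "node_modules/nolicense-dep": {"version": "4.0.1"},  # no licence field at all
    },
})

# Constructed advisory list (placeholder ids, not real CVEs): versions below fixed_in are affected.
SAMPLE_ADVISORIES = [
    {"package": "left-pad-ish", "fixed_in": "1.4.0", "id": "EXAMPLE-0001"},
    {"package": "deep-dep", "fixed_in": "0.9.0", "id": "EXAMPLE-0002"},
]

# SPDX identifiers grouped by obligation. A real policy would be far longer.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
                   "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
                 "MPL-2.0"}


def build_sbom(lockfile_text):
    """Return components (name, version, licence, depth) from an npm lockfile.
    depth 1 is a direct dependency; depth > 1 is transitive."""
    packages = json.loads(lockfile_text)["packages"]
    components = []
    for path, meta in packages.items():
        if path == "":
            continue  # the root project itself is not a third-party component
        parts = path.split("node_modules/")
        components.append({
            "name": parts[-1],            # last segment is the package name (scoped names kept whole)
            "version": meta["version"],
            "licence": meta.get("license", "UNKNOWN"),  # a missing licence is itself a finding
            "depth": len(parts) - 1,      # "node_modules/a" -> 1, ".../a/node_modules/b" -> 2
        })
    return sorted(components, key=lambda c: (c["depth"], c["name"]))


def licence_findings(components):
    """Classify each component's licence by the obligation it imposes."""
    findings = []
    for comp in components:
        lic = comp["licence"]
        if lic in STRONG_COPYLEFT:
            findings.append((comp["name"], lic,
                             "strong copyleft: derivative works must ship under the same licence"))
        elif lic in WEAK_COPYLEFT:
            findings.append((comp["name"], lic,
                             "weak copyleft: library changes must be released; linking usually permitted"))
        elif lic == "UNKNOWN":
            findings.append((comp["name"], lic, "no licence declared: compliance cannot be assessed"))
    return findings


def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple; pre-release tags are dropped."""
    return tuple(int(part) for part in version.split("-")[0].split("."))


def vulnerable_components(components, advisories):
    """Match inventory entries against advisories: affected if version < fixed_in."""
    hits = []
    for comp in components:
        for adv in advisories:
            if adv["package"] == comp["name"] and \
                    parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    sbom = build_sbom(SAMPLE_LOCKFILE)
    for comp in sbom:
        print(f"{'  ' * (comp['depth'] - 1)}{comp['name']}@{comp['version']} [{comp['licence']}]")
    print("licence findings:", licence_findings(sbom))
    print("vulnerable:", vulnerable_components(sbom, SAMPLE_ADVISORIES))
```

Two points the run makes that the prose only states: the LGPL-licensed deep-dep never appears in the root project's own dependency list, so a review that stops at package.json would miss it, and the package without any licence field is reported as a finding rather than silently passing, because an undeclared licence cannot be assumed permissive.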
4. Open-Source Health Metrics.
Would you build your business on software that is no longer maintained? Debricked provides an overview of the health and activity level of every package you use, including community engagement, frequency of updates, release history, issue tracker activity, and red flags for packages on the verge of abandonment.
This lets developers make better decisions when selecting dependencies and reduces long-term technical debt.
One complete security solution
While Debricked excels at managing open-source components, applications are built on custom code as well. That is where Fortify, another OpenText offering, comes in, providing static, dynamic, and mobile application security testing (SAST, DAST, and MAST). With this two-pronged approach, your entire code base, both proprietary and third-party, is tested, tracked, and governed with minimal impact on developer productivity.
Why it matters more than ever today
As threats evolve and regulators ramp up compliance requirements, South African organisations, particularly those in the financial, healthcare, and public sectors, can no longer take open-source security and licence management at face value.
● POPIA (the Protection of Personal Information Act) and GDPR require end-to-end accountability for how data is processed and secured.
● Banks are under greater scrutiny in terms of software supply chains and risk exposure.
● Product developers and teams need tooling that does not constrain them, but enables secure, compliant innovation.
In an era where software underpins every facet of business, the strategic approach is to integrate security and governance into the development process, rather than treating them as an afterthought.
For more information contact iOCO.
© Technews Publishing (Pty) Ltd. | All Rights Reserved.