Since our previous discussion on the EU Cyber Resilience Act (CRA) and Software Bills of Materials (SBOMs), significant updates have clarified and expanded the framework for compliance. The European Parliament approved the CRA on March 12th, underlining its importance for enhancing product security across the EU. This follow-up explains these developments, focusing on the new guidelines and the evolving expectations for SBOM compliance.
New clarity on SBOMs from Germany: TR-03183
To provide more detailed guidance, Germany’s Federal Office of Information Security (BSI) released the Technical Guideline TR-03183: Cyber Resilience Requirements for Manufacturers and Products (Part 2: Software Bill of Materials (SBOM)), version 2.0. This 20-page document sets the groundwork for SBOM requirements under the CRA. Key highlights include:
Mandatory SBOM Compilation: An SBOM is essential for meeting CRA compliance.
Minimum Information Requirements: The SBOM must include the component name, version, dependencies, license (preferably using SPDX or ScanCode identifiers), and a SHA-256 hash.
Version-Specific SBOMs: A separate SBOM must be generated for each software version, with updates made only for error corrections or new information.
Preferred Formats: SBOMs must adhere to CycloneDX (v1.4 or higher) or SPDX (v2.3 or higher).
Process Integration: The SBOM must be generated as part of the build process or an equivalent mechanism.
Other recommendations, such as using CSAF with a VEX profile for distributing vulnerability information, aim to enhance transparency without directly embedding vulnerabilities in the SBOM.
Challenges in SBOM Implementation
While TR-03183 provides critical guidance, several unresolved issues highlight the complexities of SBOM creation and usage:
Identification Gaps: The absence of mandatory CPE or PURL requirements makes vulnerability reporting from SBOMs prone to errors.
Undefined “Scope of Delivery”: The guidelines use this term to define the depth of transitive component enumeration but lack clarity on acceptable thresholds.
SHA-256 Ambiguity: The methodology for computing a SHA-256 hash of source code remains unspecified.
Relationship Details: While all transitive components must be recursively included, relationships among them are not explicitly required. This omission can hinder the effectiveness of SBOMs in vulnerability management.
Preparing for CRA Compliance
The CRA’s adoption signals a critical need for manufacturers and software developers to refine their compliance strategies. With enforcement set for early 2027, organisations should prioritise:
Automating SBOM Generation: Tools like Meterian can streamline SBOM creation, ensuring accurate dependency mapping and compliance with CRA’s format requirements.
Enhancing Vulnerability Management: Despite the lack of mandatory CPE or PURL, integrating these identifiers into internal processes can improve accuracy.
Staying Updated: Monitoring updates to technical guidelines like TR-03183 will be vital as CRA implementation progresses.
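To make the TR-03183 minimum set and the gaps discussed above concrete, here is a small checker for a CycloneDX JSON SBOM. It is an added example, not Meterian's or the BSI's tooling, and it covers CycloneDX only (not SPDX); the SBOM below is a constructed sample, the "required" checks follow the minimum information and format points listed in the text, and the "advisory" checks cover the gaps the text raises (no PURL, no explicit relationship entry, licence not given as an SPDX identifier).

```python
"""Check a CycloneDX JSON SBOM against the TR-03183 minimum fields.

Added example (not Meterian's or the BSI's code). The SBOM is a constructed
sample; 'required' findings are violations of the minimum information set,
'advisory' findings flag the gaps the guideline leaves open.
"""
import hashlib
import re

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")
MIN_CYCLONEDX = (1, 4)   # TR-03183: CycloneDX 1.4 or higher


def _spec(s: str):
    return tuple(int(p) for p in s.split("."))


def check_tr03183(sbom: dict) -> list:
    """Return (severity, ref, message) findings; severity is 'required' or 'advisory'."""
    findings = []
    if sbom.get("bomFormat") != "CycloneDX" or _spec(sbom.get("specVersion", "0")) < MIN_CYCLONEDX:
        findings.append(("required", "<document>", "not CycloneDX 1.4 or higher"))
    # refs that have their own relationship entry in the dependency graph
    graph_refs = {d.get("ref") for d in sbom.get("dependencies", [])}
    for comp in sbom.get("components", []):
        ref = comp.get("bom-ref") or comp.get("name", "<unnamed>")
        for key in ("name", "version"):
            if not comp.get(key):
                findings.append(("required", ref, f"missing {key}"))
        lics = comp.get("licenses", [])
        if not lics:
            findings.append(("required", ref, "no licence information"))
        elif not any(l.get("expression") or l.get("license", {}).get("id") for l in lics):
            findings.append(("advisory", ref, "licence not given as an SPDX identifier"))
        if not any(h.get("alg") == "SHA-256" and SHA256_HEX.match(h.get("content", ""))
                   for h in comp.get("hashes", [])):
            findings.append(("required", ref, "no SHA-256 hash"))
        if not comp.get("purl"):
            findings.append(("advisory", ref, "no PURL; vulnerability matching falls back to name/version"))
        if ref not in graph_refs:
            findings.append(("advisory", ref, "no relationship entry in 'dependencies'"))
    return findings


def is_compliant(sbom: dict) -> bool:
    """True when no 'required' finding remains."""
    return not any(sev == "required" for sev, _, _ in check_tr03183(sbom))


# Constructed sample: one complete component and one deliberately deficient one.
_JAR = hashlib.sha256(b"json-util-2.1.0.jar").hexdigest()   # stands in for the real artifact hash
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "billing-service", "version": "3.2.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/json-util@2.1.0",
         "name": "json-util", "version": "2.1.0",
         "purl": "pkg:maven/org.example/json-util@2.1.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "hashes": [{"alg": "SHA-256", "content": _JAR}]},
        {"type": "library", "bom-ref": "crypto-helper",
         "name": "crypto-helper", "version": "0.9",
         # free-text licence, MD5 only, no purl, no relationship entry below
         "licenses": [{"license": {"name": "BSD-like"}}],
         "hashes": [{"alg": "MD5", "content": "0" * 32}]},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["pkg:maven/org.example/json-util@2.1.0", "crypto-helper"]},
        {"ref": "pkg:maven/org.example/json-util@2.1.0", "dependsOn": []},
    ],
}

if __name__ == "__main__":
    for sev, ref, msg in check_tr03183(SAMPLE_SBOM):
        print(f"{sev:9}{ref}: {msg}")
    print("compliant:", is_compliant(SAMPLE_SBOM))
```

Running it on the sample reports one required finding (the missing SHA-256 on crypto-helper) and three advisory ones, which is the kind of output a build step can gate on.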
Looking ahead
The CRA represents a significant step forward in securing the digital ecosystem. By leveraging clear guidelines and robust tools, organisations can align with compliance requirements while strengthening their cybersecurity posture. The publication of TR-03183 marks progress but also underscores the need for continued refinement as industry feedback shapes the future of SBOM practices.
Navigating the complexities of SBOM creation and CRA compliance doesn’t have to be overwhelming. Meterian provides automated solutions designed to simplify the generation and management of SBOMs, ensuring:
Effortless Compliance: Meterian supports the CycloneDX format, helping you meet the CRA’s technical requirements with ease.
Comprehensive Dependency Mapping: Automatically scans your codebase to identify all components and transitive dependencies, ensuring nothing is missed.
Ongoing Vulnerability Monitoring: Integrates seamlessly with vulnerability databases to keep your SBOMs updated and your products secure.
Time-Saving Automation: Embeds SBOM generation into your build processes, reducing manual effort and increasing efficiency.
With Meterian, you can confidently meet CRA requirements while enhancing your overall security posture. Contact us to learn how we can support your journey toward compliance and beyond.
Great news for all you mobile developers out there! Meterian, a leading Software Composition Analysis (SCA) platform, has just rolled out support for Dart, the programming language that’s become super popular for building Flutter apps. If you’re crafting mobile apps with Flutter, this update is specially tailored for you. Let’s dive into what this means and why it’s a game changer for Flutter developers.
Why Dart and Flutter are a big Deal
Developed by Google, Dart is all about building smooth and stunning mobile and web applications, and it’s the powerhouse behind Flutter—Google’s UI toolkit for crafting beautiful, natively compiled applications from a single codebase. Flutter’s ability to deliver apps that feel great on both Android and iOS has made it a hot favorite. With Dart now getting the spotlight it deserves, security and efficiency in app development are set to reach new heights.
Meterian embraces Dart
With Dart on its radar, Meterian is making sure that your development toolkit is not just powerful but also secure. This inclusion means Meterian can now safeguard your Flutter projects right from the get-go, catching potential security slip-ups before they become real headaches.
Meterian’s leap to include Dart is more than just an update—it’s setting a new standard for mobile app security. By embracing the needs of the Flutter community, Meterian is not only beefing up the security of apps but is also paving the way for projects that scale smoothly and stay robust under pressure.
What’s in it for Flutter developers?
We believe Flutter will eventually get a dominant position in the mobile development scene, so it’s essential to have tools that ensure that your applications are rock-solid safe. Meterian’s support for Dart brings you a suite of benefits:
Boosted Security: Spot vulnerabilities early in the development cycle with Meterian’s SCA tools, keeping your apps safe from security threats.
Stay on the Right Side of Compliance: Keep up with the latest security standards easily, ensuring your app complies with legal and regulatory requirements.
Seamless Development Flow: Meterian fits right into your existing workflows, helping you patch up security issues without slowing you down.
Scale with Confidence: As your app grows, Meterian grows with it, making sure that even the most complex projects stay manageable and secure.
With Dart in Meterian’s toolkit, it’s an exciting time to be building apps with Flutter. This move shows Meterian’s commitment to supporting the latest and greatest in app development, making it easier for you to build apps that aren’t just awesome but are also secure and compliant. To learn more about Meterian’s support for Dart/Flutter and how it can help improve the security of your projects, visit Meterian’s website at www.meterian.io.
The EU’s Digital Operational Resilience Act (DORA) represents a significant step towards ensuring that the financial sector can withstand and rapidly recover from ICT-related disruptions and threats. Among the wide variety of security testing tools and actions mandated by DORA, Software Composition Analysis (SCA) emerges as a critical component. Let’s explore why SCA is vital in this new regulatory landscape and how solutions like Meterian can be particularly beneficial.
What is Software Composition Analysis?
Software Composition Analysis (SCA) is a cybersecurity process that helps organizations identify and manage open source components within their software inventory. SCA tools scan software projects to detect open source libraries and frameworks, check the versions used, and compare them against databases of known vulnerabilities. Additionally, SCA assesses license compliance risks, ensuring that the open source licenses are compatible with corporate policies on software usage.
The Role of SCA Under DORA
The DORA framework emphasizes the need for a broad and adaptable approach to cybersecurity, recognizing the diverse nature of financial entities and their varying levels of ICT maturity. Here’s why SCA is integral to this approach.
Vulnerability Management
Financial entities utilize a plethora of software solutions, many of which rely on open-source components. SCA provides a systematic approach to detecting vulnerabilities in these components, some of which may be critical and widely exploited in the financial sector. By identifying these vulnerabilities early, financial institutions can patch them before they are exploited.
Compliance and Risk Management
DORA calls for rigorous compliance standards, including in areas like software licensing. SCA tools automatically detect the licenses of every component and alert teams about potential legal and operational risks, thus supporting compliance with DORA requirements.
Enhanced Operational Resilience
By integrating SCA into their cybersecurity practices, financial institutions can improve their operational resilience. Knowing exactly what is in their software reduces the time and resources spent on crisis management in the event of a security breach.
Supporting Advanced Testing Requirements
As entities mature, advanced testing such as Threat-Led Penetration Testing (TLPT) becomes viable. SCA ensures that the foundational elements of software security are addressed, which is critical for conducting more sophisticated, scenario-based tests effectively.
How Meterian Can Help
In the context of DORA, Meterian stands out as a valuable ally for financial institutions aiming to enhance their software security posture. Here’s how Meterian can specifically support compliance and resilience:
Continuous Security and Compliance Monitoring: Meterian continuously scans your software projects, providing real-time alerts on new vulnerabilities and compliance issues. This ongoing monitoring ensures that financial entities can respond promptly to emerging threats.
Automated Fix Suggestions: Beyond identifying issues, Meterian provides actionable insights and automated fix suggestions. This helps in quickly resolving vulnerabilities and license conflicts, significantly reducing the window of exposure.
Ease of Integration: Meterian’s platform can be seamlessly integrated into existing development workflows. This integration ensures that security and compliance checks occur throughout the software development life cycle, aligning with DORA’s emphasis on continuous improvement and adaptation.
Customizable Reporting: Meterian offers detailed, customizable reports that can assist financial entities in demonstrating their compliance with DORA regulations to regulators. These reports provide clear evidence of the proactive measures taken to ensure operational resilience.
By leveraging SCA tools like Meterian, financial institutions can not only meet the stringent requirements set forth by DORA but also significantly strengthen their cybersecurity frameworks. This proactive approach to software security is essential in a landscape where digital operations are increasingly integral to financial stability and success.
Stop worrying about missing critical vulnerability alerts. As application security experts, we know the constant struggle to stay informed about the latest threats facing your open-source components. That’s why we’re excited to introduce Meterian’s vulnerability notification system, designed to provide timely, accurate, and actionable information so you can take immediate steps to protect your applications.
Unparalleled Insight into Open-Source Risks
Meterian boasts the largest OSINT vulnerability database on the market, meticulously tracking over 335,000 vulnerabilities daily across 20+ diverse sources. We go beyond mere quantity, offering almost 94,000 unique vulnerabilities spanning 16 programming languages, ensuring comprehensive coverage for your development stack. Every day,
Never Miss a Critical Update
Our system proactively identifies new open-source component vulnerabilities and critical updates, delivering comprehensive notifications straight to your inbox. Each notification contains all the essential details to address the issue effectively:
Precise component name and ecosystem
Affected version range
Detailed vulnerability description
CVE identifier (if available)
Associated CVSS and EPSS scores
List of unaffected versions
Links for further exploration
What’s a CVE?
A CVE is like the official scoreboard listing of a severe foul or broken piece of equipment (a security flaw) that the entire league (the tech world) agrees must be fixed. Meterian acts as your team’s Defensive Coordinator, constantly watching the game for any new fouls and sending a precise, instant notification only to the players (developers) who are currently using that faulty gear, telling them exactly how to swap it out for a legal one before the referee throws a flag (a breach).
We believe that staying informed about vulnerabilities requires a comprehensive view. That’s why our platform not only delivers daily updates but also offers a valuable 30-day history, for free. This historical perspective allows you to track the evolution of vulnerabilities: whether you’re a seasoned developer or an individual user, understanding the trends over the past month can empower you to make informed decisions and take proactive security measures. Visit our Meterian Vulnerabilities pages to explore this rich history and stay ahead of the curve.
Tailored Alerts for Subscribed Users
We understand that information overload can be counterproductive. That’s why we offer two distinct notification systems for subscribed users:
Sentinel that continuously monitors previously scanned projects
Allerta that provides alerts based on user-specific preferences
Our Sentinel Notification System is your ticket to continuous security monitoring. It offers timely alerts to development teams, even without active scans. Once a project is under Meterian’s purview, Sentinel automatically and routinely examines it for new vulnerabilities. This seamless process ensures ongoing security screening, eliminating the need for user intervention. With Sentinel, you can rest assured that your projects remain protected around the clock.
The Allerta Notification System is designed with flexibility in mind. It allows users to tailor security alerts based on their preferences. You can define your interests, specifying preferred ecosystems, and scoring thresholds, ensuring that you receive notifications that align with your specific needs. Whether you’re a developer focusing on a particular programming language or a security professional seeking a broader view, Allerta provides precise information tailored to your requirements. With Allerta, you gain the ability to customize your security alerts while staying well-informed about the vulnerabilities that matter most to you.
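The following added example shows how a consumer would work with notifications carrying the fields listed earlier (component, ecosystem, affected range, CVE, CVSS, EPSS, unaffected versions) and apply Allerta-style preferences (ecosystems plus score thresholds). It is not Meterian's Sentinel or Allerta code; the notifications are constructed samples with placeholder component names and CVE ids, and the range syntax ">=a,<b" over dotted numeric versions is an assumption made for the example.

```python
"""Filter vulnerability notifications by ecosystem and score thresholds, and
pick an unaffected version to move to.

Added example, not Meterian's Sentinel or Allerta code. Notifications are
constructed samples; the range syntax and CVE placeholders are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Notification:
    """One alert, carrying the fields a notification is described as containing."""
    component: str
    ecosystem: str
    affected_range: str         # e.g. ">=2.0.0,<2.17.1"
    description: str
    cve: Optional[str]          # None when no CVE has been assigned yet
    cvss: float
    epss: float                 # exploitation probability, 0.0 to 1.0
    unaffected: List[str]
    links: List[str] = field(default_factory=list)


@dataclass
class Preferences:
    """Allerta-style filter: ecosystems of interest plus score thresholds."""
    ecosystems: Set[str]
    min_cvss: float = 0.0
    min_epss: float = 0.0


def _ver(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in s.split("."))


def version_in_range(version: str, rng: str) -> bool:
    """True when every comma-separated clause of rng holds for version."""
    ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, "<": lambda a, b: a < b}
    v = _ver(version)
    for clause in rng.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "<", ">"):       # two-character operators first
            if clause.startswith(op):
                if not ops[op](v, _ver(clause[len(op):].strip())):
                    return False
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
    return True


def select(notifications: List[Notification], prefs: Preferences) -> List[Notification]:
    """Keep only alerts in the subscribed ecosystems that meet both thresholds."""
    return [n for n in notifications
            if n.ecosystem in prefs.ecosystems
            and n.cvss >= prefs.min_cvss and n.epss >= prefs.min_epss]


def suggested_fix(n: Notification, installed: str) -> Optional[str]:
    """Lowest unaffected version above the installed one; None when the
    installed version is not affected or no higher unaffected version exists."""
    if not version_in_range(installed, n.affected_range):
        return None
    higher = sorted((u for u in n.unaffected if _ver(u) > _ver(installed)), key=_ver)
    return higher[0] if higher else None


# Constructed sample feed (component names and CVE ids are placeholders).
SAMPLE_FEED = [
    Notification("example-logger", "maven", ">=2.0.0,<2.17.1",
                 "untrusted input reaches a network lookup in the logging pipeline",
                 "CVE-XXXX-PLACEHOLDER-1", 10.0, 0.97, ["1.2.17", "2.17.1", "2.18.0"],
                 ["https://example.invalid/advisory/1"]),
    Notification("example-yaml", "pypi", ">=5.0.0,<5.4.0",
                 "unsafe deserialisation of untrusted documents",
                 None, 7.5, 0.05, ["5.4.0"]),
    Notification("example-cookie", "npm", "<0.4.1",
                 "cookie name parsing accepts out-of-bounds characters",
                 "CVE-XXXX-PLACEHOLDER-2", 4.3, 0.01, ["0.4.1", "0.5.0"]),
]


if __name__ == "__main__":
    prefs = Preferences(ecosystems={"maven", "npm"}, min_cvss=7.0)
    for n in select(SAMPLE_FEED, prefs):
        print(n.component, n.cve, "->", suggested_fix(n, "2.14.1"))
```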
Empowering Developers and Security Teams
Developers can focus on specific languages, while security personnel maintain a global view. All notifications provide granular details, including the affected component and version, so everyone has the context needed to make informed decisions. Don’t wait for a breach to expose your vulnerabilities. Meterian’s notification system empowers you to take control of your application security.
Sign up for a free trial today and experience the power of proactive application security. See for yourself how Meterian can keep you ahead of the curve and your applications safe. And remember, you can always consult the daily vulnerability report online, completely free: no subscriptions needed.
Take action now and protect your applications from the ever-evolving threat landscape!
Managing the technology stack and known vulnerabilities is becoming a key criterion for cyber insurance payouts
Open source software has once again made the headlines following warnings to organisations about the release of a new version of OpenSSL. Released on 1st November 2022, the new version patched vulnerabilities in version 3.0 and above of the nearly ubiquitously used cryptographic library for encrypting communications on the Internet.
The OpenSSL Project team took the unusual step of pre-warning organisations five days ahead of the 1st November release date that a critical update was being issued to address the vulnerabilities. This came as a surprise to many as the OpenSSL library rarely has critical vulnerabilities, but due to its popularity and widespread use, organisations were advised to be cautious and to prepare.
Based on the assessment by the OpenSSL team, the vulnerabilities can be exploited and trigger data leakage or remote code execution. It is hard to predict the potential damage and risk of these vulnerabilities, which is why it’s vital for organisations to act swiftly, determine any use of the affected OpenSSL and patch immediately if they are exposed to the vulnerabilities. However, as these vulnerabilities were classified as “high severity” and not critical as initially thought, widespread exploitation is not expected.
Open source: the foundation of modern software
The benefits of open source software are numerous and well known, so let’s be clear: open source is not the problem; our ability to learn from the past is.
There have been a couple of big open source incidents in the last year that have sent shock waves through the cyber security world. Firstly, the vulnerability in the widely deployed Log4J component, and now this new vulnerability in OpenSSL. This is only the second such flaw ever found in the open source encryption project. The first was Heartbleed.
The December 2021 zero-day vulnerability in the Java logger Log4J, known as Log4Shell, was characterised by many security experts as the single biggest, most critical vulnerability of the last decade. If left unpatched, attackers can hack into systems, steal passwords and logins, extract data, and infect networks with malicious software causing untold damage, not least to brand reputations.
Unfortunately, this is a situation that specialty insurer Crum & Forster, owned by Fairfax, knows all too well after falling victim to the hacking group known as RansomHouse. Despite widespread news coverage of the Log4Shell vulnerability, which was revealed in December 2021, it appears the insurer was still vulnerable.
The breach at Crum & Forster was first discovered on 22nd July 2022. The hacking group were able to exploit an unpatched system, resulting in a total of 1.7 gigabytes of sensitive data being released, including medical information, insurance policies, employee data, and customer lists.
Crum & Forster are by no means an isolated case; there are many examples over the years of companies falling victim to known vulnerabilities.
History repeating itself
The Heartbleed vulnerability, discovered in 2014, impacted hundreds of thousands of web and email servers worldwide. Among the many systems confirmed to be affected were large organisations such as Yahoo, Eventbrite, and even the FBI’s own website. Many of the big companies confirmed to be affected were able to get their ducks in a row and patch before anything severe happened.
Others weren’t so quick off the mark and hackers were able to exploit the vulnerability in several cases. The Canadian Revenue Agency was one of the many victims that suffered a breach as hackers exploited the Heartbleed vulnerability. The breach resulted in the theft of hundreds of social ID numbers in a six-hour period before the Canadian Revenue Agency realised and removed public access to its online services.
In the aftermath of a breach, companies are quick to express that lessons will be learnt. Unfortunately, in a case of history repeating itself, the Canadian Revenue Agency was once again hitting the headlines. In 2017, just 3 years after Heartbleed, the agency had to shut down its website for filing federal taxes after falling victim to the open source Apache Struts2 vulnerability.
Fail to patch, plan to fail
Several years on from when Heartbleed was discovered and a patch issued, there are still servers harbouring the Heartbleed vulnerability. In November 2020, a security researcher at the SANS Internet Storm Center discovered that over 200,000 machines were still vulnerable to Heartbleed. The news cycle may have moved on, but that doesn’t mean unpatched vulnerabilities have disappeared.
Too many headlines show that hacks have one thing in common: they are caused by a known vulnerability within an open source component.
A well-known example is the Equifax data breach in 2017, which remains one of the largest cybercrimes related to identity theft. The private records of 147.9 million Americans along with 15.2 million British citizens and approximately 19,000 Canadian citizens were compromised in the breach.
A key security patch for open source software Apache Struts was released by the Apache Software Foundation on 7 March 2017 after a security exploit was found. All users of the framework were urged to patch immediately.
For one reason or another, the patching process within Equifax completely broke down, resulting in vulnerable systems being left open to compromise. Subsequent scans conducted by the Equifax IT department to identify any vulnerable systems appear to have failed and, as the saying goes, the rest is history.
The cost of downplaying security
Recent estimates suggest the 2017 Equifax data breach cost the company at least $1.38 billion, with some sources suggesting the final bill could be closer to $2 billion. The root cause of the data breach was the failure to patch a known open-source web application security flaw. The company effectively left the door open for cyber criminals to walk in and wreak havoc.
In the aftermath of the breach Equifax was condemned for its lax security posture, shambolic emergency response and poor leadership, which led to many senior executives being accused of corruption. The Equifax breach investigation highlighted several security lapses that allowed attackers to enter allegedly secure systems and exfiltrate terabytes of data.
More than five years on, the Equifax data breach remains a cautionary tale in failing to manage cyber security risk effectively and lacking the tools and processes to implement a robust vulnerability and patch management regime.
Cybercrime has become a highly lucrative operation; it is not going away and is only set to worsen as companies continue to engage digital technology. Many have taken out cyber insurance to insulate themselves from the punishing costs of cyber-attacks and data breaches.
However, companies across the world are likely to face increases in the cost of insurance as the number of claims increases year on year. According to research conducted by FitchRatings, US claims volume has risen 100 percent annually over the past three years.
In part as a result, the cost of cyber insurance has risen steeply in 2022 in both the US and the UK. According to Marsh, the UK cyber insurance market experienced a pricing increase of 102% year-over-year in the first quarter of 2022.
As a result of rising claim costs, the insurance industry is tightening its qualifying requirements and limiting its coverage. Cyber insurers now require organisations to provide information about their security controls if they want coverage. This can include technical, procedural, and human controls.
Keeping track of your open source exposure
Software Bills of Materials (SBOMs) are an emerging approach to keeping track of your software dependencies, both open source and commercial. An SBOM is the ingredients list for understanding what code exists within the applications that your business relies upon.
Only by understanding what exists inside applications can organisations evaluate their exposure to risk. Used effectively, SBOMs enable companies to evaluate and target remediation efforts. But most importantly, companies won’t be blindsided when the next big open source vulnerability is announced.
Known vulnerabilities are your responsibility
Many cyber insurers have tightened their standards and are no longer paying out for breaches that have resulted from a known vulnerability. This should serve as a sharp wakeup call to boardrooms that deploy technology, with little thought to the security implications. If companies want to ensure they continue to receive all the benefits of their policy, it’s vital that they have a rigorous patch management system. Corporates may have short memories when it comes to known vulnerabilities but, as the evidence shows, cyber criminals do not.
Companies must increase visibility and transparency of the components in their open-source software and applications if they are to stay one step ahead of cyber criminals. Without continuous management of the governance, risk, and compliance of your open source, your company is walking a tightrope without a safety net. Those that fail to learn from history are doomed to repeat it.
We are happy to report that Meterian now supports pnpm, a new, fast and more efficient alternative to npm. It is comparatively faster than npm, especially when installing packages, and it saves a lot of disk space because it uses symlinks to represent modules. pnpm also has excellent monorepo support through workspaces, with built-in handling of multiple packages in a single repository.
pnpm support is available out of the box in GitHub Actions, Azure DevOps, Bitbucket Pipes and, of course, when using either the thin CLI or the dockerized CLI, so that you can continue to be informed about any vulnerable, out-of-date or non-business-friendly Node module in your dependencies.
Yesterday, 28th January, was an important day: the Council of Europe celebrated the 14th edition of Data Protection Day this year.
The day exists to raise awareness of good practices in this field, informing users about their rights and how to exercise them.
This date is aligned to the anniversary of the opening for signature of the Council of Europe’s Convention 108 for the Protection of individuals in relation to automatic processing of personal data. For the past 30 years this has been a cornerstone of data protection, in Europe and around the world.
Why is Data Protection so important?
Data protection issues are present throughout everyone’s lives: in the work environment, in public relations, in the health sector, when buying goods and services, when travelling, or merely whilst using the internet.
However, not everyone is informed about their rights. For this reason, 28th January has been set aside to inform more users of their rights and to give data protection professionals an occasion to address data subjects. It is important that our digitally advanced society understands what personal data is collected from them and why, as well as what their rights are when their data is processed. This in turn will help users be aware of the risks that come with illegal mishandling and unfair processing of personal data.
Meterian can help!
Here is a list of our blogs which can help users be more cyber resilient and diligent when it comes to managing sensitive data.
Cyber due diligence is increasingly taking the spotlight when considering M&A transactions. With the rise of cyber attacks across organizations, acquirers are now having to address the impact of a target company’s incidents to determine the deals they make. According to EY Global Information Security Survey 2018-19, 77% of organizations have limited cybersecurity. Cyber due diligence is important to avoid the devaluation of your organization.
What is cyber due diligence?
The official definition of cyber due diligence is ‘the review of governance, processes and controls that are used to secure information assets’. Essentially, cyber due diligence teams will gather a target’s risk profile and make recommendations to the purchaser.
Would you buy a home without having it inspected by a surveyor? Many people wouldn’t. In the past, the lack of inspection has proven to cause traumatic consequences. Take the Grenfell Tower fire of 2017. The lack of inspection in the build, design, and maintenance of this residential building (and many others discovered after the tragedy) has made building due diligence a crucial aspect to many organizations. The same can be said when applying cyber due diligence. Proper attention to issues within a target company will allow more informed decisions and safer outcomes.
The importance of cyber due diligence is seen through the example of Yahoo! In late 2004, senior officers and legal staff learned that unauthorized access to its computer network had been gained by what Yahoo! had identified as a ‘state-sponsored actor’. However, the board had not received a report. In 2016, Yahoo! and Verizon Communications entered a stock purchase agreement. Yet, around the same time, a hacker claimed to have obtained Yahoo! user data. Shockingly, after doing checks they found that up to 500 million user accounts had been stolen from Yahoo!’s network in 2014. Not surprisingly, this meant Yahoo! had to modify their terms with Verizon.
This proves how cyber due diligence is essential when making M&A transactions as it strongly influences the decision of the acquirer in regards to their target company.
Financial, Legal and Technical Due Diligence
Although cyber due diligence does not provide an accurate picture, it still allows the acquirer to have a good approximation of the condition of a target’s digital assets. An acquirer will have a process in their assessment of a target company and will examine:
How much money does the company have, spend and earn?
What are the margins of the target’s competitors?
Is the company in any debt?
This is financial due diligence. Every investment has a level of risk. There needs to be in-depth research to understand the risk well, and to avoid any harm to either party in the transaction. Avoiding financial due diligence can result in misunderstandings from the investor and cause them to be responsible for financial loss after the deal is closed. If you’re a business owner, ask yourself:
Does your company own the software?
What is the IP ownership of the software your company has created?
Is your company in compliance with its legal obligations with respect to software licences, software updates, data protection and processing laws?
What are the risks if compliance fails?
Here we have legal due diligence. This helps both entities work together to push forward a deal by addressing any legal problems that might be obstructing a decision. So this is when an M&A document will be produced. Legal due diligence is very important: the general law does not, in the absence of fraud or misrepresentation, protect the acquirer if they later see the business is not what they understood it to be. So buyer beware! Understanding the target’s liabilities is crucial. Make sure your legal team knows what they are doing, as they have the important role of communicating to external advisers.
Evaluate the cybersecurity program protecting the high-value digital assets: is it appropriate?
Look at the target company’s previous breaches and how they responded to each incident
Assess the target’s resilience and ability to resist cyber attacks on their digital assets in the future
Be a technical due diligence wiz and know what your technical assets are. Technical due diligence allows you to identify any vulnerabilities within the software or network of the target company. Look at the product, the infrastructure and its processes. Many software applications rely on open-source software components. If left unsecured (or used on a whim without due diligence assessing their risk to the business), this creates a potential weakness for organisations from two aspects. Firstly, vulnerable open source components are popular attack vectors for cyber attackers. Secondly, having components with a licence that’s not compatible with your company’s policy could harm your business. Companies should make sure their software is being used in compliance with its licence so they can avoid being sued for improper use of intellectual property.
As seen with the example of Yahoo!, the lack of technical due diligence allowed Verizon to make an uninformed decision. Although this was also a problem with Yahoo! not disclosing the issue, it shows how legally the deal had to be adapted and both companies suffered financial loss. This shows the integrated importance of financial, legal and technical due diligence, and the areas that need to be addressed by the acquirer during M&A transactions and considerations.
How can Meterian help with the due diligence process?
With Meterian, you can automate the due diligence of identifying and patching open source risks in minutes. Immediately see if the open source components used in your team’s project code bases are free of security, stability and licensing risks, so that you don’t run into any surprises down the line in your code’s software supply chain.
Although open source applications are built to a very high standard, open source software does not come with any guarantees of quality. It is the user of the open source software that is responsible for assuring its quality (and therefore data processing security). There are still licence agreements one must comply with. Since anyone can download and use open source software, without payment, it’s difficult for organisations to know what’s used in their code bases. Meterian helps companies ensure their software is audit ready and all open source licences are compliant and business friendly. Our software scanner runs and checks as developers build the software, so why not put your mind at rest and strengthen your business? See sample reports and analyse 1 free codebase by signing up on our website today.