Our client is India’s largest fashion e-commerce company and biggest online shopping site for Fashion & Lifestyle. They are headquartered in Bengaluru. They are the one-stop-shop for all footwear, clothing, accessories, cosmetics, and lifestyle products for both women & men featuring over 500 leading Indian and international brands. They aim to provide a hassle-free and enjoyable shopping experience to shoppers across the country with the widest range of brands and products on their site. The brand is making a conscious effort to bring the power of fashion to shoppers with an array of the latest and trendiest products available in the country.
Today, with numerous open source components available for developers to leverage and build innovative products on, most companies face the challenge of identifying which open source components are used, how to manage these components in their codebase, and the security risks associated with them. Companies do not want to be in a situation where they are exposed to hacking and data breaches. At the same time, they do not want to face copyright claims from a code author for using open source components outside the terms of its license. This is one of the reasons organizations go for open source audits.
The client’s main development headquarters housed many individual teams working on different areas of the e-commerce site. Each development business unit comprised many levels of sub-teams, and each of these sub-teams worked on many repos and projects. They approached Lyra to help them perform an open source audit on their code dumps. They wanted to know whether their code was compliant with OSS policies and also whether the dependencies they used were free from known open source security vulnerabilities.
With over ten years of experience in open source audits, enterprise solutions for code scans, and finding security vulnerabilities, we first performed an open source audit over a total code size of close to 80 GB. We scanned the code to determine how much open source code the codebase contained. After quantifying the open source code and creating a software inventory, we analyzed the components for potential threats and known security vulnerabilities. We also checked whether the code was compliant with open source policies. We created Jira tickets with the client’s dev teams for all the issues we encountered. The total code size of 80 GB was split up between individual development teams and multiple repos. Once the initial audit was done, we shared first-level individual reports and consolidated master reports for both FOSS compliance and security vulnerabilities.
In addition to the above, we created individual reports team-wise and project-wise, plus a summary for top-level management to get a sense of the open source audit. We made it easy for team heads and repo heads to understand how many issues and problems there were in their respective teams, as well as the potential threats in individual repos or projects. Top-level management was thus able to get a very clear overview of the audit. Once individual teams had received the details of their issues, we shared a master global combination of all the reports highlighting everything from all the teams down to repos and sub-level projects.
Reports were further detailed and split for both FOSS compliance and security vulnerabilities. Not just that, we also shared a complete dashboard view for top-level management, from the VPs to the CTO, to help them better understand the issues, categorized as high, medium, and low risk. We also showed them how to remediate those issues, coordinate with app sec teams, and set timelines for remediation.
Insights from the code scans and audits:
Among the priority projects, one team’s code scan covered close to 1 GB of code to check for FOSS compliance. From this code, we were able to identify 28 P1 (high risk) and 29 P2 (medium risk) issues that needed immediate attention.
When it came to finding security vulnerabilities in the dependencies used, we found 113 P1 (high risk) and 42 P2 (medium risk) issues.
Similarly, for another priority project with a code size of 1 GB, we were able to find 20 P1 (high risk) and 18 P2 (medium risk) issues for FOSS compliance, and the security vulnerability audit revealed 59 P1 (high risk) and 49 P2 (medium risk) issues.
We then shared these lists with the client for remediation of the issues in each of the priority projects. Lyra also provided consultation on the fixes and solutions for the issues raised in FOSS compliance and OSS security vulnerabilities.
Based on the client’s remediation plan, we at Lyra then worked on delta audits to check and verify the fixes made by the client, and shared the updated list of reports after each round. This cycle of remediation and delta scans went on for 2-3 months over many iterations. As many as 358 issues were brought to notice through continuous engagement with the client for the above two priority projects.
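The workflow described above (a component inventory, a FOSS compliance check against a license policy, a known-vulnerability check on the same inventory, per-team and per-repo rollups for the reports, and a delta audit that compares two scan rounds to show what was fixed, what is new and what stays open) can be sketched in a few functions. The following is an added example and not Lyra’s tooling or the client’s code; the inventory rows, team and repo names, license verdicts and advisory ids are all constructed placeholders, and the P1/P2 mapping is an assumed policy rather than the one used in the engagement.

```python
from collections import Counter, defaultdict

# Constructed sample inventory (not real scan output): one row per dependency
# found in a repo. Advisory ids are placeholders, not real identifiers.
INVENTORY_BASELINE = [
    {"team": "checkout", "repo": "cart-service", "component": "libfoo",
     "version": "1.2.0", "license": "MIT",
     "vulns": [{"id": "VULN-EXAMPLE-001", "severity": "high"}]},
    {"team": "checkout", "repo": "cart-service", "component": "libbar",
     "version": "0.9.1", "license": "GPL-3.0", "vulns": []},
    {"team": "catalog", "repo": "search-api", "component": "libbaz",
     "version": "2.0.0", "license": "LGPL-2.1",
     "vulns": [{"id": "VULN-EXAMPLE-002", "severity": "medium"}]},
    {"team": "catalog", "repo": "search-api", "component": "libqux",
     "version": "3.1.4", "license": "Custom-EULA", "vulns": []},
    {"team": "catalog", "repo": "image-svc", "component": "libfoo",
     "version": "1.2.0", "license": "MIT",
     "vulns": [{"id": "VULN-EXAMPLE-001", "severity": "high"}]},
]

# The same inventory after one remediation round (also constructed).
INVENTORY_DELTA = [
    {"team": "checkout", "repo": "cart-service", "component": "libfoo",
     "version": "1.3.0", "license": "MIT", "vulns": []},        # upgraded
    # libbar was removed from cart-service
    {"team": "catalog", "repo": "search-api", "component": "libbaz",
     "version": "2.0.0", "license": "LGPL-2.1",
     "vulns": [{"id": "VULN-EXAMPLE-002", "severity": "medium"}]},
    {"team": "catalog", "repo": "search-api", "component": "libqux",
     "version": "3.1.4", "license": "Custom-EULA", "vulns": []},
    {"team": "catalog", "repo": "image-svc", "component": "libfoo",
     "version": "1.2.0", "license": "MIT",
     "vulns": [{"id": "VULN-EXAMPLE-001", "severity": "high"}]},
    {"team": "catalog", "repo": "image-svc", "component": "libnew",
     "version": "1.0.0", "license": "GPL-3.0", "vulns": []},   # newly added
]

# Hypothetical license policy; a real one comes from the organisation's OSS policy.
LICENSE_POLICY = {
    "MIT": "allowed", "Apache-2.0": "allowed", "BSD-3-Clause": "allowed",
    "LGPL-2.1": "review",   # needs legal review of how it is linked -> P2
    "GPL-3.0": "denied",    # not permitted under this constructed policy -> P1
}


def foss_issues(inventory, policy=LICENSE_POLICY):
    """FOSS compliance findings: denied or unrecognised licenses are P1, review-needed ones P2."""
    issues = []
    for c in inventory:
        verdict = policy.get(c["license"], "unknown")
        if verdict == "allowed":
            continue
        issues.append({
            "kind": "foss",
            "priority": "P1" if verdict in ("denied", "unknown") else "P2",
            "team": c["team"], "repo": c["repo"], "component": c["component"],
            "detail": f"license {c['license']} is {verdict}",
        })
    return issues


def vuln_issues(inventory):
    """Known-vulnerability findings: critical/high advisories are P1, the rest P2."""
    issues = []
    for c in inventory:
        for v in c["vulns"]:
            issues.append({
                "kind": "security",
                "priority": "P1" if v["severity"] in ("critical", "high") else "P2",
                "team": c["team"], "repo": c["repo"], "component": c["component"],
                "detail": v["id"],
            })
    return issues


def audit(inventory):
    """One audit round: compliance findings plus security findings over the inventory."""
    return foss_issues(inventory) + vuln_issues(inventory)


def rollup(issues, level="team"):
    """Count findings per team (or per repo) by kind and priority, for the split reports."""
    counts = defaultdict(Counter)
    for i in issues:
        counts[i[level]][(i["kind"], i["priority"])] += 1
    return {k: dict(v) for k, v in counts.items()}


def issue_key(i):
    # Version is deliberately left out: an upgrade that removes the advisory closes the finding.
    return (i["kind"], i["team"], i["repo"], i["component"], i["detail"])


def delta(previous, current):
    """Compare two audit rounds: which findings were fixed, which are new, which remain open."""
    prev, cur = {issue_key(i) for i in previous}, {issue_key(i) for i in current}
    return {"fixed": sorted(prev - cur), "new": sorted(cur - prev), "open": sorted(prev & cur)}


if __name__ == "__main__":
    baseline = audit(INVENTORY_BASELINE)
    print("per team:", rollup(baseline))
    print("per repo:", rollup(baseline, "repo"))
    d = delta(baseline, audit(INVENTORY_DELTA))
    print({k: len(v) for k, v in d.items()})
```

The delta keeps the finding key independent of the component version, so a dependency upgrade that drops the advisory shows up as "fixed", while a newly introduced component with a denied license appears as "new" in the next round; the per-team and per-repo rollups are what the team-wise and project-wise reports above are built from.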
Through our constant interaction with the client, we were able to deliver a complete list of FOSS compliance and security vulnerability issues, and help fix them, with the issue list drilled down by teams, sub-teams, and individual repos, and summarized for top-level management. Thanks to the numerous data-oriented master and consolidated reports, everyone in the development teams had a clear view of all the issues, including the ones that needed remediation to stay compliant with open source policies and protected from potential attacks and data breaches.
Interested in an Open Source Audit for your company too? Get in touch with us today!