The client in question is India’s largest fashion e-commerce company and biggest online shopping site for Fashion & Lifestyle. They are headquartered in Bengaluru. They are the one-stop shop for footwear, clothing, accessories, cosmetics and lifestyle products for both women and men, featuring over 500 leading Indian and international brands. They aim to provide a hassle-free and enjoyable shopping experience to shoppers across the country with the widest range of brands and products on their site. The brand is making a conscious effort to bring the power of fashion to shoppers with an array of the latest and trendiest products available in the country.
Today, with numerous open source components available for developers to leverage and build innovative products on, most companies face the challenge of identifying which open source components are used, how to manage those components in their codebase, and the security risks associated with them. Companies do not want to be in a situation where they are exposed to attacks and data breaches. At the same time, for the open source components they use, they do not want to face copyright claims from the code authors. This is one of the reasons organizations go for open source audits.
The client’s main development centre housed many individual teams working on different areas of development of the e-commerce site. Each development business unit comprised many levels of sub-teams, and each of these sub-teams worked on many repos and projects. The client approached Lyra, which has years of experience in conducting open source audits, to perform an open source audit on their code dumps. They wanted to know whether their code was compliant with OSS policies and whether the dependencies it used were free of known open source security vulnerabilities.
Combining a decade of Lyra’s open source audit expertise with an enterprise solution for code scanning and finding security vulnerabilities, we first performed an open source audit on a total code size of close to 80 GB. We scanned the code to find how much open source code the code base contained. With the amount of open source code known and a software inventory created, we analyzed the components for potential threats and known security vulnerabilities. We also checked whether the code was compliant with open source policies. We created Jira tickets for all the issues we encountered with the respective client dev teams. As mentioned above, the total code size of 80 GB was split between individual development teams and multiple repos. Once the initial audit was done, we helped the client by sharing first-level individual and consolidated master reports for both FOSS Compliance and security vulnerabilities.
In addition to the above, we created individual reports team-wise, project-wise and for top-level management, so each audience got a sense of the open source audit report at its own level. Team heads and repo heads could easily see how many issues and problems there were in their respective teams, as well as potential threats in individual repos or projects, while top-level management got a very high-level overview of the audit report. Once individual teams had received details of their issues, we shared a master global combination of all the reports, highlighting everything from all the teams down to repos and sub-level projects.
Reports were further detailed and split for both FOSS Compliance and Security Vulnerabilities. Not only that, we also shared a complete dashboard view for top-level management such as the VP and CTO, showing the number of issues, how many were high, medium and low risk, how to remediate those issues, how to coordinate with the app sec teams, and the timeline for remediation.
Insights from the Codescans and Audits:
With respect to priority projects, from one code scan of a particular team’s code (close to 1 GB of code) checked for FOSS Compliance, we were able to find 28 P1 (high risk) and 29 P2 (medium risk) issues which needed immediate attention. With respect to finding security vulnerabilities for potential threats, we found 113 P1 (high risk) and 42 P2 (medium risk) issues in the dependencies used.
Similarly, for another priority project with a code size of 1 GB, we were able to find 20 P1 (high risk) and 18 P2 (medium risk) issues for FOSS compliance. For security vulnerabilities, our audits revealed 59 P1 (high risk) and 49 P2 (medium risk) issues.
We then shared these issues with the client for remediation in each of the priority projects. Lyra also provided consultation on the fixes and solutions for the issues raised in FOSS compliance and OSS security vulnerabilities.
Based on the client teams’ remediation plan, we at Lyra then worked on delta audits to check and verify the fixes done by the client’s teams, and then again shared the same set of reports as before. This process of remediation and delta scans went on for 2-3 months with many iterations. As many as 358 issues were brought to notice through continuous engagement with the client for the above two priority projects.
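The audit workflow described above (build a component inventory, check each component against known vulnerabilities and an open source license policy, assign P1/P2 priority, aggregate counts per team and per repo, then run a delta audit to confirm fixes) is illustrated by the following added example. This is example code written for this page, not Lyra’s or the client’s tooling: the inventory, advisory list, license policy and remediation step are all constructed placeholders, and the version comparison is a deliberately simple numeric tuple compare rather than a full version-scheme parser.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    """One dependency as a scan would export it: who owns it, where it lives, what it is."""
    team: str
    repo: str
    name: str
    version: str
    license: str


# Constructed inventory (placeholder teams, repos and packages, not from the audit).
INVENTORY = [
    Component("checkout", "cart-service", "libwidget", "1.2.0", "MIT"),
    Component("checkout", "cart-service", "fastparse", "0.9.1", "GPL-3.0"),
    Component("catalog", "search-api", "libwidget", "1.4.0", "MIT"),
    Component("catalog", "search-api", "imgcrunch", "2.0.0", "Apache-2.0"),
    Component("catalog", "image-proxy", "imgcrunch", "2.0.0", "Apache-2.0"),
    Component("catalog", "image-proxy", "oldcrypto", "0.3.0", "UNKNOWN"),
]

# Constructed advisories: (package, first fixed version, severity). A real audit would
# load these from a vulnerability database; these entries are placeholders.
ADVISORIES = [
    ("libwidget", "1.3.0", "high"),
    ("imgcrunch", "2.1.0", "medium"),
    ("oldcrypto", "1.0.0", "high"),
]

# Constructed license policy for a proprietary codebase: strong copyleft is P1,
# an undeclared license is P2 because it cannot be cleared until identified.
LICENSE_POLICY = {"GPL-3.0": "P1", "AGPL-3.0": "P1", "UNKNOWN": "P2"}
SEVERITY_TO_PRIORITY = {"high": "P1", "medium": "P2"}


@dataclass(frozen=True)
class Issue:
    team: str
    repo: str
    component: str
    version: str
    category: str   # "security" or "compliance"
    priority: str   # "P1" or "P2"
    detail: str


def parse_version(v):
    # Simplified dotted-numeric compare; assumption for the example only.
    return tuple(int(p) for p in v.split("."))


def audit(inventory):
    """Initial audit: one Issue per vulnerable version or disallowed license."""
    issues = []
    for c in inventory:
        for pkg, fixed_in, severity in ADVISORIES:
            if c.name == pkg and parse_version(c.version) < parse_version(fixed_in):
                issues.append(Issue(c.team, c.repo, c.name, c.version, "security",
                                    SEVERITY_TO_PRIORITY[severity],
                                    f"vulnerable, fixed in {fixed_in}"))
        if c.license in LICENSE_POLICY:
            issues.append(Issue(c.team, c.repo, c.name, c.version, "compliance",
                                LICENSE_POLICY[c.license],
                                f"license {c.license} not allowed by policy"))
    return issues


def summarize(issues, by="team"):
    """Tiered report: P1/P2 counts per team (or per repo), split by category."""
    counts = defaultdict(lambda: defaultdict(int))
    for i in issues:
        counts[getattr(i, by)][f"{i.category}/{i.priority}"] += 1
    return {k: dict(v) for k, v in counts.items()}


def delta(before, after):
    """Delta audit: which issues the previous scan had were fixed, remain open, or are new."""
    b, a = set(before), set(after)
    return {"fixed": sorted(b - a, key=str),
            "open": sorted(b & a, key=str),
            "new": sorted(a - b, key=str)}


def remediated(inventory):
    """Constructed remediation step: cart-service upgrades libwidget to the fixed release."""
    return [Component(c.team, c.repo, c.name, "1.3.0", c.license)
            if (c.repo == "cart-service" and c.name == "libwidget") else c
            for c in inventory]


if __name__ == "__main__":
    first = audit(INVENTORY)
    print("per team:", summarize(first, by="team"))
    print("per repo:", summarize(first, by="repo"))
    d = delta(first, audit(remediated(INVENTORY)))
    print(f"fixed={len(d['fixed'])} open={len(d['open'])} new={len(d['new'])}")
```

The per-team and per-repo summaries are the two report granularities the case study describes, and `delta` is the check a delta audit performs: an issue counts as fixed only when it no longer appears for the same component, version, repo and category, so an upgrade that lands in one repo but not another stays open for the other.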
Through constant engagement with the client, Lyra was able to provide a complete list of issues for FOSS compliance and security vulnerabilities, and to help get them fixed, with the issue list drilled down by teams, sub-teams and individual repos and rolled up for top-level management. Thanks to numerous data-oriented master and consolidated reports, everyone in the development teams had a clear view of all the issues, and of which ones needed remediation to stay compliant with open source policies and protected from potential attacks and data breaches.
Interested in an Open Source Audit for your company too? Get in touch with us today!