Companies need to pay attention to the security of their open source dependencies. Kusari Platform can help.
August 13, 2025
Companies have relied on open source software for decades to provide a foundation for commercial software development. Open source software accelerates innovation by providing no-fee software to handle undifferentiated functionality. Using open source operating systems, programming languages, frameworks, and libraries, companies can focus their development teams on the differentiated functionality that meets their specific business needs.
But no-fee is not the same as zero total cost of ownership. Like all software, open source software can contain vulnerabilities. The popularity of open source software makes it an attractive target for bad actors looking to conduct supply chain attacks. Across the globe, regulators are increasingly demanding that companies take a proactive approach to securing their software supply chain. Regulations like the European Union’s Cyber Resilience Act (CRA) will require manufacturers to assume liability for the open source software in their supply chain. So what are companies to do?
With vendor-supplied software, you can include contract language to require certain security practices or certifications. You can require your suppliers to assume liability for issues that arise from your use of their software. In fact, some industry working groups now offer language and policy templates to make such clauses easier to include and more consistent.
That doesn’t work with open source software. In general, you don’t have a contractual relationship with the people who produce the open source software that you use. (Some projects provide a paid support contract for their own software and some third-party vendors provide support for open source projects.) Companies that use open source software have no leverage. In fact, making demands of the project will only result in hostility.
The most effective way to improve the security practices in your open source dependencies is to provide developers time to participate as community members. However, it takes time for new community members to gain the credibility necessary to drive new changes. Given the sheer number of dependencies in modern applications, this can be challenging to scale across your entire dependency graph.
The UK Government Department for Science, Innovation & Technology published a report titled “Open source software best practices and supply chain risk management” that contains excellent guidelines for companies in any country to secure their open source software supply chain.
The first step in securing your software supply chain is knowing what is in your software supply chain. This comes from building software bills of materials (SBOMs) when you build your software. An SBOM is a comprehensive list of all the components, libraries, and dependencies that make up a software product. It includes information such as version numbers and licenses of each component. An SBOM alone won’t solve your security problems, but it provides a base for building out a full view of your software supply chain.
The next step is continuous monitoring of your software supply chain. Vulnerabilities are not static; new vulnerabilities are discovered in existing releases, sometimes years after the software shipped. The software that was vulnerability-free yesterday may have critical vulnerabilities today. Knowing what was built is part of the answer, but knowing what is deployed to which environment is critical to rapidly responding to new threats.
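As an added illustration of the two steps above (example code, not Kusari's or the UK report's), the script below joins a CycloneDX-style SBOM per application with a deployment inventory and a vulnerability advisory to answer which environments are running an affected version. The SBOMs, inventory, advisory id, package names and version range are all constructed sample data.

```python
import json

# Constructed CycloneDX-style SBOMs, one per application (sample data; not real packages or real SBOMs).
SBOMS = {
    "billing-api": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "example-http", "version": "2.4.1", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-yaml", "version": "5.3.0", "licenses": [{"license": {"id": "Apache-2.0"}}]}]}),
    "web-frontend": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "name": "example-http", "version": "2.6.0", "licenses": [{"license": {"id": "MIT"}}]}]}),
}

# Constructed deployment inventory: which application build runs in which environment.
DEPLOYMENTS = [
    {"env": "prod", "app": "billing-api"},
    {"env": "staging", "app": "billing-api"},
    {"env": "prod", "app": "web-frontend"},
]

# Constructed advisory in the OSV "introduced"/"fixed" style: versions >= 2.0.0 and < 2.5.0 are affected.
ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "package": "example-http", "introduced": "2.0.0", "fixed": "2.5.0"}


def parse_version(v):
    """Dotted numeric version to a comparable tuple; non-numeric parts (e.g. 'rc1') sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_affected(version, advisory):
    """Half-open range [introduced, fixed), so the fixed version itself is not affected."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def affected_deployments(sboms, deployments, advisory):
    """Join each deployment's SBOM against the advisory: where is the vulnerable component running?"""
    hits = []
    for d in deployments:
        for c in json.loads(sboms[d["app"]])["components"]:
            if c["name"] == advisory["package"] and is_affected(c["version"], advisory):
                hits.append((d["env"], d["app"], c["name"], c["version"]))
    return hits


if __name__ == "__main__":
    for env, app, name, version in affected_deployments(SBOMS, DEPLOYMENTS, ADVISORY):
        print(f"{ADVISORY['id']}: {name}@{version} in {app}, deployed to {env}")
```

Re-running the join whenever a new advisory arrives, against the SBOMs recorded at build time, is the continuous-monitoring loop described above: the SBOM does not change, but the answer does.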
The challenge in software supply chain security isn’t a lack of information. In fact, the problem is often too much information. It’s challenging to separate signal from noise when you’re awash in unconnected data about software vulnerabilities. Kusari provides a comprehensive solution for addressing risk in your open source dependencies.
Kusari Inspector provides developers feedback in their existing workflow. It analyzes pull requests to detect vulnerabilities, unmaintained projects, and other issues in your dependencies. It also finds misconfigured workflows, embedded credentials and other secrets, and insecure code practices. Plus, it can automatically generate SBOMs, solving a challenge that the UK report identified:
We appreciate that creating an SBOM can be a time-consuming and resource-intensive process. We suggest organisations look to integrate an SBOM into their development and deployment processes, that is generated automatically, to alleviate the resource burden.
Kusari Platform provides developers, security teams, and executives with a security-focused dashboard. It continuously updates its data to alert your team about newly discovered vulnerabilities. Kusari Platform analyzes not just your direct dependencies, but your transitive dependencies — the dependencies of your dependencies. As the UK report notes:
Modern software is a complex web of dependencies, with updates and patches released regularly. It is important to continuously monitor the software supply chain for vulnerabilities, licensing issues, and new versions of OSS components.
When vulnerabilities appear in the software portfolio, Kusari Platform can tell you where — not just which applications, but where the applications are running. Kusari Platform can detect if vulnerable code paths are called, helping you know which vulnerabilities are actually affecting you. With the Kusari Score and Effort to Fix calculations, you can quickly prioritize vulnerabilities in your specific context.
With upcoming requirements from the CRA, from medical device regulations, and from other regulations, now is the time to manage your open source dependencies. To learn how Kusari can help you, book a demo.