UiPath: Open Source Management That Keeps Pace with Speedy Software Development

Today, managing open source software — and the license compliance, security, and SBOM considerations that come with it — is all about prioritization and efficiency. 

Innovative companies like robotic process automation (RPA) leader UiPath put a premium on not only maintaining software transparency and reducing risk, but doing so in a way that doesn’t slow development velocity or burden engineering teams. 

This includes:

  • Using SCA (software composition analysis) tooling that’s easy to implement and put into daily use across numerous repos and teams
  • Prioritizing CVE remediation by vulnerability exploitability, not just CVSS score
  • Automating license compliance policies so legal teams don’t have to approve every new open source library
  • Leveraging SBOMs (software bills of materials) for supply chain security

As Valentina Ditoiu, UiPath’s Senior Security Program Manager and longtime open source leader, sees it, FOSSA is a big reason why UiPath has achieved these objectives. The company’s legal, security, and engineering teams all use FOSSA to efficiently manage open source-related risks and activities.

“FOSSA is a really good blend of licensing and security,” Valentina says. “Typically, you see vendors do one or the other better. FOSSA does both of them quite well. FOSSA has been great at helping us stay ahead as there’s been a shift toward automation, efficiency, and better vulnerability prioritization.”

“With FOSSA, all of our departments win.” 

-Valentina Ditoiu, UiPath Senior Security Program Manager

UiPath’s Open Source License Compliance Evolution

Before implementing FOSSA, UiPath utilized a manual and labor-intensive process for managing open source license compliance. The company’s CTO maintained a list of direct dependencies (and licenses) that was updated after every release. 

As UiPath grew, however, the organization determined that it would benefit from a more automated approach.

“Our CTO encouraged us to get FOSSA because he understood FOSSA would be able to provide information beyond what we had in that short list of dependencies,” Valentina recalled.

The decision to implement FOSSA has paid major dividends.

“FOSSA is the only tool that we use in UiPath for license management, and I think that says a lot,” Valentina says. “We’ve tested others, but FOSSA keeps delivering.”

A big reason why UiPath has embraced FOSSA is that the tool works well for a broad range of license compliance stakeholders, not just legal teams.

“FOSSA is well integrated within our build and CI/CD pipelines,” Valentina says. “Engineering can see when licenses are flagged, and they come to me or to our legal team for further review if there’s an issue that requires it.” (FOSSA’s license compliance automation works so that the majority of licenses are either automatically approved or denied, but some edge cases are flagged for further review.) 

FOSSA also provides important contextual information to help UiPath resolve license compliance issues.

“FOSSA enables engineering to see the path of a certain dependency,” Valentina says. “They know where to go to really understand that dependency’s use case, which helps us understand if that dependency can be removed, or if it should be updated, and so on.”

Meanwhile, UiPath’s legal team appreciates that FOSSA keeps its expansive licensing database (which contains license types like source-available and shareware in addition to open source) as up-to-date as possible.

“FOSSA has always been extremely responsive in adding new licenses,” Valentina says. “The fact that they cover license types beyond open source is also a great benefit. As a company that uses a lot of .NET, we’ve particularly appreciated having coverage of freeware and shareware licenses.” 

This accurate and comprehensive inventory of dependencies and licenses also serves as a strong foundation for UiPath’s licensing reports. These come in handy during due diligence exercises and when fielding customer requests.

“Reporting is one of the core functionalities that we’ve used from FOSSA,” Valentina says. “We issue reports for customers, partners, investors, or whatever stakeholders ask during due diligence exercises. We issue reports, and we trust them.”

“Plus, we can adjust the granularity of the information in a report, which is great — some customers prefer a more detailed report, while some are OK with just a high-level summary.”

Reducing Vulnerability Management Noise

Historically, open source vulnerability management programs have been largely based on CVSS scores: the higher the score, the more urgent the remediation.

Over the years, however, it’s become increasingly apparent that CVSS scores aren’t the be-all, end-all. That’s because a lot of vulnerabilities — even severe vulnerabilities — aren’t likely to actually be exploited. 

“It’s clearer now than it was before that there’s a revolution in terms of relying on CVSS scoring that everyone in the industry is talking about — there are better ways to assess risk,” Valentina says. 

As a result, UiPath has made vulnerability prioritization a significant strategic focus, and the company has made major gains in enabling engineering to focus on the most pressing issues first.

FOSSA’s Vulnerability Management product has a variety of capabilities and filters, including EPSS (Exploit Prediction Scoring System) scores, to help UiPath achieve its prioritization objectives.

“FOSSA has helped us a lot with the addition of EPSS scoring,” Valentina says. “FOSSA has also given us a lot of functionality in terms of additional scoring and being able to triage the CVEs that we discover with scans. That additional information is super useful in helping UiPath keep up with new trends in the security space.”

Managing SBOMs and Supply Chain Transparency

Just as open source vulnerability management has evolved over the years, so too has the focus on software supply chain transparency. New government regulations have made SBOMs (software bills of materials) mandatory for businesses in certain industries, while supply chain attacks like Log4Shell have placed a premium on maintaining visibility into open source dependencies.

FOSSA plays a central role in these initiatives for UiPath.

“FOSSA has a package observability and search feature that is super useful when customers are inquiring about a specific package or CVE,” Valentina says. “It’s really easy for our security team to use FOSSA to search for a specific CVE or package and get a very quick answer before going into the technical nitty-gritty of the CVE.”

UiPath leverages the SBOM functionality to help internal teams quickly triage where package dependencies are sourced. In the future, the company is looking to expand this usage to align with industry trends.
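The two workflows this case study describes, ranking CVEs by exploitability (EPSS) ahead of raw CVSS severity, and answering "do we ship this package, and through which dependency path?" from an SBOM, can be shown in a single small script. The following is an added example written for this page; it is not FOSSA's or UiPath's code and does not use the FOSSA API. The CycloneDX-style SBOM, the dependency edges, the vulnerability feed, the placeholder CVE-style identifiers, and the EPSS/CVSS numbers are all constructed sample data, and the `EPSS_URGENT` / `CVSS_HIGH` triage thresholds are assumptions chosen for illustration, not product settings.

```python
"""Triage a constructed CycloneDX-style SBOM against a constructed vulnerability
feed, ranking findings by EPSS (exploit likelihood) before CVSS severity, and
resolving the dependency path that pulls each affected package in.

Added example for this page; not FOSSA's or UiPath's code. All data below is
made up: package names, versions, dependency edges, CVE-style IDs, and scores.
"""
import json
from collections import deque
from dataclasses import dataclass

# Constructed CycloneDX-style SBOM. Every package, version, and dependency
# edge is invented sample data; "app" is the application itself.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:a", "name": "web-framework", "version": "3.2.0"},
    {"bom-ref": "pkg:b", "name": "json-parser", "version": "1.8.4"},
    {"bom-ref": "pkg:c", "name": "logging-lib", "version": "2.1.0"},
    {"bom-ref": "pkg:d", "name": "image-codec", "version": "0.9.1"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:a", "pkg:d"]},
    {"ref": "pkg:a", "dependsOn": ["pkg:b"]},
    {"ref": "pkg:b", "dependsOn": ["pkg:c"]},
    {"ref": "pkg:c", "dependsOn": []},
    {"ref": "pkg:d", "dependsOn": []}
  ]
}"""

# Constructed vulnerability feed keyed by (name, version). The CVE-style IDs
# are placeholders and the CVSS/EPSS values are invented for illustration.
VULN_FEED = {
    ("logging-lib", "2.1.0"): [{"id": "CVE-0000-0001", "cvss": 9.8, "epss": 0.97}],
    ("image-codec", "0.9.1"): [{"id": "CVE-0000-0002", "cvss": 9.1, "epss": 0.01}],
    ("json-parser", "1.8.4"): [{"id": "CVE-0000-0003", "cvss": 6.5, "epss": 0.42}],
}

# Assumed triage thresholds (not a FOSSA setting): EPSS >= 0.10 is treated as a
# meaningful chance of exploitation in the near term; CVSS >= 7.0 is "high".
EPSS_URGENT = 0.10
CVSS_HIGH = 7.0


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    version: str
    cvss: float
    epss: float
    path: tuple  # dependency path (names) from the application to the component

    @property
    def tier(self) -> str:
        if self.epss >= EPSS_URGENT:
            return "urgent"       # likely to be exploited: fix first
        if self.cvss >= CVSS_HIGH:
            return "scheduled"    # severe on paper, low exploit likelihood
        return "backlog"


def load_sbom(text: str) -> dict:
    """Parse the SBOM and index components and dependency edges by bom-ref."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]
    comps = {root["bom-ref"]: root}
    comps.update({c["bom-ref"]: c for c in bom["components"]})
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return {"root": root["bom-ref"], "components": comps, "edges": edges}


def dependency_path(sbom: dict, target_ref: str) -> tuple:
    """Breadth-first search for the shortest path from the root to target_ref."""
    start = sbom["root"]
    queue = deque([(start, (start,))])
    seen = {start}
    while queue:
        ref, path = queue.popleft()
        if ref == target_ref:
            return tuple(sbom["components"][r]["name"] for r in path)
        for nxt in sbom["edges"].get(ref, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + (nxt,)))
    return ()  # not reachable from the application root


def search_package(sbom: dict, name: str) -> list:
    """Answer "do we ship package X, and through what path?" from the SBOM."""
    return [(comp["version"], dependency_path(sbom, ref))
            for ref, comp in sbom["components"].items() if comp["name"] == name]


def triage(sbom: dict, feed: dict) -> list:
    """Match components against the feed and rank by EPSS first, CVSS second."""
    findings = []
    for ref, comp in sbom["components"].items():
        for v in feed.get((comp["name"], comp["version"]), []):
            findings.append(Finding(v["id"], comp["name"], comp["version"],
                                    v["cvss"], v["epss"], dependency_path(sbom, ref)))
    return sorted(findings, key=lambda f: (-f.epss, -f.cvss))


if __name__ == "__main__":
    bom = load_sbom(SBOM_JSON)
    for f in triage(bom, VULN_FEED):
        print(f"{f.tier:9} {f.cve} {f.component}@{f.version} "
              f"CVSS={f.cvss} EPSS={f.epss:.2f} via {' -> '.join(f.path)}")
    print("logging-lib:", search_package(bom, "logging-lib"))
```

Run as-is, the ranking puts the medium-severity but frequently exploited `json-parser` finding ahead of the CVSS 9.1 `image-codec` finding, which is the point of weighting exploitability over score alone; the dependency path shows that `logging-lib` arrives transitively through `web-framework` and `json-parser`, which is the information an engineer needs to decide whether to update, replace, or remove the direct dependency that pulls it in.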

UiPath and FOSSA: The Bottom Line

It’s been a half-decade since UiPath first brought FOSSA on board to automate open source license compliance. In the years since, UiPath has expanded its use of FOSSA to include security and SBOM management. 

Today, UiPath’s legal, security, and engineering teams all use FOSSA. And, as UiPath continues to innovate in areas like vulnerability prioritization and license compliance management, FOSSA is there to help UiPath make it all more efficient, effective, and developer-friendly. 

“It’s the best-case scenario when an SCA tool is so integrated and provides value in a seamless way,” Valentina says. “You can see the end-to-end process working from integration to issue remediation, and that’s what we see with FOSSA. It’s been really useful.”

-Valentina Ditoiu, UiPath Senior Security Program Manager

UiPath logo is ©2024 UiPath, Inc., UiPath SRL. Used with permission.