We use the solution for the security compliance and licensing of open-source components.
CEO at SeQuenX BV
A fairly priced product for managing security compliance and licensing
Pros and Cons
- "I am impressed with the tool’s seamless integration and quick results."
- "I want the product to include binary scanning which is missing at the moment. Binary scanning includes code and component matching through dependency management. It also includes the actual scanning and reverse engineering of the boundaries and finding out what is inside."
What is our primary use case?
What is most valuable?
I am impressed with the tool’s seamless integration and quick results.
What needs improvement?
I want the product to include binary scanning which is missing at the moment. Binary scanning includes code and component matching through dependency management. It also includes the actual scanning and reverse engineering of the boundaries and finding out what is inside.
For how long have I used the solution?
We have been using the solution for four years. We are using the solution since its introduction.
Buyer's Guide
FOSSA
November 2024
Learn what your peers think about FOSSA. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
The tool is very stable. I have never had a problem with it.
What do I think about the scalability of the solution?
The solution has around 300 users in our company.
How are customer service and support?
I haven’t contacted tech support yet since I know the sales director and the whole sales team personally.
How was the initial setup?
The solution’s setup is very easy.
What's my experience with pricing, setup cost, and licensing?
FOSSA is a fairly priced product. It is not either cheaper or expensive. The pricing lies somewhere in the middle. The solution is worth the money that we are spending to use it.
What other advice do I have?
I would rate the solution an eight out of ten. I highly recommend the tool to users because its user interface lets us know what we are doing.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Program Manager at a consumer goods company with 10,001+ employees
Improves productivity by saving a lot of time for our software developers
Pros and Cons
- "The support team has just been amazing, and it helps us to have a great support team from FOSSA. They are there to triage and answer all our questions which come up by using their product."
- "I would like more customized categories because our company is so big. This is doable for them. They are still in the stages of trying to figure this out since we are one of their biggest companies that they support."
What is our primary use case?
We use it to scan all of our open source projects, including all of our internal projects that people use.
We are about to roll it out to the whole company. Currently, we're only using it for open source projects, making sure people are scanning before they get the project approved.
How has it helped my organization?
FOSSA's compatibility with the wide range of developer ecosystem tools is great. It definitely saves us a lot of time and helps us figure out what security vulnerabilities are going on. Since we can't do it ourselves, we need FOSSA.
The solution provides contextualized, actionable intelligence that alerts us to compliance issues. The intelligence provides help with triage and remediation. The solution reacts really quickly to triage every question or anything going on that needs help.
What is most valuable?
It cuts the software engineers work a lot. Because if it is already approved and scanned, then they don't have to do it again.
The solution is holistic. Our legal teams and DevOps work hand in hand with it. For example, we have a legal team who is part of the setup for FOSSA.
What needs improvement?
I would like more customized categories because our company is so big. This is doable for them. They are still in the stages of trying to figure this out since we are one of their biggest companies that they support. I do feel like we are being heard and they are working on trying to give us what we asked for.
For how long have I used the solution?
I have been using it for two years.
What do I think about the stability of the solution?
FOSSA has been pretty stable. There haven't been websites down, etc. We are still building on top of it, which is great. We are adding more features which we didn't know that we needed. We are still getting feedback from developers at the company on what they need and what the solution can do for them.
My team of two does the maintenance for FOSSA.
What do I think about the scalability of the solution?
The scalability has been pretty perfect.
The majority of the user roles are software engineers. We have about 3,000 to 4,000 software engineers who will be using it. Currently, I think we have about 1,000 employees who probably have used it, or maybe a little less. We are about to roll it out to the whole company, so that will be hitting the majority of all our engineers.
Right now, it's already in the system. We just haven't yet announced that it is in the system for use.
FOSSA enables us to deploy software at scale.
How are customer service and technical support?
The technical support is really good. They are very persistent and support what we need by answering all of our questions. They answer right away.
Which solution did I use previously and why did I switch?
We did not use another solution previously.
How was the initial setup?
The initial setup was straightforward. It was very easy in order to have their platform installed into our company-wide platform for internal users. They gave us what they needed, and we gave them what they needed.
Our deployment took about a week.
For our implementation strategy, we had to figure out what was needed in order for FOSSA to be on our platform along with the needs to onboard an external platform into our system.
What about the implementation team?
The deployment required three or four people: the IT team, the FOSSA team. and myself. My experience with the FOSSA team with great. The deployment went smoothly. They were there for 100 percent life support. Anything that was needed was found and triaged.
What was our ROI?
It takes probably a week to get everything scanned and approved before you can use it. Therefore, we are probably seeing about a couple of days or weeks of times saving per code or project for this solution. This is because it would take some time to scan, have it looked at, reviewed, and get approval.
It improves productivity, saving a lot of time for our software developers.
What other advice do I have?
If this is the type of product that you're looking for, they are one of the best products that you can use. The support team has just been amazing, and it helps us to have a great support team from FOSSA. They are there to triage and answer all our questions which come up by using their product.
I am not a daily user. I do more of the program management side of setting it up for everyone. I don't actually use it on a day-to-day type of basis.
I would rate the solution a 10 out of 10.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
FOSSA
November 2024
Learn what your peers think about FOSSA. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
Data Privacy Officer at a healthcare company with 51-200 employees
Reduces our costs and timeline and allows us to go very granular and automate the scanning of licenses
Pros and Cons
- "One of the things that I really like about FOSSA is that it allows you to go very granular. For example, if there's a package that's been flagged because it's subject to a license that may be conflicts with or raises a concern with one of the policies that I've set, then FOSSA enables you to go really granular into that package to see which aspects of the package are subject to which licenses. We can ultimately determine with our engineering teams if we really need this part of the package or not. If it's raising this flag, we can make really actionable decisions at a very micro level to enable the build to keep pushing forward."
- "One thing that can sometimes be difficult with FOSSA is understanding all that it can do. One of the ways that I've been able to unlock some of those more advanced features is through conversations with the absolutely awesome customer success team at FOSSA, but it has been a little bit difficult to find some of that information separately on my own through FAQs and other information channels that FOSSA has. The improvement is less about the product itself and more about empowering FOSSA customers to know and understand how to unlock its full potential."
What is our primary use case?
I lead the legal team at my organization, and we use FOSSA largely in partnership with our engineering teams. We use FOSSA for open-source software licensing scans and diligence.
We are using its latest enterprise version.
How has it helped my organization?
It has reduced the time that we used to take to go through the internal review and the diligence of a build and then push that build to be live on production. It has not only reduced the time; it has also reduced some of the pain points to make us more operationally efficient. It has allowed us to scale up our engineering efforts in a way that enabled us to push multiple builds for different product features and create more agency for those teams. From a timeline perspective, we've had it for two years, and our baseline prior to that was very narrow, but it has significantly reduced the time taken for a more complex build with diligence reviews from maybe two or three weeks to almost instantaneously. Of course, the second component to the timeline reduction is that we also don't need to staff someone to conduct those reviews. They are automated through FOSSA.
Its actionable intelligence helps with triage. It doesn't do recommendations, but it highlights those issues so that I and my team can move them on very quickly and ultimately unblock those issues for our engineering teams. It doesn't make recommendations per se, as far as I know.
It contextualizes the specific license that maybe has an issue or that is approved or rejected in a package. It contextualizes that within the package and the other licenses that are in play. So, it allows us to isolate that portion of the package and make a decision if the license was rejected or flagged. It allows us to make the decision on the package to say, "This piece of it, do we need it or do we not?" We can then move forward.
I do find the license solution of FOSSA very holistic in terms of collaboration between the legal teams and DevOps. We don't use the security solution of FOSSA, so I can't speak to that, but I would agree wholeheartedly that it's a very holistic tool for both teams. It has enabled us to build out a process that removes some of the typical pain points between an R&D team and the legal team when it comes to third-party license scanning. One of the pain points is often timing and how long it takes to typically do these reviews manually. FOSSA does them near instantaneously. The second pain point is around isolating issues. I can't even imagine how long a manual review of a package would take, and fortunately, we haven't had to do that manually because FOSSA does that for us. From a relationship standpoint, it has removed some of such pain points between the legal and engineering teams to allow us to work faster and smarter and ultimately push new features and projects to production in a more efficient way.
It 1000% enables us to deploy software at scale. Our engineering teams are constantly working on new builds. They're scaling those builds out and upwards, but the legal team is fixed. So, we leverage technology like FOSSA to be able to scale up our legal operations, meet the engineering teams' needs, and keep track with them without having to bring in an additional FTE to manually do some of the work, which would be required if we didn't have FOSSA. It helps us reduce our costs, and it also reduces the timeline to better support the engineering teams.
It has absolutely decreased the time that our staff spends on troubleshooting. It is difficult to know how much time it has decreased because it has been so long since we've had FOSSA, and it is hard to remember those baselines. If I were to estimate based on the number of projects that we have in play from the engineering teams, it has reduced our demands on the team by probably 80 hours on a quarter by quarter basis, if not more.
Because of being on the legal side, I'm less familiar with its compatibility with the wide range of developer ecosystem tools, but our engineering teams use FOSSA for their builds and for pushing them out to production. So, from my understanding after many conversations with them, FOSSA makes it much easier and more efficient for them to make their builds and then ultimately get to the production phase.
What is most valuable?
FOSSA has a feature that allows you to automate the scanning of licenses. You can do that by setting up different policies that are custom-tailored for your organization, which in my case are legal policies or intellectual property policies. These policies are used to scan the open-source licenses and flag them, approve them, or reject them based on your company's preferences. One of the things that I really love about FOSSA is the way we can take what would manually require probably hundreds of hours of individual review and automate that through this platform.
In terms of ease of use and accuracy of its out-of-the-box policy engine, it is certainly very easy to use. It is also very accurate. There were some things that we custom-tailored based on our risk appetite and our internal policies related to intellectual property. The out-of-the-box policies were great, but we just slightly tailored them for what we needed for our use case. The majority did not need tailoring, and across the board, all of the policies that were out of the box were consistent with the decisions that I would have made in the absence of internal policies that I had to be mindful of.
One of the things that I really like about FOSSA is that it allows you to go very granular. For example, if there's a package that's been flagged because it's subject to a license that may be conflicts with or raises a concern with one of the policies that I've set, then FOSSA enables you to go really granular into that package to see which aspects of the package are subject to which licenses. We can ultimately determine with our engineering teams if we really need this part of the package or not. If it's raising this flag, we can make really actionable decisions at a very micro level to enable the build to keep pushing forward.
What needs improvement?
One thing that can sometimes be difficult with FOSSA is understanding all that it can do. One of the ways that I've been able to unlock some of those more advanced features is through conversations with the absolutely awesome customer success team at FOSSA, but it has been a little bit difficult to find some of that information separately on my own through FAQs and other information channels that FOSSA has.
The improvement is less about the product itself and more about empowering FOSSA customers to know and understand how to unlock its full potential. More training would be helpful. When we first purchased FOSSA, there was no real onboarding that I was a part of. That could just be because FOSSA did an onboarding with someone else on the team, and I inherited that after the fact, but onboarding would be very helpful. Another thing that would be really helpful is building out more documentation for more advanced use cases of FOSSA. One, in particular, would be for the use case where FOSSA can help you really drill down on a specific package and what licenses are flagged or rejected in that package, and how to resolve those within the system. This was something about which I couldn't find documentation on the FOSSA website, and I had to have the CS team walk me through that.
For how long have I used the solution?
I have been using this solution for about two years.
What do I think about the stability of the solution?
It is very stable. We have not experienced any downtime.
What do I think about the scalability of the solution?
It scales very well. One of the things that I love is that the engineering teams have been able to load more and more projects into FOSSA and build out their pipelines. FOSSA also has integrations with Slack, and these integrations enable FOSSA to notify and push notifications on Slack after a scan has been completed and the issues have been identified. That's very helpful from my perspective and from a team's perspective because it creates visibility. It also enables me to not spend all day every day in the FOSSA platform. Instead, I only need to go in when I receive a notification.
In terms of its usage, it is adopted a hundred percent in our company. In terms of users, there are two people from the legal team who use FOSSA. Largely, the entire engineering org uses FOSSA in one way or another, and its users range from the Chief Technology Officer, who oversees the engineering team, to director-level people in the engineering team. One in particular who uses FOSSA a lot and with whom I partner is the director of platform and security at my organization. There are others as well, such as individual engineers, engineering managers, and our security manager.
How are customer service and technical support?
When I couldn't find the answer to a question that I had, I was able to turn to our customer success manager who then was able to connect me. We jumped on a Zoom call with probably one of their platform engineers. Three of us were then able to recreate the issue and work through it together. On top of that, they were able to help me anticipate future issues on that point and how to navigate them. It was a near-term troubleshooting solution and a long-term way to work more efficiently. They're responsive and knowledgeable.
Which solution did I use previously and why did I switch?
We didn't use any solution previously.
How was the initial setup?
I don't know if its initial setup was complex or straightforward. I was a part of the initial setup, but I wasn't the primary owner of the initial setup. I was a stakeholder who was consulted and ultimately would become the primary owner, but I wasn't a part of the actual setup piece. Eventually, the setup was transitioned over to me where I took full ownership.
I don't have a whole lot of visibility on the number of hours per se, but I remember from the time of purchase to the time we stood it up, it was relatively quick and brief.
What was our ROI?
FOSSA is well worth the investment. It is an opportunity to scale your operations, especially for a legal team to maintain pace with your technical teams, especially your engineering teams, in a cost-efficient way. Instead of using a platform like FOSSA, the alternative might be to hire one or two FTEs where their full-time role is to manually scan the open-source licenses. If you were to do that, you have an additional cost, additional overhead, and additional risk. With something like FOSSA, you have something that's easily auditable, easy to roll out of the box, and easy to scale. It's a no-brainer.
The auditability is critical. There have been a handful of conversations that I've had with Enterprise customers at my company where they've requested reports related to open-source compliance and dependencies. If you were to pull this data manually, it would probably take months to track down the data, verify it, and generate the report for a single build, whereas FOSSA does that almost instantaneously through the platform. It produces an auditable record that you can then share with customers and investors as you're going through a diligence exercise.
What's my experience with pricing, setup cost, and licensing?
Its price is reasonable as compared to the market. It is competitively priced in comparison to other similar solutions on the market.
It is also quite affordable in terms of the value that it delivers as compared to its alternative of hiring a team.
Which other solutions did I evaluate?
We did explore and had demos of other solutions. One of the solutions was WhiteSource. I wasn't involved in the ultimate decision-making process. I was, sort of, consulted, but I was not ultimately involved. I think it came down to the platform itself in terms of usability and the support for our use cases. That was the tipping point.
What other advice do I have?
I would rate FOSSA a nine out of 10 in terms of efficiency, scaling, and speed. I would rate it a 10 if the documentation to really get into advanced features was more widely available.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Attorney at a legal firm with 11-50 employees
The data provided makes it really easy and effective to determine the source of the license or security concern
Pros and Cons
- "The most valuable feature is definitely the ease and speed of integrating into build pipelines, like a Jenkins pipeline or something along those lines. The ease of a new development team coming on board and integrating FOSSA with a new project, or even an existing project, can be done so quickly that it's invaluable and it's easy to ask the developers to use a tool like this. Those developers greatly value the very quick feedback they get on any licensing or security vulnerability issues."
- "We have seen some inaccuracies or incompleteness with the distribution acknowledgments for an application, so there's certainly some room for improvement there. Another big feature that's missing that should be introduced is snippet matching, meaning, not just matching an entire component, but matching a snippet of code that had been for another project and put in different files that one of our developers may have created."
What is our primary use case?
Our use cases are for handling incoming open-source software for high speed or agile development that our teams are doing. We also use it for looking at security vulnerabilities in real-time as they're doing their daily builds. It helps to compile distribution acknowledgments or the open-source acknowledgments that need to go out with any distributions.
How has it helped my organization?
Although it's a little too early for any metrics or data, it has improved my organization through its ability to apply legal and security policies in an automated fashion to a very large volume of open-source components. All of its associate transitive dependencies are invaluable and alleviate so many legal resources to work on higher risk or higher-profile issues that need guidance.
FOSSA absolutely provides contextualized actionable intelligence that alerts us to compliance issues.
The user interface is incredibly straightforward and the communication that's provided to the developers or the project managers and legal team is clear and concise and allows either an attorney, a developer or a manager to take a look at their project and see where the security vulnerability and licensing issues come from. You can quickly identify the source of those issues, verify whether or not that is an accurate determination by the tool, and then either as a manager or attorney, provide feedback to that team on how to remediate the concern.
It helps with triage and remediation. The data provided makes it really easy and effective to determine the source of the license or security concern. And because it's easy to identify where that's coming from, it makes it very straightforward to provide remediation guidance to the development team.
What is most valuable?
The most valuable feature is definitely the ease and speed of integrating into build pipelines, like a Jenkins pipeline or something along those lines. The ease of a new development team coming on board and integrating FOSSA with a new project, or even an existing project, can be done so quickly that it's invaluable and it's easy to ask the developers to use a tool like this. Those developers greatly value the very quick feedback they get on any licensing or security vulnerability issues.
The out-of-the-box legal policies are very good but I think that they lack thoroughness of some of the unclassified licenses. The accuracy was good, I don't think I had to make any major changes. I would only have to make changes if I were a risk-averse or an incredibly risk-tolerant company. But if you're middle of the road, the out-of-the-box legal policies are pretty acceptable. It probably just needs to classify more of the unclassified licenses in one of the three categories for disposition to get a better starting point for new companies adopting the out-of-the-box policies.
We use the security vulnerability management features. I give the developers a heads up that there might be some published vulnerabilities that they might be unaware of. It's good because it gives them really quick feedback, so if they're doing a nightly build they'd get feedback the next day, or if they're building it right away they might get near-immediate feedback. But we don't have any enforced policies regarding security vulnerabilities, especially for internal or hosted applications.
The background and information these features provide on security workflows is just integration to the national vulnerability database, so it's limited to the data that's contained in the NVD, which of course is standard industry-accepted vulnerability data. There's definitely room for growth there and actually doing analysis of the proprietary code, but looking at the NVD information as a baseline is certainly useful.
In terms of the compatibility with a wide range of developer ecosystem tools, the interoperability with different developer ecosystems is excellent, and that's actually one of the reasons we chose FOSSA as our enterprise solution. Even if they didn't have out-of-the-box compatibility with a certain build environment or a build pipeline, they were able to get it working with one of them or any of the new environments very quickly. It definitely has industry-leading interoperability for different build environments, which is really valuable to us.
This affects our open-source management operations by allowing for a much greater deal of efficiency. As part of the legal team, having to look at an incredibly large volume of open-source components coming into the company, it was immensely time-consuming and it took away attorney's resources from more mission-critical or more complex responsibilities, such as embedded software or any software being distributed outside of the company. Having it as a resource to very quickly triage incredibly high volumes of open-source coming into the company through agile development programs was invaluable.
It is holistic and helps us work with both legal teams and DevOps. It's a great way to help legal and development teams work together by automating a lot of the guidance that gets provided in the more straightforward scenarios like internal development or projects that aren't externally distributed. It's a great resource for having a centralized place for all of the outstanding issues to provide automated, legal, and security guidance to those development teams.
My team is purely legal, but I would say that there's definitely a lot less person power required to address any license concerns as the majority of license questions are resolved in an automated fashion by us populating the license policies in the tool as completely as possible. So the more completely we populate those license policies, the more of that work is offloaded to the tool from my legal team, which is excellent for making more available time where it's more valuably used.
It has decreased the time our staff spends on troubleshooting by 10 to 20 hours per week where an attorney could have that time then reallocated to something more important.
What needs improvement?
We have seen some inaccuracies or incompleteness with the distribution acknowledgments for an application, so there's certainly some room for improvement there. Another big feature that's missing that should be introduced is snippet matching, meaning, not just matching an entire component, but matching a snippet of code that had been for another project and put in different files that one of our developers may have created. A snippet matching is important as well and something that should be included soon. Those are the two big improvements that should be implemented.
For how long have I used the solution?
I have been using FOSSA for just under a year.
What do I think about the stability of the solution?
So far there have not been stability issues, so the stability is very good.
What do I think about the scalability of the solution?
It's definitely scalable although there's definitely some room for improvement when it comes to supporting an enterprise with thousands or tens of thousands of projects. There's a lot of room for improvement developing a bit more detail in groups and teams and being able to filter the projects that have been scanned on the home landing page. But it definitely supports a very large number of teams and projects.
There is a wide range of users who use this solution, including developers, attorneys, security experts, project managers, and just general managers who all have access and look at some of the outputs of the tool.
We're still somewhat early in the rollout being just under a year for being a very large enterprise so the number of projects we've used it for is in the range of a few hundred. For our company, the expected number of projects will be well in excess of probably 10,000 maybe even 20,000.
We definitely intend to increase usage. The adoption rate across the company is 5%.
How are customer service and technical support?
The support has always been excellent. They communicate in many different ways, be it Slack, email, or on the phone, and they're always able to help us.
How was the initial setup?
The setup process was very straightforward. It was mostly the complexities of our own internal enterprise software policies and data privacy policies that made the implementation a little bit more challenging, but in no way was that FOSSA's responsibility or fault. That were our own internal policies that were relatively strict. But otherwise, I found the deployment in a containerized environment be very fast. It took around one to two months.
We had a three-phase approach for rolling out FOSSA inside of the company. The first one was to bring on the team that was helping us early on throughout the proof of concept stage with FOSSA and some other competitors. Because they were already familiar with it, it was easy to bring them onboard into our newly provisioned FOSSA environment. They already knew what they were familiar with and could provide us immediate feedback if something didn't seem to be working properly. They were development teams at the company that had been doing some POC work with us with FOSSA.
Then phase two was bringing on leaders around the company in different development languages. They may not have been familiar with FOSSA, but they were very competent developers in their respective languages and environments. Bringing them on was phase two. And then phase three was the larger enterprise rollout where anyone who wanted to leverage the tool was welcome.
What was our ROI?
It's still too early to tell for ROI.
What's my experience with pricing, setup cost, and licensing?
Pricing is competitive with some of the other bigger companies, but probably overall middle of the road.
We haven't encountered additional costs.
Which other solutions did I evaluate?
We also evaluated Black Duck as well as Flexera. The biggest pros for FOSSA was the interoperability with different development environments. Being able to support a very wide range of development environments, including older ones, was very important to us as a very large enterprise. We have an incredibly diverse range of build environments, build pipelines, development environments, IEs, all of those things, so having something that supports nearly everything that we had internally was incredibly important. It was also a cheaper alternative. Not cheap necessarily, but it is a more affordable alternative to some of the other solutions out there.
What other advice do I have?
With the rapid growth of the consumption of open-source in development, it was no longer feasible for attorneys to manually review every incoming component on an individual case by case basis. Having a tool to automate the review, both from a legal, but also a security perspective, and provide near-immediate feedback to the developer was critical to have.
My advice would be that if you have a very large volume of open-source that you can apply clear and consistent policies to or you currently do that in a manual process, that something like this is absolutely worth every dollar to be able to keep your teams moving quickly and efficiently. Implementing something like this is definitely worthwhile if someone is on the fence with respect to spending the money to look at the open-source components, both from a license and security perspective in a fast and efficient manner.
The biggest lesson I learned from this solution is that there's a much larger volume of open-source components that might be in your environment that you may not be aware of given the comprehensiveness of FOSSA's scanning of both top-level components and transitive dependencies. You'll learn that there's an incredibly large number of components in your applications.
I would rate it an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Private
Reduces the duration and the effort for identifying open-source licensing issues
Pros and Cons
- "Policies and identification of open-source licensing issues are the most valuable features. It reduces the time needed to identify open-source software licensing issues."
- "For open-source management, FOSSA's out-of-the-box policy engine is easy to use, but the list of licenses is not as complete as we would like it to be. They should add more open-source licenses to the selection."
What is our primary use case?
We are using it to identify licensing issues in open-source software. It is a SaaS offering.
I am an attorney. So, I don't use the front end of the product. I don't manage, model, or measure it.
How has it helped my organization?
It reduced the duration and the effort required to identify open-source licensing issues.
It provides contextualized and actionable intelligence that alerts us to licensing issues. I work with licensing issue alerts, and I receive an email that directs me back to the licensing issue in FOSSA.
It provides help to triage or remediate a licensing issue. It identifies the licensing issue and the software involved.
What is most valuable?
Policies and identification of open-source licensing issues are the most valuable features. It reduces the time needed to identify open-source software licensing issues.
It is holistic in terms of collaboration between the legal teams and DevOps. I'm legal, and I work with DevOps. It identifies licensing issues in DevOps projects that legal can review.
What needs improvement?
For open-source management, FOSSA's out-of-the-box policy engine is easy to use, but the list of licenses is not as complete as we would like it to be. They should add more open-source licenses to the selection.
They should also reduce the number of false-positive identifications.
For how long have I used the solution?
I have been using this solution for one year.
What do I think about the stability of the solution?
It seems stable. It is there when I go to access it.
What do I think about the scalability of the solution?
It meets the needs of our organization. I'm an attorney, and I know that developers use it, but I don't know how many developers use it.
How are customer service and technical support?
I have used their technical support, and they've resolved any issues that I've identified. They do a good job.
Which solution did I use previously and why did I switch?
We used a different solution. The decision to switch was made before I arrived.
What other advice do I have?
The marketing material that they have is adequate for explaining the product.
We are not using FOSSA for security or vulnerability management.
I would rate FOSSA an eight out of 10. It works.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Principal Release Engineer at Puppet
Does a good job showing us if we're using open source licenses that conflict with our closed source components
Pros and Cons
- "What I really need from FOSSA, and it does a really good job of this, is to flag me when there are particular open source licenses that cause me or our legal department concern. It points out where a particular issue is, where it comes from, and the chain that brought it in, which is the most important part to me."
- "I would like the FOSSA API to be broader. I would like not to have to interact with the GUI at all, to do the work that I want to do. I would like them to do API-first development, rather than a focus on the GUI."
What is our primary use case?
Our major use case is to do open source license compliance. Puppet Enterprise consists of about 90 open source packages under constant development. And it also has some components which are not open source. When we release Puppet Enterprise, we have to make sure that anything that we're relying on is something that we are allowed to use, in an open source sense.
It does do security scanning, which is something that we're interested in and want to do, but we've only been using FOSSA casually for that.
I am the only person really running the FOSSA jobs. I have a FOSSA job that runs daily, that scans all of our important repositories and reports back to me and the release engineering team about what it found. When we go to do a release, we run a report from FOSSA which contains all of the open source licenses in our product and we do a rescan of that to make sure that there aren't any flagged licenses inside of our product. That's our use case.
None of the actual engineers are worried about it. Only when something gets flagged do I contact them and say, "Hey, this license isn't working for us, so we need to find something else."
FOSSA is a cloud project and it contains a CLI component that's open source.
How has it helped my organization?
What we don't want to do is publish our closed source stuff under GPLv3, so we need to make sure we're not using any GPLv3 inside of our product. FOSSA does a good job of showing us if we're using licenses from the open source world that conflict with our needs for our closed source components.
Prior to a Puppet Enterprise release, it would take approximately two to three weeks of dedicated engineering time by a single release engineer to go through license compliance. We just did a release in late July or early August, and with FOSSA our license compliance review took five to ten minutes. That is an enormous difference. It has helped to decrease the time that we spend on troubleshooting by huge amounts.
What I really need from FOSSA—and it does a really good job of this—is to flag me when there are particular open source licenses that cause me or our legal department concern. It points out where a particular issue is, where it comes from, and the chain that brought it in, which is the most important part to me. Because there's a chain of dependencies, it's hard to find fourth- and fifth-level dependencies inside that chain, and FOSSA does a really good job finding that stuff and reporting how it got there.
That intelligence provides help with triage and remediation, in a sense. That is, the triage and the remediation on this stuff is to just not use that stuff. With the licensing it just says, "Hey, there's a license here that you might be concerned with." And from there, the remediation is to not use that particular package.
What is most valuable?
The most valuable part is the open source license compliance.
The solution’s out-of-the-box policy engine's ease of use is very high. It works extremely well. That's easy to quantify. Its accuracy seems really good, but I have not diligently measured it. When we have checked what it is doing, it has all come out great. We're extremely happy with the results, but I can't say that it is an accurate product.
The solution’s compatibility with developer ecosystem tools is pretty good. There is some stuff within the C++ world that we haven't been able to get it to work very well with, but that's a really small amount of what we do. Most of our stuff is in Clojure and in Ruby and all the things that we want FOSSA to do there are great. It's not like we have a wide scope of developers who are using it. I'm effectively the only person actually using FOSSA. I just gather up all the information and all the repos from all the other parts of the company and run scans on them daily. I'm the major customer here.
What needs improvement?
I would like the FOSSA API to be broader. I would like not to have to interact with the GUI at all, to do the work that I want to do. I would like them to do API-first development, rather than a focus on the GUI.
There were also some reporting things that I thought could be better. I talked to FOSSA about this. A lot of times when they were reporting, their labels did not match. Classically, there hadn't been a way to get well labeled output. It was just in HTML or PDF or CSV. They put out a JSON version of things that is certainly helpful. So that part's fine.
For how long have I used the solution?
I have been using FOSSA for about eight months.
What do I think about the stability of the solution?
Any stability issues I have found were from things I did. I've had some chats with FOSSA about it, and we've talked about what could be some gray areas between me and them, but I haven't had time to investigate. So I'm not going to blame FOSSA for any stability issues at the moment. I think most of them have been on me, and there haven't been that many.
What I've got at the moment are some scans that slap on a fairly regular basis and I don't know why yet. It looks like it's something to do with the way that I'm doing scans rather than anything that is on the FOSSA side.
What do I think about the scalability of the solution?
I haven't measured the scalability. It just does its thing. I don't think I'm taxing it in the least bit. But I haven't seen any limitations at all on the Fossa side. None.
It's doing the one task that we bought it for, and it's doing it quite well. I would like to expand the use into the vulnerability scanning part, but that's not my department. But it is doing precisely the job that I want it to do and I'm quite happy with it. I don't plan on changing much with it right now.
How are customer service and technical support?
My experience with their technical support has really been quite good. There have been times where things have languished in the support queue for a little while before they got to them, but that's been the outlying stuff, most of the time. I've had direct access both to my account rep and to the engineering folks there, and we've had some really good conversations over time. So I'm really pleased.
Which solution did I use previously and why did I switch?
Prior to using FOSSA, we didn't have any other tool in place for license scanning. We came to the realization that we needed a tool like this for open source management because none of the engineers who had to do the two weeks of manual license review work wanted to be doing it. We all hated it. So if there was a tool to take care of it, we were all saying, "Yes, let's get that."
How was the initial setup?
The initial setup was extremely straightforward: sign in to the GUI and download the CLI. I did have to write some shell scripts to do the daily scan, but that was on me. I just wanted to do it my way.
From licensing it until bringing it into production on a day-to-day basis, it took about a day and a half. I got reviews of it by other engineers, but I was the one who was doing it.
What was our ROI?
I haven't done any calculations. I'm just glad that I have a tool to replace a bunch of manual drudgery.
Which other solutions did I evaluate?
For vulnerability scanning we're using JFrog Xray. We're using both FOSSA and JFrog Xray at the moment, and most of our production folks are relying on Xray.
Xray and FOSSA, in vulnerability scanning, approach the problem in two very different ways. We have some inertia over JFrog at the moment. People who have looked at the solutions, within our company, like both for different reasons.
What other advice do I have?
There is a temptation to try to insert FOSSA into continuous integration. That was certainly my temptation. To me, that is more work than it ought to be. Sequestering FOSSA into its own job worked out better than trying to insert it into continuous integration. It does not need to be run into a continuous integration. It's not something you need on every commit. That would be an overuse of the tool. Being able to do it as a side project keeps unnecessary failures from happening and it keeps a lot of other things, like unnecessary noise, from happening.
However, that's my use case for my particular setup. I can imagine other use cases where having it inside continuous integration would be useful. But for my use case, while that was my first temptation, that was an incorrect approach. Having it as a side job that stands on a schedule, rather than part of the continuous integration, was much more successful.
In terms of FOSSA's security and vulnerability management features, I am familiar with them. Our security team uses other tools for those needs at the moment. They've been stuck on them and it has mostly been inertia that has stopped us from changing to or adopting FOSSA more widely. In my opinion, there are some use cases inside of FOSSA, for the security aspect, which are better than our tools. But it is up to the security team to decide if they want to do it. There's been some poking at it over the months, but no serious migration, as of yet. Those parts of FOSSA could be used by us in future, but not at the moment.
As for the background and information the solution’s security/vulnerability management features provide on security workflows, it's basically CVE scanning, often before the CVEs get published. So whenever there is a security alert of some sort, it will publish whatever is known based upon all the ongoing, conflicting databases of security scans. It's a helpful "Hey, this bit of software that you're using is known to contain these particular vulnerabilities."
The reporting on security and vulnerabilities is pretty good. As I said, I've only used it casually, so I can't really say anything of great value. I haven't looked at it for a while. But I found the reporting, like all their reporting, to be quite clear, understandable, and straightforward. But my exposure to it isn't enough that I can't be more than vague.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Application Security Specialist at a computer software company with 10,001+ employees
Gets us a list of all licenses for compliance and easy to use with a wide range of developer tools
Pros and Cons
- "Being able to know the licenses of the libraries is most valuable because we sell products, and we need to provide to the customers the licenses that we are using."
- "On the dashboard, there should be an option to increase the column width so that we can see the complete name of the GitHub repository. Currently, on the dashboard, we see the list of projects, but to see the complete name, you have to hover your mouse over an item, which is annoying."
What is our primary use case?
I am on the security side, and I help developers in implementing this solution. We use this solution to know the licenses of the libraries for the legal part.
In terms of deployment, I go to the website, so it is a SaaS version.
How has it helped my organization?
When we sell products to the customer, we need to give them a file with different licenses. FOSSA enables us to do that. It is useful for licensing compliance.
FOSSA provides contextualized and actionable intelligence that alerts you to compliance issues. I do receive alerts, but I am not the one who is managing this part.
What is most valuable?
Being able to know the licenses of the libraries is most valuable because we sell products, and we need to provide to the customers the licenses that we are using.
It is easy to use with a wide range of developer ecosystem tools, and I would rate it a 10 out of 10 from this perspective.
It is holistic in terms of collaboration between the legal teams and DevOps. As a security specialist, I'm just helping developers to set up their repositories. It is the legal team that takes a case up with the Dev team.
What needs improvement?
On the dashboard, there should be an option to increase the column width so that we can see the complete name of the GitHub repository. Currently, on the dashboard, we see the list of projects, but to see the complete name, you have to hover your mouse over an item, which is annoying.
We can rename a GitHub report, but the problem is that if legal changes the name and says, "Okay, this repository is part of the solution with a specific name," I lose the specific URL of the GitHub repository. I no longer know which one it is. They should make this information available.
For how long have I used the solution?
I have been using FOSSA for one year.
What do I think about the stability of the solution?
It looks great to me in terms of stability.
What do I think about the scalability of the solution?
Currently, only four people are directly using FOSSA in the browser. Its users include the legal team and me. I'm helping developers with the setup, but they are not directly using FOSSA in the browser.
Its usage is 100% for the applications with which we are using it.
How are customer service and technical support?
Their support is great. I would rate them a 10 out of 10. Generally, I talk to my customer success contact. He is really responsive, and he always finds a solution. He is also always available for our call.
Which solution did I use previously and why did I switch?
We were using another solution. We switched because FOSSA was easier to set up. It was also the right one for the licenses for the libraries.
How was the initial setup?
I was involved in the initial setup of FOSSA, and it was straightforward. It was really easy to set up, and our customer success contact was really helpful. For all the projects, it took two months.
In terms of the deployment strategy, we start with some projects, and when we know that we want to sign up with FOSSA, we evaluate it for other projects.
What about the implementation team?
I did it myself. In terms of maintenance, it doesn't require any maintenance from our side.
Which other solutions did I evaluate?
We didn't evaluate other solutions. This was the only one because my legal team colleagues wanted to try it.
What other advice do I have?
It was easy to set up. You can easily set it up by looking at the documentation.
I would rate FOSSA a 10 out of 10.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free FOSSA Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Software Composition Analysis (SCA)Popular Comparisons
Veracode
GitLab
Snyk
Black Duck
Mend.io
Sonatype Lifecycle
JFrog Xray
Checkmarx Software Composition Analysis
FlexNet Code Insight
Buyer's Guide
Download our free FOSSA Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What tools do you rely on for building a DevSecOps pipeline?
- What alternatives are there for Fortify WebInspect and Fortify SCA?
- What is the best way to track open-source license compatibility?
- Why is Software Composition Analysis (SCA) important for companies?
- Differences between Black Duck & Veracode
- What SCA solution do you recommend?
- Is there an SCA solution that finds and fixes vulnerabilities?
- Can I get SCA in my IDE?
- How long does SCA scanning take?
- When evaluating Software Composition Analysis, what aspect do you think is the most important to look for?