Every modern enterprise shares a common story with open source: alert fatigue.
In a large-scale team, thousands of new third-party components are added and removed every day by developers, automated build processes and more. Each one of these components can bring in dozens of licensing, quality or security alerts that quickly overwhelm users.
The effectiveness of an open source team is predicated on how well they can prioritize and manage these signals to improve the quality of software.
Previously, the only approach to ensuring high triage performance was to hire senior talent to process, manage and assign the issue pipeline. Today at FOSSA, we’re launching a new set of tools to help all of our enterprise customers manage large-scale alerts.
Global Issues Dashboard
The first piece of this feature is a dashboard that provides tools for managing issue alerts and component data across a large organization:
- An aggregated feed of all components that are currently flagged across your repositories
- An auto-prioritized inbox that groups similar issues into “threads” to be triaged and resolved together
- Detailed reports on components, advisories, relationships and relevant data for triage
- Inline tools to add custom component data when resolving issues
With all of these features packed into a single workflow, users can tackle alerts, software quality and component inventory across their entire organization at once.
Intelligent Issue Confirmation
When looking at an alert, one of the most expensive parts of the triage process is answering the golden question:
“Is this alert real?”
Unfortunately, this task is deceptively hard. Build systems are complicated, and open source components can be included or related to your software in a mind-boggling number of ways. Simply confirming an alert can require digging into code, terminals and build logs — quickly adding up to be the most tedious part of the triage process.
Applying filters to these alerts is dangerous — no matter what parameters you choose, you will inevitably hide critical alerts. However, without finely-tuned filters, tools spit out meaningless noise.
FOSSA’s approach is to avoid a hard reliance on automated filters. Instead, we make it easy for users to filter and confirm alerts through data and advanced visual aids.
When viewing an issue thread, FOSSA generates a report that describes the relationship between the issue and its affected applications:
Based on how FOSSA discovered the issue, component or code, we have all sorts of unique metadata that informs both the inbox’s sort key and the user’s judgment of how likely triaging this issue is to yield value.
With this approach, we can effectively automate the most expensive part of the triage process while still fully expressing alerts that matter.
Read more about confirmation levels on our docs.
Automated Triage Value
Beyond the confirmation of an issue, there are plenty of parameters that signal the importance of an alert. Surprisingly, the important signals we care about at FOSSA are often unrelated to criticality.
Great teams can quickly prioritize which alerts to tackle first, but that is often drawn from years of experience in “getting stuff done”. While alerts are triggered by quantitative criteria, the factors that humans use to prioritize are very qualitative.
Historically, senior talent was required to filter and prioritize the alerts that came from tooling. Without them, the difference in triage performance between junior and senior teams can exceed 3x.
At FOSSA, we try to make it easy for anyone to prioritize. We tackle the triage performance problem in 3 ways:
- Automatic signal detection
  When we analyze code, we collect data — a lot of it. After analyzing millions of components and thousands of customer codebases, we’ve discovered valuable new parameters that can help your team prioritize. These range from how widely a component is used in your organization to its risk exposure given your risk profile to how easy the issue is to fix. We roll all of our “signals” into a single metric called Triage Value.
- Prefer sorting over filtering
  With a meaningful understanding of Triage Value, we have a global priority score to sort against for every alert at your organization. That way, we can avoid false negatives by preferring sorting over filtering. In addition, users can tune sort preferences by previewing how the entire alert list is affected.
- Make it easy on humans
  No automated system will ever be perfect, and a human will always be needed to have the final say in legal decisions. Instead of trying to build more esoteric “automated alert magic”, we invest heavily in UI, data and reporting features to make life easier for humans.
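The two ideas above (rolling several signals into one score, then sorting rather than filtering) can be shown with a small added example; this is illustrative code written for this post, not FOSSA's implementation, and the signal weights, field names and sample alerts are all constructed assumptions.

```python
"""Constructed illustration (not FOSSA's code): combine triage signals into one
priority score and show why sorting by it keeps alerts a severity filter would hide."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    component: str
    severity: float       # 0-10: the quantitative criterion that triggered the alert
    repos_affected: int   # how widely the component is used across the organization
    exposure: float       # 0-1: weight derived from the organization's risk profile
    fix_ease: float       # 0-1: how easy the issue is to fix (e.g. a patched version exists)

# Assumed weights; a real system would tune these against triage outcomes.
WEIGHTS = {"severity": 0.30, "reach": 0.30, "exposure": 0.25, "fix_ease": 0.15}
ORG_REPOS = 200  # constructed organization size used to normalize reach

def triage_value(a: Alert, org_repos: int = ORG_REPOS) -> float:
    """Roll the normalized signals into a single score in [0, 1]."""
    reach = min(a.repos_affected / org_repos, 1.0)
    score = (WEIGHTS["severity"] * a.severity / 10
             + WEIGHTS["reach"] * reach
             + WEIGHTS["exposure"] * a.exposure
             + WEIGHTS["fix_ease"] * a.fix_ease)
    return round(score, 4)

def filtered_inbox(alerts, min_severity: float):
    """Threshold filter: anything below the cutoff vanishes, producing false negatives."""
    return [a.component for a in alerts if a.severity >= min_severity]

def sorted_inbox(alerts, org_repos: int = ORG_REPOS):
    """Sort by Triage Value: nothing is hidden, the list is only reordered."""
    ranked = sorted(alerts, key=lambda a: triage_value(a, org_repos), reverse=True)
    return [a.component for a in ranked]

# Constructed sample alerts; names are placeholders, not real components.
SAMPLE = [
    Alert("widget-utils", severity=5.0, repos_affected=180, exposure=0.9, fix_ease=0.8),
    Alert("legacy-parser", severity=9.8, repos_affected=3, exposure=0.4, fix_ease=0.9),
    Alert("tiny-helper", severity=3.0, repos_affected=2, exposure=0.1, fix_ease=1.0),
]

if __name__ == "__main__":
    # A severity >= 7 filter drops widget-utils, which is used in 90% of repos;
    # sorting by Triage Value puts it first instead.
    print("filtered:", filtered_inbox(SAMPLE, 7.0))
    print("sorted:  ", sorted_inbox(SAMPLE))
```

The medium-severity, widely used component ranks first under Triage Value but disappears entirely under a severity threshold, which is the false negative the sort-over-filter approach is meant to avoid.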
Finally, the Issue Dashboard gives our team a surface to automate how alerts are routed, organized and represented in your inbox — over time, our inbox will continually get smarter as we gather more data from the thousands of teams that use FOSSA.
We encourage you to give this feature a shot, and we’d love to hear your feedback. Contact your account manager and check out our documentation to get started.
Stay in touch with us on Twitter.
P.S. We’re hiring for software engineers and customer success people in San Francisco! If you care about great tooling for enterprises and developers, visit our careers page: http://fossa.io/careers