Securing the Software Supply Chain with HeroDevs

Open source is a bedrock of modern enterprise software, but the level of support behind individual components varies enormously. The ecosystem lacks the right incentives, which leads to end-of-life security issues that many organizations aren’t ready to address. When community support for open-source components dries up over time, what is your recourse?

In this episode, Aaron Frost, founder and CEO, HeroDevs, discusses how HeroDevs is addressing this problem by providing secure, drop-in replacements to give enterprises the time they need to safely transition to supported software. Aaron is joined by our panelists, DJ Schleen, head of security, Boats Group, and Russ Ayres, deputy CISO & head of cyber, Equifax.

Huge thanks to our sponsor, HeroDevs

Outdated software puts your security at risk. HeroDevs‘ Never-Ending Support ensures your legacy systems stay secure, compliant, and functional. Proactively protect against vulnerabilities in unsupported frameworks like Spring or AngularJS. Don’t let end-of-life open-source software be your weak link—secure your stack today with HeroDevs.

Full Transcript

[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.

[Rich Stroffolino] Welcome to Security You Should Know, the show that connects security solutions with security leaders. Today, we’re talking about HeroDevs and what they are doing in software supply chain security. The problem they’re addressing is a classic one, end-of-life open-source software. Helping us get answers to these questions are AppSec legend, DJ Schleen, and Russ Ayres, deputy CISO and head of cyber at Equifax.

So, let’s get started with this problem here. You know, open source is a mainstay of modern IT. So, Russ, why is support for end-of-life open-source software still a problem?

[Russ Ayres] You would think that we’ve progressed in trying to get as many of the vulnerabilities that are available on the market reduced as quickly as possible, given all the success that we’ve had of zero days and the rest. The reality is some of these open-source packages are maintained by a group of people and they may not be paid to maintain it.

And so, it sort of falls into disrepair, or a new technology’s invented. There could be a hundred reasons why it falls into that state. But since the basic premise is that it’s not monetized, nobody really has an incentive to keep that going. And so, I see this on a daily basis in my space. You’ve been using something for several months, several years, [Laughter] in some cases, decades.

And when it falls out of end of service, there’s not really a recourse. You don’t have the options available to you that you would in a traditional software sense.

[Rich Stroffolino] And DJ, let me throw this to you. Why is this still a problem?

[DJ Schleen] I 100% agree with Russ. It shouldn’t be, but unfortunately it is. And I think we’re in this place in the industry where we’re developing software, we’re utilizing open-source components, most of our software that we build is created from applications and code that wasn’t built by our teams, built by somebody else.

So, as soon as we get into that kind of relationship as a business, we’re really leaning on that community to support these packages for us. And if they’re not there anymore, if they’re not responsive, if there’s no security vulnerabilities fixed, that risk gets passed on to us as developers of software.

[Rich Stroffolino] All right. Well, today we’re going to be talking to Aaron Frost, founder and CEO at HeroDevs, and we’re going to start out to get some answers with three essential questions. We’re going to get these preliminaries. So, Aaron, how do I explain the value of HeroDevs to my CEO? What does your solution do and what does it not do?

And what is the pricing model?

[Aaron Frost] Yeah, so a lot of the listeners, they’ll have a giant project that their company’s built for the last 10, 15 years, and it works amazingly, 75-plus percent of that project is open-source components. Now, when those reach end-of-life, you’re expected to migrate away and stop your full roadmap in order to migrate away.

HeroDevs allows you to stay on these older versions of open source, and we ship you drop-in replacements for those older versions, and we keep them secure. We do not add new features. We do not make them smaller or faster. We keep them secure, and we keep them running where they run today, allowing you the time you need to eventually migrate to the solution that allows you to continue forward for another 10 or 15 years.

That is what we do. We price per project. We price per developer on that project. And then how many pieces of open source are you using that have reached end-of-life is another consideration we look at. That’s essentially the value prop.

[Rich Stroffolino] All right. Well, thank you for giving us those preliminaries, giving us a little snapshot of what you guys are doing. So, CISOs, we’ve gotten a taste of this solution, but I’m sure you have a lot of questions. So, DJ, I’m going to start with you. What other questions do you have about HeroDevs?

[DJ Schleen] I would love to hear how, from a developer perspective – you know, we got the business value defined – how easy is it for a company to come and say, “Hey, we’re going to start using your packages to continue on with these other packages that are no longer supported”? How easy is it to make that migration?

[Aaron Frost] Yeah, so it’s about a five-minute crossover once you’ve signed up. You configure your system so that, next time you do an install of these dependencies, you’re installing the versions that we ship you instead of the versions that are available on Maven or NPM or NuGet or whatever landscape that you’re shipping code from.

[Rich Stroffolino] All right, and Russ, what questions do you have for HeroDevs?

[Russ Ayres] Yeah, so you’re finding a list of vulnerabilities. How do you identify those vulnerabilities? How do you scope these to common problems that you see in other packages or reproduce things that you see in other packages, you know, identify zero days? Any of the methods that you go through to determine those would be interesting to me.

[Aaron Frost] Yeah, we actually have got a huge proprietary toolchain that we use for this. A lot of what we get comes from our over 800 existing customers. They’re doing their own scans and their own research. So, we take what they report to us, we reproduce it, and then we fix it, ship it, and report to CVE subsequently.

We also have some ethical hacker programs we run through the communities that we work in, but also with like HackerOne, you may have seen us on HackerOne, trying to encourage ethical hacking to keep these end-of-life versions secure. Another thing that just happens, and it’s not my favorite part of open source is, open-source teams will not report new CVEs in older, unsupported versions, even though they are affected.

So, a lot of what we do is we watch the current main trunks of those projects. We look for CVEs in the currently supported versions, and then we test to see if they also affect the old end-of-life versions. And if that’s the case, we then cherry-pick those fixes back and we patch our version, ship it to our customers, and then we work to get the CVEs updated.

So, there’s actually more that goes into it than that, there’s some AI play, but that’s essentially how we do this.

[DJ Schleen] So, what kind of feedback loops do developers have when they’re building or releasing software? Is there a component that integrates with the release process where we can see, okay, these vulnerabilities have been fixed based on the vulnerabilities that are found that we know about versus what we’re patching?

There’s a zero day that comes out. We’re looking for Log4j, for example, just taking the library out of the air. How do I know as a company who’s using HeroDevs that I’m protected, that I don’t have to worry about creating an incident or a security event, looking for things, that I know things are patched?

Is there some kind of information that comes back that way?

[Aaron Frost] Yeah, so once you set your project up to install our drop-in replacements, from then on forward, anytime we ship an update, your project will download that next time you set it up on your system. So, next time you do a pull request or release to production, you’ll get our latest version as secure.

So, it’s really pretty seamless. There’s a lot of communication going on on our side to let everyone know, “Hey, we’re shipping to you an update, and we haven’t reported this CVE officially yet. So, I don’t know if it’s a critical or a low. I can give you my estimate. But generally, we’re shipping you the update before the CVE even exists.

So, you’re getting ample time to get it in place and shipped to prod before the CVE gets even reported out to the world. So, that’s one of the advantages is we’re keeping you secure before the CVE generally is being announced. So, just typically a pretty seamless integration, DJ, once you set up that initial method to install our dependencies.

[DJ Schleen] So, you’re getting the binary compatibility with the existing method signatures, that kind of thing. How do you determine the cost-benefit analysis? Do you work with the customers to say, “Hey, we’re using this old version of whatever library. If we upgrade to it, we’re going to get to this kind of functionality.

It’s going to add this, this, and this.” Do you work with the customers and work with your developers to figure out what that line is? Do we upgrade? Do we not?

[Aaron Frost] Yeah, you know, we have our architect hat on first. We encourage everyone to upgrade where they can. And the reality of the scenario is a lot of these customers can’t, whether it’s because they legally are required to keep something old going or because they’re not going to get the CRO to allow them to not ship new features for eight months while they migrate.

So, there’s a lot of reasons why they cannot migrate, and they need the runway for their older versions to be extended for three, four, or five years. So, that’s typically where they’re coming to us saying, “Please, HeroDevs, tell me you offer a longer runway so that I don’t have to stop shipping new features for my sales team.” And that’s where we walk up, and we become a great partner.

Our cost is like a 20th of the cost to do a migration to the current versions that would keep you supported. And so, the value prop of what they’re trying to decide, it’s a very easy decision for them to know we are migrating, or the opportunity cost of not migrating is too high, so let’s keep the HeroDevs versions in place for now.

[Russ Ayres] Whenever you’re running into a supported situation or one of your clients says, “Hey, I upgraded to the version that you gave me. It fixed this CVE, but now it’s broken.” I certainly don’t want to negotiate against myself. So, if you’re offering this, continue to offer it, but how do you differentiate some of the code that you just implemented to fix the CVE is causing a problem versus this is just an inherent problem in the source code of this open-source package?

And now you’ve suddenly gotten roped into being the support person for this Log4j in the case that you’re talking about there, or a PDF conversion or something.

[Aaron Frost] Yeah, so this is a great question, Russ. We look a lot like an open-source team, except for you get an SLA with us and you don’t get that from open source. There’s no guarantee that an update won’t have a backwards breaking issue. From us, you do get that. We’ll guarantee that it continues to support backwards compatibility.

So, you would get support from us. However, let me just add, the type of engineers that could do this type of security patching and not risk breaking anything is a special type of engineer. And if y’all waved a magic wand and you could make appear the perfect team, my team would appear. We’ve hired the original team members from some of the biggest open-source projects in the world like Spring and Node and many others to help us do this exact, very precise, and very important work effectively, without any breaking changes.

So, that’s how we ensure that we don’t do that.

[Russ Ayres] Along those lines, any particular languages that you don’t support or package spaces that you don’t support? I mean, I’m sure there’s an onboarding process if you pick up a new language that you didn’t know about, but what does that look like?

[Aaron Frost] Yeah, so 2025 for us is a year of expansion into new technologies that we don’t currently support. So, 2025 for us, we’re stepping into .NET and there’s a partnership coming hopefully with Microsoft. We’re stepping into Python, as well as NumPy and Django have some end-of-life, big end-of-lifes coming in 2026.

And we’re also expanding down into some databases. By the end of 2025, we’ll have four different databases that we’re supporting. In 2025, we’ll get down into some operating system support. So, the roadmap is really aggressive. If you look at where we started three years ago, we expanded into three new technologies in 2024, and 2025 is us expanding into like 20 more technologies.

So, really widening the breadth of what we do this year.

[Russ Ayres] I have a joke to fit in there somewhere like, hey, you headed down to Cisco equipment anytime soon? Where’s the networking equipment? [Laughter] Where are you bringing in the hardware?

[Aaron Frost] Yeah, IoT and hardware and firmware support, as long as it’s got open-source components, which they do, those are coming in 2026 and 2027. They’re on our roadmap. Russ, effectively what we did is we farmed out and we harvested end-of-life dates that are upcoming in open source, and then we’ve laid it out onto a calendar, and we filtered out things that don’t affect enterprise.

So, now we’re just staring at enterprise components. And we prioritize that in a rank, “Hey, is it a technology we already support like something that’s Apache heavy or Java heavy?” We’ll take those down first, then we’ll move into other things. IoT, firmware, hardware, those are coming 2026, 2027. Great question.

[Rich Stroffolino] All right, well, before we get out of here, Aaron, what was one thing we didn’t ask about that we need to know?

[Aaron Frost] Yeah, so HeroDevs, we take pride in providing this type of never-ending support for open-source packages that people need, and we feel like we’re addressing two of the biggest problems in open source, one for the consumers and one for the authors. We are extending the runway and keeping it secure for massive enterprises and governments that need the runway to stay safe and to be longer, but we also contribute a very large portion of our top line back to these open-source projects.

In 2024, HeroDevs donated over $2 million back to the open-source projects that we’re currently supporting and keeping going, and that number’s definitely growing in 2025 and beyond. So, we feel like by supporting these old versions and keeping them secure for big enterprise, we’re also funding the future of these projects that we support, which is a huge service, we feel, for both the consumer as well as the author of open-source software.

[Rich Stroffolino] Well, that’s about all the time we have for this episode of Security You Should Know. If you want to learn more about HeroDevs, head on over to herodevs.com. I want to take a moment and thank our panelists for today, DJ Schleen and Russ Ayres, for helping us learn more about this solution.

And a big thank you to Aaron Frost and HeroDevs for their time and all of the great answers provided. And thank you for listening to Security You Should Know.

[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@ciso-dev.davidspark.dcgws.com.

Thank you for listening to Security You Should Know, connecting security solutions with security leaders.

Rich Stroffolino
Rich Stroffolino is a podcaster, editor, and writer based out of Cleveland, Ohio. Since 2015, he's worked in technology news podcasting and media. He dreams of someday writing the oral history of Transmeta.