Posted on Monday, January 30, 2023
Open source software provides companies with a competitive edge, but when used incorrectly, it can introduce risk into the software supply chain.
Today’s modern software applications simply would not exist, or be as powerful, without the use of open source software (OSS). Developers design open source software with source code that is accessible for anyone to use, modify, and learn from, and they release the code with specific licensing rights.
OSS easily integrates with other code, enabling developers using it for their own applications to focus on their core strengths and on building innovative and creative solutions for their enterprise and its customers. But developers are often not aware of all the open source components and transitive dependencies that OSS adds to their own software. OSS is a key part of the software supply chain—97% of the codebases analyzed contained open source software, according to the 2022 Synopsys “Open Source Security and Risk Analysis” (OSSRA) report. Along with the incredible value it brings to enterprises, OSS also brings risks that can be costly if not properly managed. “With some effort, it’s entirely possible to manage these risks and realize the full benefit of OSS,” said Anthony Decicco, principal at GTC Law Group and founder of the firm’s open source software practice.
Modern applications are made up of a mix of proprietary and open source code, APIs, user interfaces, databases, operating systems, and various configurations. The software supply chain is made up of every bit of code that touches an application or plays a role in its assembly, development, or deployment. A weakness in the code anywhere along the chain can create risk for the applications and the enterprises that use them. And since the OSSRA research shows that 81% of the codebases have at least one vulnerability, ensuring secure code is critical.
The benefits of using OSS include
There are risks with open source software—as there are with code from any other source—that IT teams and developers must consider. Open source code makes its way into applications in a variety of ways: developers use OSS directly in applications they design, third-party commercial code includes OSS, and outsourced software development brings it in. Because it is often developed by small communities and even volunteers, open source software isn’t always up to date. The code may no longer be actively maintained, and vulnerabilities that are discovered may never be fixed.
One of the unique challenges of using open source code is the licensing requirements. Synopsys research shows that 53% of audited codebases had license conflicts. For example, if software is used beyond the scope of its license, it can result in copyright infringement. “Depending on the applicable license and your use case, it’s possible to trigger obligations to share proprietary source code, severely impacting your business value,” according to Decicco. The time and resources required to remediate these licensing issues take attention away from the enterprise’s core mission.
While open source is not necessarily riskier than any other software, it is imperative to pay specific attention to securing OSS and to be able to demonstrate that you are doing everything you can to protect it. The more components in an application, open source or not, the larger the attack surface available to threat actors looking to compromise your system. The only way to truly be secure in today’s digital environment is to understand every element of the software supply chain for the applications you use or create.
Securing the software supply chain is so critical that governments around the world are mandating cybersecurity procedures. In the U.S., the mandates are specifically designed to ensure that software used by the federal government and its suppliers is secure, but they quickly extend from government contractors to companies that supply government suppliers, and so on, and are likely to expand to industry generally. As such, all organizations benefit from understanding these initiatives and building robust security programs now.
The goal of these mandates and directives is to improve security and cyber resilience across the software supply chain in an increasingly interconnected world—from enterprise applications to those that connect to a device or network. These government initiatives achieve this through record-keeping and information-sharing, modernizing cybersecurity standards, improving vulnerability detection, requiring detailed software Bills of Materials (SBOMs) for every piece of software you develop, and maintaining accurate information on the provenance of all software components.
Any issue along the software supply chain can put an organization at risk. Step one in using open source software is ensuring that the code and any dependencies are secure. That includes vetting OSS vendors and tracking down the licenses and dependencies necessary to make the code function. Because there are tens of thousands of different open source projects, no one can keep tabs on every piece of code or the developers who create it, so keeping track of the code can get very complicated very quickly.
Securing the software supply chain end-to-end requires understanding the entire software supply chain and creating a system to monitor, regularly test for vulnerabilities, and enable remediation. Open source software can help create value in many ways for an organization, from contributing to the development of critical software applications to improving customer interactions. Protecting your organization from the risks of open source software requires a coordinated effort that enables you to identify, monitor, and analyze what is in your code—and that means having the proper automation and tooling.
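The identify-and-analyze step above, as an added example that is not part of the original post: a small audit over a CycloneDX-style SBOM (constructed sample data) that flags components with no recorded license, components under copyleft licenses that may trigger source-sharing obligations, and components matching a known advisory. The copyleft policy list and the advisory table are assumptions standing in for an organization's legal policy and a real vulnerability feed.

```python
import json

# Constructed CycloneDX 1.4-style SBOM fragment (sample data, not from a real scan).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.3",
     "purl": "pkg:npm/libfoo@1.2.3",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "libbar", "version": "0.9.0",
     "purl": "pkg:npm/libbar@0.9.0",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "libbaz", "version": "2.0.1",
     "purl": "pkg:pypi/libbaz@2.0.1"}
  ]
}
"""

# Licenses whose obligations can require disclosing proprietary source when the
# component ships in a distributed product (assumed policy list; tune with counsel).
COPYLEFT_IDS = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "LGPL-3.0-only"}

# Constructed advisory table keyed by package URL (hypothetical; stands in for a feed lookup).
KNOWN_VULNERABLE = {"pkg:npm/libbar@0.9.0": "HYPOTHETICAL-ADVISORY-0001"}


def audit_sbom(sbom_text, copyleft=COPYLEFT_IDS, advisories=KNOWN_VULNERABLE):
    """Return findings as (purl, issue, detail) tuples in SBOM order."""
    bom = json.loads(sbom_text)
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl") or f"{comp['name']}@{comp['version']}"
        ids = [entry.get("license", {}).get("id") for entry in comp.get("licenses", [])]
        if not ids:
            # Unknown license: obligations cannot be assessed, so report it rather than skip it.
            findings.append((purl, "missing-license", "no license recorded in SBOM"))
        for lic in ids:
            if lic in copyleft:
                findings.append((purl, "copyleft-license", lic))
        if purl in advisories:
            findings.append((purl, "known-vulnerability", advisories[purl]))
    return findings


if __name__ == "__main__":
    for purl, issue, detail in audit_sbom(SBOM_JSON):
        print(f"{issue:20} {purl:28} {detail}")
```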