Open source software (OSS) is software for which the original authors have granted express copyright and usage permissions to allow all users to access, view, and modify the source code of these programs however they see fit and without the need to pay royalties.
This is in contrast to proprietary, closed source software, which typically requires a paid license and cannot be added to, modified, or distributed by anyone except the owner of the rights to the software.
The cost efficiency of using open source software has proven to be irresistible. Today, open source components often account for 80% or more of the code base of new applications. Virtually zero products are free from OSS somewhere along the supply chain.
OSS has a rich history and a colorful community who dedicate their time—often unpaid—to provide millions of useful libraries and programs to all for free.
Before “open source software” was a thing, there was just “free software”, and you can’t talk about the history of free software without talking about the daddy of free software himself, Richard Stallman. Eccentric founder of the Free Software Foundation (FSF) and author of the GNU Public License, known for its use of copyright law to enforce freedoms in a “viral” fashion, Stallman has been a strong advocate for free software since the 1980s. He still heads the FSF and writes on the topic of free software to this day.
Most of us think of free software as software that doesn’t necessitate an exchange of money to obtain, but “think free as in free speech, not free beer” is the mantra of free software advocates. Stallman sees a distinction between “open source” and “free” software. Though the Venn diagram of free and open source applications is basically a circle, he believes the two terms emphasize different philosophies. The FSF’s four essential freedoms are the pillars of the free software movement—and they’re not particularly interested in how much freedom free software gives businesses.
Enter the Open Source Initiative (OSI). Founded in 1998 by Bruce Perens and Eric Raymond, OSI took a more practical view of free software. For Perens and Raymond, using the term “open source” took away the political baggage clinging to “free software” and invited businesses to use and contribute to the growing number of libraries and applications that were freely available to all. OSI may be friendlier to corporate participation in OSS, but it is still undergirded by a libertarian philosophy. Many of Stallman’s four freedoms are reflected in their 10-point definition of OSS. As things usually go with politics, most developers don’t have strong feelings one way or another about “free” versus “open source” software. You might see the more neutral acronym “FOSS” which stands for “Free and Open Source Software”, or even “FLOSS”, which stands for “Free Libre and Open Source Software”, where the “free” is back to the common meaning of “costing zero dollars”.
Prior to the early 2000s, many companies were skeptical or even downright hostile towards their developers using OSS, but the cost savings of using readily available open source components instead of using developer time to reinvent the wheel became too high to ignore.
An open source license details the terms and conditions for using or modifying a software component. The text of the license will be included in an open source project’s distribution, either in the comments of a source code file or in a separate README file.
There are over 200 open source licenses out there in the world, but many are redundant. The OSI only recognizes about 80 unique and truly open source licenses. The vast majority of open source projects fall under just eight licenses. Not too bad.
Learn more about those top open source licenses.
All open source licenses fall into three broad categories:
Organizations that use open source code must take care to stay compliant with intellectual property (IP) law and to reduce their risk of breaches and attacks from malicious actors taking advantage of vulnerabilities in OSS.
IP compliance and policy comes down largely to compatibility: whether or not the licenses of open source components are compatible with each other, and whether or not the licenses are compatible with the overall business goals of the project.
Not all OSS projects are equal in terms of quality and security. Luckily, with the use of automated tools, developers can usually get a picture of how many serious vulnerabilities are present in a particular open source package before adding it to their projects. Many organizations put rules into place to stop developers from using components that have too many issues. We’ll go deeper into open source security in a later section.
OSS policies provide a team or entire organization with standards for the proper use of open source components. The goal is to maximize the benefits and impact of using these components while also addressing technical, business, and legal risks that might arise.
OSS policies begin with choosing which licenses will always be allowed, sometimes allowed (through an escalation process), or never allowed for a particular project or across all development teams.
An OSS policy will also need to contain rules for which components will be allowed or not allowed based on risk of exploitation. This is typically done by deciding the number of vulnerabilities an open source component brought onto the project can have, based on the severity of the vulnerabilities. The 100% vulnerability-free open source component is a rare bird indeed. OSS policies typically disallow any component with high or critical severity vulnerabilities, but allow for some medium and low severity vulnerabilities.
Read more about choosing a comprehensive open source compliance policy.
Using OSS instead of writing code from scratch isn’t without its drawbacks. OSS quality varies widely, and many components are buggy, insecure, and inconsistently updated. Here are some important tools and considerations for addressing open source software security.
It’s impossible to watch out for vulnerabilities in products you don’t even know you have. Software inventories and SBOMs are both important for getting a big picture of your software dependencies and for compiling a list of things that need to be monitored and updated.
Learn more about the value of SBOMs.
Proprietary software vendors usually push out updates, while open source projects do not necessarily do so. Support is limited in open source and will vary greatly depending on the size of a project’s community. As a result, organizations using open source components need to proactively monitor for vulnerabilities and updates to ensure that all components are promptly patched and remediated.
Automated dependency health tools like our open source tool, Mend Renovate, take a great deal of the stress of tracking and scheduling updates off of developers.
Software composition analysis (SCA) is an application security testing tool that helps manage open source components. SCA tools automatically scan your source code to identify open source components, licensing data, and known vulnerabilities.
SCA tools provide visibility into open source components and offer prioritization and automated remediation to help fix vulnerabilities.
Here is how it works:
Ideally, you should look for SCA tools that seamlessly integrate into your software development life cycle. Doing so helps resolve vulnerabilities during early phases when issues are more easily and cheaply fixed.
SCA is typically used during the building process of the software development life cycle. After code is deployed, vulnerability scanners like DAST and IAST are helpful to test applications for common vulnerabilities.
Here are key benefits of using binary repositories:
While the licenses and philosophies underpinning OSS have largely stayed the same since the 1990s, the proliferation of OSS and technologies covered under open source licenses has changed greatly. Here are two trends that have popped up in recent years.
To be considered true open source or free software licenses according to both OSI and Stallman, no particular use of the software or type of person using the software can be prohibited. However, that doesn’t stop developer activists from writing licenses that they call open source, but aren’t.
This is becoming especially common in licenses for AI models, where concerns about unethical use of powerful technology have moved some authors to create “responsible” licenses, but such restrictions are actually not that new. The JSON License was written in 2002 and is an MIT license with an added clause that “The Software shall be used for Good, not Evil.” This clause restricts endeavor, failing criterion 6 of the OSI OSS definition. Therefore, the JSON License is not an open source license, despite the fact that the software is available to all for free and the source code is openly available.
Within the last few years, the US government has taken notice of the prevalence and importance of open source software. President Biden’s Cybersecurity Executive Order includes guidelines to improve the software supply chain, including the creation of SBOMs, and remediation of vulnerabilities found in OSS. The CISA Open Source Software Security Roadmap details the government organization’s plans to assist the open source community.
Open source software has evolved from a community-driven initiative into an industry-standard approach to software development. The open source ecosystem offers various benefits, including flexibility, cost savings, and collective intelligence in development.
Understanding and implementing an open source policy is essential for risk management, as it sets the groundwork for compliant and secure use of open source components. Open source vulnerability scanning and software composition analysis tools are critical in identifying and remedying security risks. These practices allow organizations to reap the benefits of open source software while managing potential drawbacks effectively.
Thus, the open source model is not just about freely accessible code; it’s also about setting up frameworks for responsible use and contribution to the community. By adhering to standardized procedures for license compliance, security, and code contribution, organizations can foster a robust open source environment that advances innovation and resolves software challenges efficiently.
*** This is a Security Bloggers Network syndicated blog from Mend authored by AJ Starita. Read the original post at: https://www.mend.io/blog/a-guide-to-open-source-software/