Managing open source risk is essential today, when open source use is abundant but can threaten your business. Here are three key points from our webinar.
Software finished eating the world sometime in 2016, when Marc Andreessen revised his original statement to “software is programming the world.” I think Andreessen moves closer to the mark with his new version, but I’d sharpen it a bit further and say…
1. “Open source software is programming the world”
Scott Crawford, research director of information security at 451 Research, and Phil Odence, general manager of Black Duck Audits with Synopsys, noted in the Jan. 24 webinar Managing the Business Risks of Open Source that technology—and the companies using that technology—are highly dependent on open source. In fact, the Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) report found that almost 30% of the 1,100 codebases audited contained more than 50% open source components. Many applications now contain more open source than proprietary code. But if you don’t know what’s in your code, you can’t manage open source risk.
2. There’s a “gotcha” to mixing open source into proprietary software
Organizations embracing open source for proprietary software development also need to embrace strategies for managing open source risk, specifically licensing and vulnerability risks. Let’s look at licensing first:
- There’s a multitude of open source licenses that may affect use of an open source component. The Open Source Initiative lists 83 that are widely used.
- In many cases, an open source component depends on subcomponents and libraries, which may have their own licenses.
- Even the definition of “free software” can be tricky unless you follow license requirements.
- During a purchase, investment, or merger and acquisition (M&A), questions about rights to software IP could become a roadblock or even a deal-breaker.
As well as risk from vulnerabilities in proprietary code, there is also risk from open source vulnerabilities:
- Seventy-eight percent of the codebases examined in the Synopsys OSSRA report contained at least one vulnerability, with an average of 64 vulnerabilities per codebase.
- The Heartbleed OpenSSL vulnerability affected 78 different products at Cisco alone.
- Some of the highest-profile security breaches during 2017–18 were due to organizations using outdated open source component versions. This enabled attackers to exploit vulnerabilities to devastating effect.
- Over 2018, there were multiple attacks on software supply chains, with hackers injecting vulnerabilities directly into open source releases.
- Verizon lowered its original offer to Yahoo! by $350 million following two massive cyber attacks at the internet company.
3. Tackle the challenge of managing open source risk through software composition analysis
After outlining the risks, Crawford and Odence detailed how software composition analysis (SCA) can help developers take a proactive stance toward open source risk before the components that carry it are incorporated into their software. Specifically, SCA can help you to:
- Identify and clarify licensing issues that may be connected to your use of open source.
- Discover and track open source security issues, including distinguishing between software versions. (For example, v1.1 may have a known vulnerability that is patched in v1.2 of the same software.)
- Integrate open source risk management into your overall secure software development life cycle, essential to modern DevOps environments.
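To make the first two points concrete, here is a small added example (not from the webinar and not Synopsys or Black Duck code) of what an SCA pass does at its core: it walks an extracted dependency inventory, flags any component whose version falls inside a known-affected range, and flags licenses a proprietary-distribution policy does not allow. The manifest, the advisory identifier and the version ranges are all constructed sample data.

```python
# Added example (not from the webinar or any Synopsys tool): a minimal
# software-composition-analysis pass over a constructed dependency list.
# It (1) flags components whose version lies in a known-affected range and
# (2) flags licenses that a proprietary-distribution policy disallows.
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2); numeric compare avoids '1.9' > '1.10' string bugs."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Advisory:
    component: str
    advisory_id: str   # placeholder id; a real feed would carry CVE numbers
    introduced: str    # first affected version (inclusive)
    fixed_in: str      # first patched version (exclusive upper bound)


# Constructed sample data: an inventory as an SCA tool would extract it.
MANIFEST = [
    {"name": "libfoo", "version": "1.1", "license": "MIT"},
    {"name": "libqux", "version": "3.4.1", "license": "Apache-2.0"},
    {"name": "libbar", "version": "2.0.3", "license": "GPL-3.0-only"},
]
# Constructed advisory: libfoo 1.0 <= v < 1.2 is affected, 1.2 is patched.
ADVISORIES = [Advisory("libfoo", "ADV-EXAMPLE-0001", "1.0", "1.2")]
# Policy: licenses that need review before shipping in a proprietary binary.
DISALLOWED_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def is_affected(version: str, adv: Advisory) -> bool:
    """True when the installed version is inside the advisory's affected range."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed_in)


def scan(manifest, advisories, disallowed):
    """Return findings as (component, version, kind, detail) tuples."""
    findings = []
    for comp in manifest:
        for adv in advisories:
            if adv.component == comp["name"] and is_affected(comp["version"], adv):
                findings.append((comp["name"], comp["version"], "vulnerability",
                                 f"{adv.advisory_id} (fixed in {adv.fixed_in})"))
        if comp["license"] in disallowed:
            findings.append((comp["name"], comp["version"], "license", comp["license"]))
    return findings


if __name__ == "__main__":
    for finding in scan(MANIFEST, ADVISORIES, DISALLOWED_LICENSES):
        print(finding)
```

Running it reports libfoo 1.1 as vulnerable (1.2 would be clean) and libbar as a license review item; a real tool does the same matching against a maintained advisory feed and a license inventory that also covers each component's transitive subcomponents.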
Of course, those are only some of the highlights of the 60-minute webinar. I encourage you to watch it in full at your convenience. You’ll learn more about the threats open source can pose and the ways that businesses can better evaluate and mitigate them. There’s a way to manage open source risk that fits with the central role open source plays in the fast-moving world of software innovation.
This is a Security Bloggers Network syndicated blog from Software Integrity Blog authored by Fred Bals. Read the original post at: https://www.synopsys.com/blogs/software-security/manage-open-source-risk/