Gartner: The Crucial Role of OSS License Compliance

Gartner’s report, Technology Insight for Software Composition Analysis, makes four recommendations to improve software security. The first is to ensure a software bill of materials (or SBOM) exists for every software application; an SBOM illuminates all component parts and assists with rapid remediation, when necessary. The second recommendation is to “harden” the software supply chain; in other words, reinforce all internal and external code so that the entire system is more resilient.

Gartner’s third recommendation elevates governance of open source software (OSS) licensing. Managing OSS licenses is an important governance consideration and is central to secure development. Operating without license compliance, whether intentionally or not, invites peril.


Governing Open Source Licenses

Virtually all contemporary, proprietary software incorporates OSS components. Most open source components include licenses. (OSS without an explicit license should never be used because the authority to do so is unclear.) So how could these licenses be overlooked, ignored, or dismissed? It starts with the sheer volume of OSS in a typical application. Writes Gartner:

“One vendor-conducted study revealed 96% of codebases examined contained at least some open source, and 40% of those packages contained at least one high-risk vulnerability. In most modern DevOps development projects, the majority of code used in an application is made up of open source — with the remaining code largely serving as ‘glue’ to assemble and invoke the various functions.” (Emphasis added.)


Only 12% of Gartner respondents selected licensing issues as their number one concern. Yet, the dangers of ignoring or misusing licenses are more insidious than they appear at first glance.

Risks Associated with Not Understanding OSS Licenses

An OSS license grants others permission to modify, use, and distribute software under certain conditions. However, every component is released with a different license, and a (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: