Today’s modern software applications simply would not exist, or be as powerful, without the use of open source software (OSS). Developers design open source software with source code that is accessible for anyone to use, modify, and learn from, and they release the code with specific licensing rights.
OSS easily integrates with other code, enabling developers using it for their own applications to focus on their core strengths and on building innovative and creative solutions for their enterprise and its customers. But developers are often not aware of all the open source components and dependencies that OSS adds to their own software. OSS is a key part of the software supply chain — 97% of the codebases analysed contained open source software, according to the 2022 Synopsys “Open Source Security and Risk Analysis” (OSSRA) report. With the incredible value it brings to enterprises, OSS also brings risks that can be costly if not properly managed. “With some effort, it’s entirely possible to manage these risks and realise the full benefit of OSS,” said Anthony Decicco, principal at GTC Law Group and founder of the firm’s open source software practice.
Reward versus risk
Modern applications are made up of a mix of proprietary and open source code, APIs, user interfaces, databases, operating systems, and various configurations. And the software supply chain is made up of every bit of code that touches an application or plays a role in its assembly, development, or deployment. A weakness in the code anywhere along the chain can create risk for the applications and the enterprises that use them. And since the OSSRA research shows that 81% of the codebases had at least one vulnerability, ensuring secure code is critical.
The benefits of using OSS include:
- Agility and faster development: Development teams can rapidly integrate new technologies into their software stack, in days and weeks rather than months and years.
- Lower development and maintenance costs: Open source software is free to use, making it more cost-effective than commercial software, and it enables developers to start small and scale as it becomes necessary.
- Focus on what your organisation does best: Let developers spend their time and attention on the parts of the codebase that require their expertise.
There are risks with open source software — as there are with code from any other source — that IT teams and developers must consider. Open source code makes its way into applications in a variety of ways, such as developers using OSS in applications they design, third-party commercial code that includes OSS, and outsourced software development. Because it is often developed by small communities and even volunteers, open source software isn’t always up to date. The code may not be actively maintained, and vulnerabilities that are discovered may not be fixed.
One of the unique challenges of using open source code is the licensing requirements. Synopsys research shows that 53% of audited codebases had license conflicts. For example, if software is used beyond the scope of the license, it can result in copyright infringement. “Depending on the applicable license and your use case, it’s possible to trigger obligations to share proprietary source code, severely impacting your business value,” according to Decicco. The time and resources required to remediate these licensing issues can take time away from the enterprise’s core mission.
Securing the software supply chain
While open source is not necessarily riskier than any other software, it is imperative to pay specific attention to securing OSS and to be able to demonstrate that you are doing everything you can to protect it. The more components in an application, open source or not, the more opportunities there are for threat actors looking to break into your system to exploit one of them. The only way to truly be secure in today’s digital environment is to understand every element of the software supply chain for the applications you use or create.
Securing the software supply chain is so critical that governments around the world are mandating cyber security procedures. In the U.S., the mandates are specifically designed to ensure that software used by the federal government and its suppliers is secure, but they quickly expand from government contractors to companies that supply government suppliers, and so on, and are likely to expand to industry generally. As such, there is a benefit for all organisations to understand these initiatives and build robust security platforms now.
The goal of these mandates and directives is to improve security and cyber resilience across the software supply chain in an increasingly interconnected world — from enterprise applications to those that connect to devices or networks. These government initiatives achieve this through record-keeping and information-sharing, modernising cybersecurity standards, improving vulnerability detection, requiring detailed software bills of materials (SBOMs) for every piece of software you develop, and maintaining accurate information on the provenance of all software components.
Software supply chain security best practices
Any issues along the software supply chain can put an organisation at risk. Step one in using open source software is ensuring that the code and any dependencies are secure. That includes vetting OSS vendors and tracking down the licenses and dependencies necessary to make the code function. Because there are tens of thousands of different open source projects, no one can keep tabs on all the different pieces of code or the developers who create them, so keeping track of the code can get very complicated very quickly.
Securing the software supply chain end-to-end requires understanding the entire software supply chain and creating a system to monitor, regularly test for vulnerabilities, and enable remediation. Open source software can help create value in many ways for an organisation, from contributing to the development of critical software applications to improving customer interactions. Protecting your organisation from the risks of open source software requires a coordinated effort that enables you to identify, monitor, and analyse what is in your code — and that means having the proper automation and tooling.
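The SBOM, licence and provenance tracking described above can be automated in a first pass over the inventory. The following is an added illustration, not code from Synopsys or the OSSRA report: it reads a constructed CycloneDX-style SBOM and flags components whose licence conflicts with proprietary distribution or whose origin and integrity cannot be traced (the licence policy list and the sample SBOM are this example's own assumptions).

```python
"""Minimal SBOM policy check: flag licence conflicts and missing provenance.
Added illustration; the SBOM below is constructed, not from any real project.
Assumes a CycloneDX-style JSON shape; the policy list is this example's own."""
import json

# Constructed CycloneDX-style SBOM for a hypothetical proprietary product.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"name": "libfoo", "version": "2.1.0", "purl": "pkg:npm/libfoo@2.1.0",
     "licenses": [{"license": {"id": "MIT"}}],
     "hashes": [{"alg": "SHA-256", "content": "deadbeef"}]},
    {"name": "gplutil", "version": "1.0.3", "purl": "pkg:pypi/gplutil@1.0.3",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}],
     "hashes": [{"alg": "SHA-256", "content": "cafef00d"}]},
    {"name": "mystery", "version": "0.9",
     "licenses": []}
  ]
}"""

# Licences whose obligations conflict with shipping proprietary binaries.
# Example policy only; the real list comes from your counsel.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def licenses_of(component):
    """Return the set of SPDX ids declared for a component."""
    return {entry["license"].get("id", "UNKNOWN")
            for entry in component.get("licenses", [])}


def check_sbom(sbom_json, distribution="proprietary"):
    """Return (component, issue) pairs for licence and provenance gaps."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        ident = f'{comp["name"]}@{comp.get("version", "?")}'
        ids = licenses_of(comp)
        if not ids:
            findings.append((ident, "no license declared"))
        elif distribution == "proprietary" and ids & STRONG_COPYLEFT:
            findings.append((ident, f"copyleft conflict: {sorted(ids & STRONG_COPYLEFT)}"))
        # Provenance: without a purl and a hash the component cannot be traced
        # back to its origin or verified against what was actually built.
        if not comp.get("purl"):
            findings.append((ident, "missing purl (origin unknown)"))
        if not comp.get("hashes"):
            findings.append((ident, "missing hash (integrity unverifiable)"))
    return findings
```

Running `check_sbom(SBOM_JSON)` on the constructed SBOM passes libfoo, flags gplutil for its copyleft licence, and flags mystery three times: no licence, no purl and no hash.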