In my last blog post, I reviewed top-level takeaways from Flexera’s 2020 State of Open Source License Compliance Report. This and my next few posts will take a closer look at the report’s findings and offer practical takeaways for moving your open source management program forward.
What helps you stay focused and alert during your daily commute? Coffee? Music? Whether you’re a driver in a car or a straphanger on a subway, for some, getting to the office safely (and calmly!) can be a challenge that requires focus. When you’re behind the wheel of a car, hazards become obvious. A safe commute requires navigating roads full of other sleepy, rushed, and most certainly distracted drivers. Vigilance—the process of paying close and continuous attention to possible difficulties—is absolutely necessary in order to respond quickly and easily. The resulting agility is what can help drivers navigate around risks and arrive at work without getting into a fender bender.
Just as we rely on vigilance and agility daily in our personal lives, these concepts are crucial for open source management. Software businesses are moving to more agile processes, with the goals of increasing market share and serving customers’ needs faster. With that trend comes the responsibility to be increasingly vigilant in order to ensure the safety of the open source software in use. Legal, risk, and development teams all must pay attention to the possible challenges around them in order to be certain that they’re using safe versions of open source software and that they’re minimizing any process and technology gaps.
With rapidly moving goals, teams need to be aware of rapidly developing risks. In this report’s analysis, an average of 662 issues were uncovered per audit project; one issue was discovered for every 32,600 lines of code scanned. High-severity (Priority 1) issues represented 17% of the issues uncovered; these indicate critical IP threats that should be remediated immediately. Of the scanned codebase files, 45% were attributed to open source components. Among the security vulnerabilities that the research uncovered, 45% contained a “high” Common Vulnerability Scoring System (CVSS) severity rating.
The 2020 report found that the average number of issues per project jumped by more than 80 percent over the previous year’s report (due partially to the number of Node.js packages from NPM)—a trend that’s expected to continue this year.
Look at Compliance and Security as a Competitive Advantage
Let’s consider the traits of good leaders – creativity, responsiveness, and determination. These are the characteristics that today’s leaders use to approach, harness, and respond quickly to the varied challenges they face, including security issues, license compliance considerations, and IP management needs. As the cost of exposure (in any or all of these areas) goes up, businesses can strengthen and protect themselves by implementing automated processes to identify and mitigate vulnerabilities. A comprehensive approach not only empowers teams to leverage OSS safely; it can help enable agile processes that help secure a competitive advantage.
So, what are the steps that can help your company monitor, understand, and minimize the risk associated with open source software use?
- Have clear company license and security policies. CEOs, CTOs, security officers, legal counsel, and software engineering teams can all be most effective if they know and can execute on well-defined policies.
- Establish an Open Source Review Board (OSRB). By building a team of representatives from legal, engineering, and product management, your organization can put policies and a reporting structure in place to strengthen your OSS management.
- Establish stakeholder training. Be sure that all parties involved understand corporate expectations and have a shared knowledge – and buy in – of the organizational risk spectrum.
- Enable automated software monitoring and scanning tools. Automation streamlines the process, improves results, and can reduce the headaches involved.
- Create vendor programs to better manage third-party and supply chain requirements. You’re not in this alone; strengthening your relationships can help all parties.
- When issues are found, begin remediation. Start with the highest priority, then work through remaining issues. The process is worth it—for you and for the customers who rely on your product.
Join Us to Learn More
My colleague David McLoughlin, Director of Solution Engineering, will join me on Thursday, March 19, to present a webinar that will take a deeper look at the 2020 State of Open Source License Compliance Report, with practical takeaways about evolving your compliance and security practices. Register now—either to attend the free, live event or to receive a recording of the webinar.
In the “Insights and Trends to Evolve Your Compliance and Security Practices” webinar, we’ll address ways companies are unaware of their open source use and subsequent license compliance and security issues; implications of risk (for you, your business, and customers); how to create a robust approach to preventing security challenges; and emerging trends that can help your organization succeed. And, of course, we’ll be available to address your questions. Hope to see you there!