Here we go again. We are knee-deep in Q4 of 2019. What is it they say? “Don’t blink.” Blink and it will already be January—or if you’re a slow starter, February—and like so many you may start asking the question, “What will this year mean for open source?” or, “What did we learn from 2019?”
There are two emerging trends to take note of now. First, open source license compliance and security are becoming more important because specific industry regulations now require them. For example, this year the PCI Security Standards Council introduced a new software security standard aimed at making electronic payments more secure. It requires software vendors to continuously identify and assess weaknesses in their applications, including the entire software supply chain; the key word here is “continuously.” Before this standard, companies were advised to monitor their use of open source software, but there was no emphasis on ongoing scanning and management.
Other regulatory changes in the recent past include the General Data Protection Regulation (GDPR), which requires data controllers and data processors to implement measures that ensure a level of security appropriate to the risk of processing personal data. Likewise, in late 2018 the FDA issued draft premarket cybersecurity guidance stating that premarket submissions for medical devices should include a software bill of materials, so that manufacturers and operators can tell which components (including open source components) a device contains.
These three examples of regulatory change are a response to the fact that the number of security breaches is not slowing down.
The second emerging trend is that companies are becoming more sophisticated about both license compliance and vulnerability risk management related to their use of open source software. However, developers still lack specific knowledge of open source licenses and secure coding practices. It’s a training gap, both in higher education and across the industry. Who should own filling that gap, given that breaches are still happening and companies don’t want to be tomorrow’s headline? That’s probably a broader blog topic, but one solution that will help is to at least develop internal policies with cross-functional buy-in. Get your legal, development, security, IT, and executive teams on the same page. Open Source Review Boards (OSRBs) are a good place to start. The OSRB should set policies, respond to license compliance, IP, and security events, and provide the right level of training on open source use and management.
This only scratches the surface of the trends. I’ll cover more in the coming months. What is critical is that you are set up for open source success and empowered to put it to use for competitive advantage in 2020 and beyond.