Just as lockdowns started to sweep the globe in March, Bill Gates tweeted about an open source software platform called Nextstrain. The open source application helps track the spread of viruses, notably COVID-19, with visualizations that map mutations in their genetic code, according to an article in Wired. For instance, if two people in different places are infected and the COVID strains share the same mutations, those two cases are likely related to one another even if those people don’t know each other, according to the article.
It’s one of many examples of how open source software is proving to be a crucial partner in combating the pandemic. This extends from the type of detailed genetic sequencing and code sharing enabled by Nextstrain, to the COVID maps everyone is all too familiar with now. The data collected and displayed, for instance, through the well-known Johns Hopkins COVID map is made freely available through a GitHub repository, along with the feature layers of the dashboard.
But the flip side of that equation is that the more ubiquitous open source software becomes, the greater potential it has to bring hidden risk to organizations because of open source dependencies and their security vulnerabilities, as well as improper licensing. Those risks are the subject of a new IDC report, “Addressing the Hidden Costs of Embedding Open Source Software.”*
The OSS vulnerability risks presented by open source dependencies are real, but with a Software Composition Analysis (SCA) strategy your organization isn’t powerless to prevent them. Having an SCA strategy is so crucial, in fact, that IDC recommends that every organization use or consider the use of an SCA solution. SCA tools allow organizations to scan code and track direct and indirect components by means of a Software Bill of Materials (SBOM). IDC says this brings several benefits:
- They allow organizations to detect a vulnerability and determine its severity and scope of exposure, and they provide guidance on the updated OSS artifacts that fix it.
- They allow organizations to identify outdated OSS components by providing a list of known vulnerabilities included in embedded OSS components.
- The tools can find transitive dependencies by building a dependency graph that shows the transitive OSS artifacts and the tier at which each is included in the SBOM.
- They generate license reports, allowing the organization to determine the license compliance of the OSS components that make up the application. This reduces legal exposure from expired, missing or incompatible code and copyleft. The latter requires that any software product embedding the OSS component make its entire source code available, as well as the rights to modify and distribute it.
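The checks in the list above can be sketched over a small dependency graph. This is an added example, not code from IDC, Revenera or any SCA product; the SBOM shape is simplified (not the CycloneDX or SPDX schema), and every component name, license assignment and advisory ID in it is constructed.

```python
from collections import deque

# Constructed SBOM: component names, versions, licenses and edges are made up.
SBOM = {
    "root": "shop-app@1.0.0",
    "components": {
        "shop-app@1.0.0": {"license": "Proprietary"},
        "webkit-lite@2.3.1": {"license": "MIT"},
        "yamlparse@0.9.0": {"license": "Apache-2.0"},
        "imgcodec@1.4.2": {"license": "GPL-3.0-only"},
        "zstream@1.1.0": {"license": "BSD-3-Clause"},
    },
    "dependsOn": {
        "shop-app@1.0.0": ["webkit-lite@2.3.1", "yamlparse@0.9.0"],
        "webkit-lite@2.3.1": ["imgcodec@1.4.2", "yamlparse@0.9.0"],
        "imgcodec@1.4.2": ["zstream@1.1.0"],
    },
}
# Constructed advisory feed: (placeholder ID, severity, fixed version).
ADVISORIES = {"zstream@1.1.0": [("EXAMPLE-0001", "high", "1.1.3")]}
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")

def tiers(sbom):
    """Breadth-first walk from the root: tier 1 = direct, 2+ = transitive."""
    depth, queue = {sbom["root"]: 0}, deque([sbom["root"]])
    while queue:
        node = queue.popleft()
        for dep in sbom["dependsOn"].get(node, []):
            if dep not in depth:  # first visit is the shallowest tier; also stops cycles
                depth[dep] = depth[node] + 1
                queue.append(dep)
    return depth

def report(sbom, advisories):
    """One row per component: tier, copyleft flag, known advisories."""
    depth, rows = tiers(sbom), []
    for name, meta in sbom["components"].items():
        if name == sbom["root"]:
            continue
        rows.append({
            "component": name,
            "tier": depth.get(name),  # None = listed in the SBOM but unreachable
            "copyleft": meta["license"].startswith(COPYLEFT_PREFIXES),
            "advisories": advisories.get(name, []),
        })
    return sorted(rows, key=lambda r: (r["tier"] is None, r["tier"] or 0))

if __name__ == "__main__":
    for row in report(SBOM, ADVISORIES):
        print(row)
```

In this constructed graph the only advisory sits at tier 3 and the only copyleft license at tier 2, so neither would appear in a review limited to the application's direct dependencies.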
Microsoft CEO Satya Nadella said during the company’s quarterly earnings in April that “We have seen two years’ worth of digital transformation in two months.” Open source software is undoubtedly driving this transformation. IDC researchers found that nearly 43% of the 160 respondents to its 2020 U.S. DevOps Survey said their usage of OSS will be considered “strategic” by 2022.
Being proactive about properly securing and licensing open source software through a Software Composition Analysis strategy builds confidence in its use and ensures it can continue to safely deliver benefits that are becoming essential to organizations and their end users.
*IDC Analyst Brief, Sponsored by Revenera, “Addressing the Hidden Cost of Embedding Open Source Software,” #US46977220, November 2020