What is the business impact when open source software is not managed correctly? Where does it go wrong and how do you manage the situation?
There is no doubt that the use of open source software is pervasive in software development. The ability to re-use existing open source software components, libraries and packages means faster time to market in delivering software solutions.
With pressure on developers to deliver code quicker and with shorter release cycles, the choice of using open source is somewhat obvious.
Where Does It Go Wrong with Open Source Software?
Despite a heightened awareness of the need to address security vulnerabilities and comply with software licensing obligations in the product development cycle, many software producing organisations’ emphasis is on shorter release cycles as opposed to secure, compliant development.
What is the Business Impact?
We see a number ways failure to manage open source software can manifest itself:
Fines by regulators
In the UK in late 2017 a local government organisation was fined 100,000 GBP after a hacker downloaded 30,000 emails containing employees’ personal information. This fine was prior to the introduction of GDPR.
“…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
One of the biggest business impact to an organisation is a security breach. In 2017 Equifax was hit by a security breach which was the result of a failure to patch a two-month-old vulnerability in Apache Struts—an open source web application framework. The hack exposed personal financial data of 145 million Equifax customers globally.
This exploit, which had global impact, was essentially avoidable as there was a patch available to fix the vulnerability. Adopting policies, processes and software composition analysis Equifax could have been alerted to the fact they had an exploitable vulnerability. This should have triggered a process to remediate the issue in a timely manner.
With open source software being adopted by large enterprises, license compliance issues are becoming more common and more high profile. A few examples are:
- Artifex (producers of Ghostscript) v Hancom
- CoKinetic Systems $100M (U.S)
- Patrick McHardy initiated legal cases
“Vilified” by the Open Source Software community
Open source industry bodies such as the Free Software Foundation and the Software Freedom Conservancy take and support legal action to enforce the GPL license compliance. For instance, the Software Freedom Conservancy funded $50,000 legal action against VMWare.
Company value – Due Diligence/IPO/Funding
It is becoming standard practice as part of technical due diligence in a merger and acquisition or funding exercise to audit code to identify any open source risks that might impact the IP valuation of the company. If the value of a company is defined by the IP of software, if to comply with a license obligation you are required to share the source code then the value could shrink to zero. This happened to Jide and their Remix OS which had GPL license compliance issues.
How Do Organisations Control the Open Source Supply Chain?
Until recently there was little guidance or consolidated best practice for managing open source software and establishing trust in an open source software supply chain.
The Linux Foundation has created a project called OpenChain where organisations such as Toyota, Qualcomm and Siemens have collaborated to define the best practices for managing open source software. The project has three pillars:
- Specification – Set of requirements
- Conformance – Assess and recognise adherence
- Curriculum – Education
OpenChain is a blueprint of the processes that should be adopted for effective management of the open source software supply chain.
You Need a Structured Program
The benefits to using open source software to build software are proven and enable a faster time to market to deliver solutions. Those benefits are not without risk.
Implementing a structured program to manage open source software is imperative to manage those risks but also enable software producers to transparently demonstrate they are managing their software supply chain and are not passing on risk to their customers.