Open source software is becoming ever more common in day-to-day business. Most applications you use incorporate open-source code to some extent, and organisations adapt it so that it fits their IT operating environment more effectively. Ready availability, functionality and low cost are the key drivers of this widespread adoption. However, do boards and management teams fully understand how much is being used, whether it is being monitored effectively, and whether the risks that come with it are appreciated and appropriately managed?
What is open source software?
Ultimately it is freely available software that can be used, distributed and amended as an organisation sees fit. What are the benefits of using the software?
- free to use however you wish;
- free to redistribute copies;
- free to understand how it works and adapt it; and
- free to make and share improvements with anyone.
However, because it is so accessible, it presents clear risks.
In such an open environment, where any contributor can commit potentially harmful code to a publicly available code library, what assurance do you have that this code is safe?
Although a library may document security considerations that any developer should follow, that alone is not enough; there are further methods to mitigate these risks and help ensure your organisation is protected.
Open source risk management
A key concern is that malicious code may exist within the software which then gets introduced to your organisation. How are you supposed to know it is there, and how much damage it could do?
Further common risks include:
- acquisition, support and maintenance costs may outweigh those of the proprietary packages and include ‘hidden’ costs such as embedded license fees;
- weaknesses in the OSS implementation and ongoing maintenance process resulting in a loss of confidentiality, availability and integrity across your systems; and
- an absence of a robust OSS inventory process, resulting in unrecorded software in use that presents security and legal licence risks.
It is therefore crucial that organisations implement and follow a focused open source control framework that includes:
- a defined open source inventory;
- clearly defined processes so that development teams understand what may be used and any internal sign-off requirements;
- specific patch management controls; and
- linkages of open source software to primary business functions and related business continuity arrangements.
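One way to make the inventory, sign-off and patch-management controls above concrete is a script that reconciles a project's dependency manifest against the approved inventory. This is an added example, not code from the original article; the package names, owners, licences and minimum versions are constructed sample data.

```python
"""Reconcile a requirements.txt-style manifest against an approved OSS inventory.

Each manifest entry is checked for three of the control failures the framework
targets: unrecorded software (not in the inventory), unpinned versions (patch
level cannot be tracked) and versions below the minimum patched release.
"""
import re

# Constructed sample inventory: name -> (owner who signed off, minimum patched version, licence)
APPROVED_INVENTORY = {
    "requests": ("platform-team", (2, 31, 0), "Apache-2.0"),
    "pyyaml": ("platform-team", (6, 0, 1), "MIT"),
    "paramiko": ("infra-team", (3, 4, 0), "LGPL-2.1"),
}

# Constructed sample manifest: one outdated, one unpinned, one unrecorded, one compliant
MANIFEST = """\
requests==2.28.0
pyyaml            # no version pinned
leftpad-clone==1.0.0
paramiko==3.4.0
"""

_ENTRY = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(?:==\s*([0-9][0-9.]*))?")


def parse_version(text):
    """Turn '2.28.0' into a comparable tuple (2, 28, 0)."""
    return tuple(int(part) for part in text.split("."))


def check_manifest(manifest, inventory):
    """Return (package, finding) pairs; an empty list means every entry passed."""
    findings = []
    for raw in manifest.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        match = _ENTRY.match(line)
        if not line or not match:
            continue
        name, pinned = match.group(1).lower(), match.group(2)
        if name not in inventory:
            findings.append((name, "unrecorded: not in the approved inventory, needs sign-off"))
            continue
        owner, min_version, _licence = inventory[name]
        if pinned is None:  # ranges such as >= are treated as unpinned too
            findings.append((name, "unpinned: version not fixed, patch level cannot be tracked"))
            continue
        if parse_version(pinned) < min_version:
            wanted = ".".join(map(str, min_version))
            findings.append((name, f"outdated: {pinned} is below patched minimum {wanted}; owner {owner}"))
    return findings


if __name__ == "__main__":
    for package, finding in check_manifest(MANIFEST, APPROVED_INVENTORY):
        print(f"{package}: {finding}")
```

In practice the inventory would be generated from a software bill of materials and the manifest read from the repository rather than embedded as constants.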
It is critical that firms follow these simple steps at a minimum. Cybercriminals are constantly looking to exploit weaknesses in infrastructure, and most businesses have not considered how vulnerable they are without a focused control framework.