Risks and Rewards of Open-Source for the Enterprise

by Casey Yarbrough - Posted 4 months ago


Open-Source is Widespread


The software of today is built using open source. A 2020 Open Source Security and Risk Analysis report by Synopsys states that 99 percent of 1,250 audited applications contain at least one open source component. Some of the most popular development platforms today, including .NET Core and Node.js, are open source, along with Docker and Kubernetes, the two hottest tools for containerized applications and workloads.


One particular “chat” application found on GitHub has over 1,600 OSS components. It is not uncommon to have 10 or more different versions of the same component in various applications across the enterprise. Total component count can often be measured in the tens of thousands because OSS is cascaded inside other OSS, and what you thought was one component may in fact be 200.


Open-Source Risks

The first OSS risk to understand is the use of vulnerable software components. Just like commercial off-the-shelf (COTS) software, OSS can have bugs. Often, these vulnerabilities are addressed quickly in a newer version or release. Unfortunately, consumers of the older versions may not be aware of either the vulnerability or the available update. Remediating vulnerabilities in your environment may introduce a whole lot of unplanned work, and as a result, delivery can be delayed. With potentially thousands of open-source components in use in an organization, keeping up with all the vulnerabilities can require a small army.


The second risk involves OSS licensing. The chat application mentioned above had over 100 different license agreements within its internal components. OSS license agreements can be complex, but they generally fall into one of two groups: permissive and copyleft/restrictive. If you choose to distribute your software, permissive licenses allow you to distribute the OSS without any substantial restrictions on licensing. Copyleft requires you to make any source code built with that component available under the same license. In practice, copyleft means that all the code your developers wrote for your new whiz-bang application has to be given away under those same terms, whereas permissively licensed OSS does not impose this on you.


An additional risk arises when using abandoned versions of OSS. These versions create problems if they contain security and other vulnerabilities, and no one in the community is maintaining them.


A company needs to understand its software supply chain: what all the components are and where they come from. According to Sonatype's 2019 State of the Software Supply Chain Report, 79 percent of organizations not practicing DevOps do not have a software bill of materials. Industry best practice is to use tools such as Sonatype Nexus or JFrog Artifactory to store local copies of the components needed to build applications. Then, if an Internet outage occurs and your team is temporarily unable to reach the open-source central repositories, you will have cached copies locally, which supports your business continuity/disaster recovery plans.


Open-Source Action Plan

1. Educate your legal and contracts teams on risks and concerns. Agree on a set of license agreements your company is comfortable with. You may consider starting with the MIT and Apache 2 licenses, because many of the large OSS packages, including Microsoft's, use them.

2. Invest in OSS management tools. Auditing and scanning for OSS manually is not realistic in the enterprise, and if you have in-house development teams, the landscape changes daily. Most developers do a great job finding open source, but are not so great at reading licenses, often just clicking “Accept” when presented with one. Acquire the tooling that best fits your needs, such as Sonatype Nexus, Synopsys Black Duck or something similar. As your teams move to continuous integration and DevOps, ensure these tools are included in your DevSecOps pipelines so that licensing, vulnerabilities, and encryption are scanned for compliance. Work with your cybersecurity, software, and governance/risk/compliance teams to agree on a level of risk and stick to it! Hold the development teams accountable and reject any software build that exposes the company well before production.

3. Create an internal education program to teach the IT team how to use the new tools, along with the reasons why. This would be a similar program to the phishing education programs that cybersecurity teams deliver to the enterprise.

4. Give back to the open-source community. Once you are sure that you have the above covered and have the tooling in place, you will eventually find vulnerabilities in the OSS your teams use. While many issues will already have available fixes, others you will need to fix yourselves. Once you fix these, you should then share your fix back to the specific open-source community that maintains the project. This is about more than just being a good citizen in the open-source world, though. If you do not do this, you will be forever “forked” between later versions coming from the open-source community and your custom version, which you must maintain and which requires constant syncing. This is not sustainable long-term for even one package.

5. Consider releasing some applications or projects as open-source. Many times, teams create internal tooling or other software that is not especially proprietary and can be shared. By posting to a site such as GitHub, you can not only give back, but also see who from outside your company is contributing to your projects. These contributors may be the type of talent you wish to hire. These online projects establish your company as a leader, creating a following of contributors. Much of the top talent wants to work with open source, so recruit from your own OSS projects.
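As an added illustration of the kind of build gate step 2 describes, and of the version sprawl noted earlier in the article (the same component present in many versions across applications), here is a small Python policy check. This is example code written for this post's topic, not a tool from the author, Sonatype, Synopsys, JFrog or any other vendor. It reads a minimal subset of the CycloneDX SBOM JSON layout (`components[].name`, `version`, `licenses[].license.id`), which is a format real scanners can emit; the package names, versions, the advisory table and the license allow-list are all constructed sample values, not real packages, advisories or CVEs.

```python
import json
from collections import defaultdict

# Policy inputs. The allow-list follows step 1 (MIT and Apache 2 as a
# starting point); the advisory table stands in for a vulnerability feed.
# Both are constructed for this example, as are the package names below.
ALLOWED_LICENSES = {"MIT", "Apache-2.0"}
KNOWN_VULNERABLE = {"example-json-parser": {"1.0.0", "1.0.1"}}

# Constructed SBOMs, one per application, in a minimal subset of the
# CycloneDX JSON layout. "intranet-tool" deliberately has a component
# with no license data at all, a common real-world gap.
SBOM_JSON = {
    "chat-app": """{
      "bomFormat": "CycloneDX", "specVersion": "1.4",
      "components": [
        {"type": "library", "name": "example-json-parser", "version": "1.0.1",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-logger", "version": "2.3.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "example-crypto", "version": "0.9.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
      ]}""",
    "billing-app": """{
      "bomFormat": "CycloneDX", "specVersion": "1.4",
      "components": [
        {"type": "library", "name": "example-json-parser", "version": "1.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-logger", "version": "2.1.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]}
      ]}""",
    "intranet-tool": """{
      "bomFormat": "CycloneDX", "specVersion": "1.4",
      "components": [
        {"type": "library", "name": "example-util", "version": "0.1.0"}
      ]}""",
}


def parse_sbom(text):
    """Return [(name, version, license_id)] from a CycloneDX-style JSON document.

    A component with no license data is reported as "UNKNOWN" rather than
    skipped, so the gate fails closed instead of silently approving it.
    """
    components = []
    for c in json.loads(text).get("components", []):
        entries = c.get("licenses") or []
        lic = "UNKNOWN"
        if entries:
            first = entries[0]
            lic = (first.get("license", {}).get("id")
                   or first.get("license", {}).get("name")
                   or first.get("expression")
                   or "UNKNOWN")
        components.append((c["name"], c["version"], lic))
    return components


def gate(components, allowed=ALLOWED_LICENSES, advisories=KNOWN_VULNERABLE):
    """Return (passed, findings) for one application's component list.

    Any license outside the approved set, or any version listed in the
    advisory table, is a finding; one finding is enough to fail the build.
    """
    findings = []
    for name, version, lic in components:
        if lic not in allowed:
            findings.append(f"license: {name}@{version} is {lic}, not in the approved list")
        if version in advisories.get(name, set()):
            findings.append(f"vulnerability: {name}@{version} has a known advisory")
    return (not findings, findings)


def version_sprawl(sboms_by_app):
    """Map each component name to the sorted versions seen across all apps,
    keeping only components that appear in more than one version."""
    seen = defaultdict(set)
    for components in sboms_by_app.values():
        for name, version, _ in components:
            seen[name].add(version)
    return {name: sorted(v) for name, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    parsed = {app: parse_sbom(text) for app, text in SBOM_JSON.items()}
    for app, components in parsed.items():
        passed, findings = gate(components)
        print(f"{app}: {'PASS' if passed else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
    print("present in more than one version:", version_sprawl(parsed))
```

In a pipeline, `gate` would run against the SBOM produced for each build and a non-empty findings list would fail the job, which is the "reject any software build ... well before production" point; `version_sprawl` run over every application's SBOM gives the enterprise-wide view that a single-project scan cannot. Treating a missing license as a failure rather than a pass is the important design choice: the gate should only approve what it can positively identify.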

When creating value for your business partners, speed matters. Reinventing the wheel by not using OSS only causes delays and opportunity costs. Open-source software is an accelerator.


Thomas J. Sweet is VP Cloud Services at GM Financial. Sweet is passionate about Digital Transformation, DevOps, Agile, Cloud, and attacking the talent shortage head-on by investing in his teams. His views are his own and not those of his employer, GM Financial.

