So... it's been a while... (just been sort of busy) - but today's focus is open-source and why we should be interested from a tech resilience perspective..... With the increasingly complex management of open-source software and the associated dangers / complexities of using it, the regulators are becoming more and more interested in ensuring that open-source is managed well within the enterprise.
Just look at the interest that DORA / FCA / PRA are starting to take in open-source software / functionality…
This short blog article really just covers some of the risks associated with open-source software management, why it is of concern from an operational resilience lens, some of the operational challenges we need to think about and some of the mitigating approaches that may be considered to allow us to safely and resiliently use open-source software.
Firstly, before we get into some of the detail – we need to be really clear about what we mean by open-source software and where it may exist…. This is important – as you need to get this stuff under management!!!
It could be a deployable package / function that is downloaded / distributed
It could be a sub-component of a commercially available piece of software that happens to utilise some open-source code
It could be lines of open-source code that may have been enhanced / changed to provide enhanced outcomes
It could be a source / set of libraries that are called as part of an own-authored ecosystem
Let’s start with why the interest in Open-source software / code…..
Open-source software has revolutionised software development, offering freely available, collaborative code with numerous benefits. However, alongside its advantages, it has some worries.
But for sure - open-source is here to stay!!!
Open-source software comes with inherent risks that threaten your resilience stance - users should be aware of these!
This document outlines some key considerations when using open-source software.
Security Vulnerabilities:
Publicly Known Code: Open-source code is readily available for anyone to examine, including malicious actors. Exploitable vulnerabilities can remain undetected for longer periods compared to proprietary software.
Dependency Risks: Open-source projects often rely on other open-source components. Vulnerabilities in these dependencies can create a chain reaction, impacting the overall security of the final software.
Unmaintained Projects: Some open-source projects lack active development or maintenance. This means critical security patches may not be available promptly, leaving users exposed.
Licensing Issues:
Incompatible Licenses: Open-source projects come with various licenses that dictate how the code can be used and distributed. Mixing incompatible licenses within a project can lead to legal complications.
Unclear Ownership: In some cases, open-source code ownership might be unclear, leading to potential copyright infringement issues.
Shift-Left licensing: You may take a bit of open-source code and enhance it, modify it etc… As part of this, some licences carry obligations back to the original author / licensing model that state that you should publish your newly created open-source code.
Operational Challenges:
Limited Support: Unlike proprietary software with dedicated support channels, open-source projects often rely on community forums for assistance. Troubleshooting complex issues can be time-consuming.
Documentation Gaps: Open-source projects may have limited or outdated documentation, making it difficult for users to understand and implement the software effectively.
Incompatibility Issues: Integrating open-source components with existing systems can lead to compatibility challenges, requiring additional development effort.
Mitigating the Risks:
Register of your open-source software: Ensure that you understand all of the open-source software that is ingested into your estate and it is logged against an owner and the function / service that it provides. All too often opensource “skulks” into the ecosystem and before you know it, exists everywhere with either licensing implications, vulnerability issues or (and this has been seen many times) a vendor buys the rights of an open-source piece of software/package – and out of the blue a vendor forces a right to audit and hits you with a hefty bill that you were not expecting!
Watchlists: Ensure that you have watchlists of emerging “problem issues” in the open-source arena and the data to match where these may exist in your estate, so you can identify risk and exit / mitigate at the earliest opportunity.
Careful Selection: Choose well-established open-source projects with a large and active developer community.
Get it under vendor management processes: Tie open-source into your 3rd party / vendor management regimes to ensure that it is managed as a “proper product” and not just a “free thing we use”.
Build it into your engineering cycles: Standards and excellent engineering are how you are going to avoid pitfalls and achieve the best outcomes. Ensure that solutions that consume open-source are well engineered, tested and managed.
Vulnerability Management: Regularly scan open-source components for known vulnerabilities and apply patches promptly.
Scanning: Scan your code and your opensource regularly… Threat actors are using open-source in lots of supply-chain attacks!
License Compliance: Thoroughly understand the license terms of the open-source software you use to ensure compliance.
Consider Support: For critical projects, explore commercially supported versions of open-source software that offer professional support channels.
Internal Expertise: Develop internal expertise in managing open-source software to navigate potential challenges.
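As an added illustration (not code from the original post), here is one way to wire the register and the watchlist together so that a new watchlist entry can be matched straight onto the estate and routed to an owner. The package names, versions, owners and WATCH-PLACEHOLDER notes are constructed, and version handling assumes simple dotted-integer versions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str      # package / library as ingested into the estate
    version: str   # version actually deployed
    owner: str     # accountable owner ("" = skulked in, nobody owns it)
    service: str   # business function / service it supports

# Constructed sample register (real data is harvested from build-time SBOMs / lockfiles).
REGISTER = [
    Component("examplelib", "2.14.1", "payments-platform", "card-settlement"),
    Component("examplelib", "2.17.1", "crm-team", "customer-portal"),
    Component("httpclient-x", "2.25.0", "", "reporting"),
    Component("tinyutil", "1.3.0", "web-team", "public-website"),
]

# Constructed watchlist of "problem children": affected_from is inclusive,
# affected_below is exclusive; None means every version is of concern.
WATCHLIST = {
    "examplelib": {"affected_from": "2.0.0", "affected_below": "2.17.1",
                   "note": "WATCH-PLACEHOLDER-001: critical fix shipped in 2.17.1"},
    "tinyutil": {"affected_from": "0.0.0", "affected_below": None,
                 "note": "WATCH-PLACEHOLDER-002: upstream unmaintained"},
}

def parse_version(v):
    return tuple(int(p) for p in v.split("."))  # dotted integers only (assumption)

def is_affected(version, entry):
    v = parse_version(version)
    if v < parse_version(entry["affected_from"]):
        return False
    return entry["affected_below"] is None or v < parse_version(entry["affected_below"])

def find_exposures(register, watchlist):
    """Every register entry that a watchlist item applies to, with the note."""
    return [(c, watchlist[c.name]["note"]) for c in register
            if c.name in watchlist and is_affected(c.version, watchlist[c.name])]

def unowned(register):
    """Components logged without an owner: nobody to action a watchlist hit."""
    return [c for c in register if not c.owner]

if __name__ == "__main__":
    for c, note in find_exposures(REGISTER, WATCHLIST):
        print(f"EXPOSED {c.name}@{c.version} in {c.service} (owner: {c.owner}) -> {note}")
    for c in unowned(REGISTER):
        print(f"NO OWNER {c.name}@{c.version} in {c.service}")
```

The owner-less entry is reported separately because a watchlist hit with nobody to action it is exactly the "skulked in" case the register is meant to catch.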
Conclusion:
Open-source software remains a valuable resource for businesses and accelerates outcomes for and with developers; however, it's crucial that you:
Manage & register appropriately
Ingest open-source through assured paths into your organisation
Track the “problem opensource children”
Understand the associated risks outlined above.
Put an appropriate governance / oversight function in place that can manage your opensource estate effectively
Automate registration! Open-source software is so prevalent in the ecosystem – you need to work in smart ways to track it
By carefully selecting the right open-source projects, keeping a register, applying appropriate assurance and great engineering, implementing proper security practices, and mitigating potential issues, organisations can leverage the benefits of open-source software while minimising the drawbacks and without impacting their resilience!