Software development based on the sharing and collaborative improvement of software source code goes back to its very origins.
In the late 1990s, the term “open-source” was coined and received mainstream recognition in publications such as Forbes. The Netscape browser’s source code was made open source and that got a lot of attention.
The original open-source projects were “revolutions” against the “unfair” profits that closed-source software companies were reaping. Microsoft, Oracle, SAP and others, it was argued, were extracting monopoly-like “rents” for software that the top developers of the time did not consider world class.
Open Source Growth
Open source software was originally created by developers for developers. It was embraced slowly by more and more projects, organisations and companies, and it now forms the foundation of the Internet and most of our digital assets. The code base of a typical modern application consists of 80 to 90% open source software. Even in something as proprietary as Apple’s iPhone, the operating system consists largely of open source software.
Currently, there are close to 1 million open source projects globally and this number increases by 79% a year.
Open source victorious as last ones standing capitulate
Apple and Google embraced open source more than 20 years ago. The champions of proprietary software, IBM and Microsoft, resisted much longer.
Ellison was right on the mark. It looks like we reached that point a few years ago. IBM and Microsoft were the last ones standing against open source, but in the end they capitulated. IBM acquired Red Hat in early 2019 for $34B, and Microsoft acquired GitHub for $7.5B in 2018.
Open source use a surprise to many executives
Many organisations whose leadership lacks a strong engineering or technical background do not yet fully realise how important open source is and how dependent they are on it in their digital supply chain. We regularly encounter executives who are very surprised when we analyse their applications and identify many open source libraries. Awareness is the first step in managing open source risk and rewards.
Open Source Risks: Is it really free?
Open source is bringing huge rewards to business. However, with reward comes open source risk. The two main risks are legal risk, related to licences, and cyber risk, related to vulnerabilities.
Open source is free, but it can come with strings attached that do not match your organisation’s business model. Open source software is released under many different licensing models; there are over 300 in use. Most open source software comes with friendly licences such as the Apache and BSD licences. Other licensing models, such as the GNU GPL and GNU Affero GPL, are far less friendly. Using code under these licences, even in a minor component, could force an organisation to open source its entire code base, with a devastating impact on the IP value of the organisation.
Open source software, like all software, can contain vulnerabilities. Open source software, in general, is high quality software and not intrinsically more vulnerable. However, because of its wide usage, it is a very attractive target for cyber adversaries and so, over time, vulnerabilities are uncovered. At the moment, there are more than 150,000 known vulnerabilities. A lot of these vulnerabilities can be exploited to breach organisations and are considered to be the cause of approximately 25% of data breaches.
One example of a major breach is the Equifax breach, which exposed 145 million client records and cost the organisation more than $1.3B to remediate. The company also lost $5B in stock market value overnight and later received a $700M fine from the US government.
The best defence: SCA / OSS
The best defence against open source risk is to use a Software Composition Analysis (SCA) tool, sometimes also called an Open Source Security scanner. These tools quickly analyse your applications or containers and provide insight into licence and cyber risk. MergeBase goes a step further and provides solutions to quickly and easily reduce your cyber risk.
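To make concrete what an SCA tool does with the two risks described above (copyleft licences and known vulnerabilities), here is a minimal composition check written for this page. It is an added example, not MergeBase’s code or any real scanner: it parses a pinned dependency manifest, matches each dependency against a vulnerability database and a licence table, and reports what needs attention. The manifest, the package names, the licence assignments and the advisory records are all constructed for the illustration, and the advisory identifiers are placeholders rather than real CVE numbers; a real tool would source this data from package registries and vulnerability feeds.

```python
import re
from dataclasses import dataclass

# Licence policy following the text: Apache/BSD-style licences are permissive,
# GPL and AGPL are strong copyleft and need review before use in proprietary code.
PERMISSIVE = {"Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "MIT"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str


@dataclass(frozen=True)
class Vulnerability:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)
    advisory_id: str  # placeholder identifier, not a real CVE
    severity: str


# Constructed sample manifest in requirements.txt style (hypothetical packages).
MANIFEST = """\
# constructed sample manifest
webframework==2.3.0
jsonparser==1.9.4
crypto-helper==0.8.2
logutils==3.1.0
"""

# Constructed licence metadata: which licence each hypothetical package ships under.
LICENSES = {
    "webframework": "BSD-3-Clause",
    "jsonparser": "Apache-2.0",
    "crypto-helper": "AGPL-3.0-only",
    "logutils": "MIT",
}

# Constructed vulnerability database with placeholder advisory ids.
VULN_DB = [
    Vulnerability("jsonparser", "1.0.0", "1.9.5", "PLACEHOLDER-ADV-0001", "high"),
    Vulnerability("webframework", "2.0.0", "2.2.0", "PLACEHOLDER-ADV-0002", "critical"),
    Vulnerability("logutils", "3.0.0", "3.1.1", "PLACEHOLDER-ADV-0003", "medium"),
]


def parse_version(v):
    """Turn a dotted version like '1.9.4' into a comparable tuple (1, 9, 4)."""
    return tuple(int(part) for part in v.split("."))


def parse_manifest(text):
    """Parse 'name==x.y.z' lines; reject unpinned entries because a range cannot be checked."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        deps.append(Dependency(m.group(1).lower(), m.group(2)))
    return deps


def is_affected(dep, vuln):
    """A dependency is affected when introduced <= version < fixed."""
    if dep.name != vuln.package:
        return False
    v = parse_version(dep.version)
    return parse_version(vuln.introduced) <= v < parse_version(vuln.fixed)


def find_vulnerabilities(deps, db=VULN_DB):
    return [(d, v) for d in deps for v in db if is_affected(d, v)]


def find_license_review(deps, licenses=LICENSES):
    """Flag strong-copyleft licences and anything with no known licence."""
    findings = []
    for d in deps:
        lic = licenses.get(d.name, "UNKNOWN")
        if lic in STRONG_COPYLEFT or lic not in PERMISSIVE:
            findings.append((d, lic))
    return findings


def scan(manifest_text):
    """Return a report of vulnerable dependencies and licences needing review."""
    deps = parse_manifest(manifest_text)
    return {
        "dependencies": len(deps),
        "vulnerable": sorted((d.name, v.advisory_id, v.severity) for d, v in find_vulnerabilities(deps)),
        "license_review": sorted((d.name, lic) for d, lic in find_license_review(deps)),
    }


if __name__ == "__main__":
    for key, value in scan(MANIFEST).items():
        print(f"{key}: {value}")
```

Two design choices matter here. Unpinned dependencies are rejected rather than guessed, because a version range cannot be checked against an affected range; and a package with no known licence is flagged for review alongside copyleft ones, since "unknown" is a legal risk, not a clean result.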