Open Source Risk: Plugging the Hole

Open Source Risk

The Origin 

Software development based on sharing and collaboratively improving source code goes back to the origins of the field. In the late 1990s, the term “open source” was coined and received mainstream recognition in publications such as Forbes. The release of the Netscape browser’s source code as open source attracted a lot of attention.

The original open source projects were “revolutions” against the “unfair” profits that closed-source software companies were reaping. It was argued that Microsoft, Oracle, SAP and others were extracting monopoly-like “rents” for software, which the top developers of the time did not believe was world-class.

The Growth

Open source was originally created by developers for developers. It was embraced slowly by more and more projects, organizations and companies, and it now forms the foundation of the Internet and most of our digital assets. The code base of a typical modern application consists of 80 to 90% open source software. Even in something as proprietary as Apple’s iPhone, the operating system consists largely of open source software.

Currently, there are close to 1 million open source projects globally, and this number increases by 79% a year.

Open source is victorious as the last holdouts capitulate

Apple and Google embraced open source more than 20 years ago. The champions of proprietary software, IBM and Microsoft, resisted much longer.

“Once open source gets good enough, competing with it would be insane.”

Larry Ellison, chairman of Oracle, in conversation with the Financial Times, 2006

Ellison was right on the mark. It looks like we reached that point a few years ago. IBM and Microsoft were the last ones standing against open source, but in the end they capitulated: IBM acquired Red Hat in early 2019 for $34B, and Microsoft acquired GitHub for $7.5B in 2018.

A surprise to many executives

In many organizations, especially where leadership does not have a strong engineering or technical background, executives do not yet fully realize the importance of open source and how dependent their digital supply chain is on it. We regularly encounter executives who are very surprised when we analyze their applications and identify many open source libraries. Awareness is the first step in managing open source risks and rewards.

Open Source Risks: Is it really free?

Open source brings huge rewards to businesses. However, with reward comes risk. The two main risks are legal risk related to licenses and cyber risk related to vulnerabilities.

Open source is free but can come with strings attached that do not match your organization’s business model. Open source software is released under many different licensing models; over 300 are in use. Most open source software comes with friendly licenses, such as the Apache and BSD licenses. Other licenses are much less friendly, such as the GNU GPL and GNU Affero GPL. Using code under these licenses, even in a minor way, could force an organization to open source its entire software, with a devastating impact on the organization’s IP value.

Open source software, like all software, can contain vulnerabilities. Generally, it is high-quality software and not intrinsically more vulnerable. However, because it is so widely used, it is a very attractive target for cyber adversaries, which means that, over time, vulnerabilities are uncovered. At the moment, there are more than 150,000 known vulnerabilities. Many of these vulnerabilities can be exploited to breach organizations, and they are considered to be the cause of approximately 25% of data breaches.

One example of a major breach is the Equifax breach, which exposed 145 million client records and cost the organization more than $1.3B to remediate. The company also lost $5B in stock market value overnight and later received a $700M fine from the US government.

The Best Defence: SCA / OSS

The best defence against open source risk is a Software Composition Analysis (SCA) tool, also called an Open Source Security (OSS) scanner. These tools quickly analyze your applications or containers and provide insight into license and cyber risk. MergeBase goes a step further and provides solutions to quickly and easily reduce your cyber risk.

Ready to mitigate risks?

Get started for free today or contact us for a demo and find out what MergeBase can do for you!

About the Author

Oscar van der Meer

Inspiring leadership and innovative technology expertise in Digital, Payments, Finance and Artificial Intelligence.