Open Source Risk: Plugging the Hole

Open source refers to a type of software whose source code is made available to the public for use, modification, and distribution, introducing certain open-source risks. This source code is typically developed and maintained collaboratively by a community of contributors. However, it comes with risks, particularly around security vulnerabilities and licensing issues, which are inherent aspects of open-source risk.

This guide delves into the intricate world of open source software, tracing its origins from a niche concept to a cornerstone of modern digital infrastructure. We’ll explore the transformative journey of open source, its widespread adoption by industry giants, and the unexpected challenges it presents to today’s business leaders.

The Origin of Open Source

Software development based on the sharing and collaborative improvement of software source code goes back to its origins. In the late 1990s, the term “open-source” was coined and received mainstream recognition in publications such as Forbes. The Netscape browser’s source code was made open source, which got a lot of attention.

The original open-source projects were “revolutions” against the “unfair” profits that closed-source software companies were reaping. It was argued that Microsoft, Oracle, SAP and others were extracting monopoly-like “rents” for software, which the top developers of the time did not believe was world-class.

The Expansion of Open Source

It was originally created by developers for developers. It was embraced slowly by more and more projects, organizations and companies, and it now forms the foundation for the Internet and most of our digital assets. The code base of a typical modern application consists of 80 to 90% of open source software. Even in something as proprietary as Apple’s iPhone, the operating system consists largely of open source software. 

Currently, there are close to 1 million open-source projects globally, and this number increases by 79% a year. 

Open source is victorious as the last ones standing to capitulate

Apple and Google embraced open-source more than 20 years ago. The champions of proprietary software, IBM and Microsoft, resisted much longer. 

“Once open source gets good enough, competing with it would be insane.” 2006, Larry Ellison, the chairman of Oracle, in conversation with the Financial Times

Elison was right on the mark. It looks like we reached that point a few years ago. IBM and Microsoft were the last ones standing against it, but in the end, they capitulated. IBM acquired RedHat in early 2019 for $34B, and Microsoft acquired GitHub for $7.5B in 2018.

A surprise to many executives

Many organizations where leadership does not have a strong engineering or technical background often do not fully realize yet the importance of open source and how dependent they are on it in their digital supply chain. We regularly encounter executives who are very surprised when we analyze their applications and identify many open-source libraries. Awareness is the first step in managing open source risk and rewards.

Open Source Risks: Is it really free?

Open source is bringing huge rewards to businesses. However, with reward comes risks. The two main risks are legally related to the licenses and cyber risks related to vulnerabilities. 

Open source is free but can come with strings attached that do not match with your organization’s business model. Open source software is released under different licensing models. There are over 300 licensing models in use. Most open source software comes with friendly licenses, such as the licenses for Apache and BSD. However, other licensing models are not so much, such as licenses for GNU GPL and GNU Affero. The use of these licenses, even in a minor way, could force an organization to open source its entire software with a devastating impact on the IP value of the organization.  

Open-source software, like all software, can contain vulnerabilities. Generally, it is high-quality software and not intrinsically more vulnerable. Although it is widely used, the fact that it is a very attractive target for cyber adversaries means that, over time, vulnerabilities are uncovered. At the moment, there are more than 150,000 known vulnerabilities. A lot of these vulnerabilities can be exploited to breach organizations and are considered to be the cause of approximately 25% of data breaches.

One example of a major breach is the Equifax breach, which exposed 145 million client records and cost the organization more than $1.3 B to remediate. The company also lost $5B in stock market value overnight and later received a $700 M fine from the US government. 

The Best Defence: SCA / OSS

Understanding and managing these risks is crucial for any organization that uses or contributes to open source software. Regular security audits, license compliance checks, and engaging with the open source community are important steps in mitigating these risks.

The best defense against open-source risk is using a Software Composition Analysis tool, also called Open Source Security scanner. These tools quickly analyze your applications or containers and provide insight into license and cyber risk. Finite State goes a step further and provides solutions to quickly and easily reduce your cyber risk.

Ready to mitigate risks?

Get started for free today or contact us for a demo and find out what Finite State can do for you!

Start a Free Trial

Start a Free Trial

Essential FAQs About Open Source Risks