Gone are the days when Open Source software (OSS) was only being used in educational institutions like universities, research organizations etc. Today most organizations use open source for a variety of reasons such as accelerating time-to-Market, reducing cost of development, dynamic integration etc. There are many software development organizations that work closely with their customers to determine open source strategy before making them a part of product / application development. By 2016, OSS is expected to be a part of all mission-critical software portfolios in 99% of Global 2000 enterprises, up from 75% in 2010. (Source: Gartner, “Predicts 2011: Open-Source Software, the Power behind the Throne” – 23 Nov 2010).

But there are some serious concerns around the usage of open source in commercial environments. It is imperative to keep in mind the following possibilities if you are considering going the open source way.

Intellectual Property (IP) Infringement:The licensing aspect of open source code poses some unique challenges. Some of the licenses are permissive, while the others are restrictive. If you are unaware of this, you face the possibility of being subject to a “breach of agreement” on one hand or being subjected to claims of copyright infringement on the other hand. In fact, there have been several instances where organizations were asked to stop the commercial distribution of product shipments and product recalls. Recently Oracle sued Google (GOOG), alleging patent and copyright infringement of Java-related intellectual property in the development of Android mobile operating system software.

In some cases, organizations have been asked to make the source code available, leading to potential loss of Intellectual Property, loss of competitive advantage and/or possible financial obligations because they were using code from the most viral OSS licenses.

(Read more: NIST and Application Security – Is Your Organization Really Considering All of the Risks in the Enterprise?)

 

Open Source Software can be susceptible to security vulnerabilities: At the end of the day, open source software is nothing but source code and like any other source code, it is susceptible to security vulnerabilities. If the source code is not tested rigorously before moving it to production, it leaves the door open for an adversary to compromise the application running in production. For example, recently, there was a major vulnerability discovered in Apache Tomcat which could lead to denial of service if not patched appropriately

Unknown Source: Open source components can be made up of other open source components or derived from other open source components. So, whose code is it anyway? The original code might have been issued under special GPL license or commercial license forcing the organization to indirectly oblige to licensing terms specified by the original author of the code.

(Read more:  Technology/Solution Guide for Single Sign-On)

They are everywhere, yet hidden: Let us assume that the organization has a specific policy crafted for open source usage but is unable to document all the open source and/or third party components that are being used within the organization. During one of the audit engagements, we observed that the organization had visibility of only 40% of total open source components in use. So the issue is “the organization uses open source software, but it doesn’t know where they are”. Obviously this can lead to security or legal issues.

The risk of open source usage does not lie in the usage of open source itself, but on how the open source code is being managed in the organizational environment. If the organization does not keep track of the open source code it has adopted, then it is very difficult and expensive to deal with obligations and vulnerabilities that are associated with it. So, there is a definite need to create an open source compliance management program (including an assessment checklist, training programs and software tools to monitor open source software usage) which can establish a framework for due diligence to ensure both the security and legal status of resulting application or product.

Original Blog at: http://blog.aujas.com/organizations-concerned-open-source-software-compliance.html

 

 

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

Comments

  • Another important area where Open Source Compliance could affect ITeS organizations is when they undertake application support contracts. The clients application may have open source components for which attribution may not have been given. On taking over the application for support, maintenance and enhancements, the service provider may carry the liability of non-compliance, if he has not ascertained the presence of open source components in the application code.

     

This reply was deleted.