Legal and security risks for businesses unaware of open source implications

Whether your organisation uses open source intentionally or via commercial vendors, understanding how the software is updated by its developers is key to governance.

Software based on open source code is prevalent in many industries today, whether it is adopted in its native form or as part of commercial software that includes an open source codebase. 

In a typical modern application, custom or proprietary code sits alongside open source components, calls to third-party APIs (application programming interfaces), and the application's own behaviour and configuration.

So, it may not be surprising that 99% of the 1,253 codebases that Synopsys audited in 2019 contained open source components. In nine of the 17 industries studied, which included the manufacturing, cybersecurity, and financial services industries, 100% of the codebases contained open source.

One appeal of open source has been the transparency and openness that it promises. When a community can take apart a piece of software and analyse it, it is better placed to improve its performance and to find and fix security flaws.

That's the theory, at least. Today, the complexity of many software tools used by businesses to run their websites or manage their Internet of Things (IoT) devices means that it is often difficult to get the visibility that one expects.

The other issue is how the efforts of the open source community get translated into benefits for businesses that use the code. They still have to ensure that their software is up to date.

Unfortunately, many do not. Synopsys' 2020 Open Source Security and Risk Analysis Report found out-of-date open source components in the large majority of the codebases it audited.

The open source community usually issues small updates at a much faster pace than the average commercial software vendor. But because open source updates are not pushed by a vendor and must be "pulled" by the consuming team, an alarming number of businesses using open source components never apply the patches they need.

According to Synopsys' study, 82% of codebases had components more than four years out of date. In addition, 88% of the codebases had components with no development activity in the last two years.

As with any software that is not patched and kept up to date, this raises the risk of cyber attacks and exposes applications to potential exploits.

Unsurprisingly, the Synopsys study also found that 75% of the codebases audited contained at least one vulnerability, and 49% contained high-risk vulnerabilities.

One example is Lodash, a JavaScript utility library used by more than 6.8 million GitHub repositories, whose earlier versions were affected by multiple prototype pollution vulnerabilities. Prototype pollution lets attacker-controlled input add or overwrite properties on Object.prototype, which every plain JavaScript object inherits, so a single malicious payload can change the behaviour of unrelated code in the same process.
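As an added illustration, not code from the page, from Synopsys or from the Lodash project, the following JavaScript shows the general pattern behind prototype pollution: a recursive "deep merge" that trusts every key in attacker-supplied JSON, beside a hardened version. The payload, both merge functions and the checkForPollution helper are constructed for this example.

```javascript
// Constructed attacker-controlled input (not from the page): a JSON body whose own key is
// "__proto__". JSON.parse creates it as an ordinary own data property, not via the
// Object.prototype.__proto__ setter, so a naive merge will happily walk into it.
const PAYLOAD = '{"profile":{"name":"mallory"},"__proto__":{"isAdmin":true}}';

// Vulnerable pattern: a recursive merge that trusts every enumerable key.
// target["__proto__"] on a plain object resolves to Object.prototype, so the
// recursion writes the attacker's keys onto the prototype shared by every object.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (typeof value === 'object' && value !== null) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// The three property names through which a merge can reach a prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (typeof value !== 'object' || value === null) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened pattern: own keys only, never the three prototype-reaching names,
// and only recurse into a target slot that is itself an own plain object.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge implementation against PAYLOAD and reports whether an unrelated,
// freshly created object ended up with isAdmin === true. Removes the polluted
// property afterwards so the process is left in a known state.
function checkForPollution(mergeFn) {
  const settings = { profile: { name: 'default' } };
  mergeFn(settings, JSON.parse(PAYLOAD));
  const victim = {};
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, mergedName: settings.profile.name };
}

console.log('unsafeMerge pollutes Object.prototype:', checkForPollution(unsafeMerge).polluted); // true
console.log('safeMerge pollutes Object.prototype:', checkForPollution(safeMerge).polluted);     // false
```

Two further hardenings are worth knowing: build lookup tables with Object.create(null) so they have no prototype to reach, and in services that can tolerate it call Object.freeze(Object.prototype) at startup, which turns any remaining pollution attempt into a silent no-op (or a TypeError in strict mode).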

In an accompanying webinar, Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, walks through the Synopsys study and offers guidance on how to mitigate the open source security and legal risks that many organisations face.

Open source licensing risks

Yet another worrying finding from the Synopsys study is the lack of understanding of the licences involved in open source software. Many businesses are not aware that their software applications may have licensing issues.

Much of the commercial software that businesses buy also embeds open source components, and that is an area many buyers never examine.

Indeed, 33 per cent of codebases audited contained unlicensed components, that is, code with no identifiable licence, while 67 per cent of the codebases had licence conflicts, Synopsys found. And the issue is becoming more complex.

As open source becomes more ubiquitous, it has also become increasingly affected by societal issues, including both ethical and political issues. 2019 was a particularly volatile year in the world of open source licensing.

In June 2019, Cockroach Labs moved CockroachDB, a distributed SQL database that stores copies of data in multiple locations, from the Apache 2.0 licence to the Business Source License (BSL). The BSL stops cloud providers from offering CockroachDB as a commercial service without buying a licence from the company.

Redis Labs, the company behind the open source Redis database, had in 2018 applied a hybrid licence, Apache 2.0 modified with the Commons Clause, to certain Redis modules in order to limit their use by cloud service providers.

After confusion and controversy over the hybrid licence, Redis Labs replaced it in March 2019 with the Redis Source Available License (RSAL) for those modules, which permits most uses but specifically forbids using them in a database product.

A different approach needed

The sobering reality is that compliance is not keeping up with usage of open source codebases. In view of this, businesses have to consider the impact of open source software in their operations as they move forward in a digitally connected world.

Whether they are developing a product using open source components or involved in mergers and acquisitions activity, they have to conduct due diligence on the security and legal risks involved.

One approach that has been proposed is to have a Bill of Materials (BOM) for software. Just like the BOM commonly used by hardware manufacturers, such as smartphone makers, a software BOM lists the components and dependencies of each application, with their versions, and gives more visibility into what is actually shipped.

In particular, a BOM generated by an independent software composition analysis (SCA) tool, which identifies components from the code and binaries actually shipped rather than from declared dependencies alone, gives businesses a clearer view of the foundation on which they build so many of their applications.
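As an added example, not code from the page, from Synopsys or from any SCA vendor, the following JavaScript builds a minimal CycloneDX-shaped inventory from an npm lockfile and runs a licence allow-list over it. It also serves the inventory point made later in the piece, that a business cannot patch or licence-check what it does not know it has. The lockfile contents, the package names other than lodash, the ALLOWED_LICENSES set and all function names are constructed for this example.

```javascript
// Constructed npm lockfile (not from the page). lockfileVersion 2+ records every
// installed package under "packages", keyed by its install path. The versions and
// "license" fields here are illustrative policy-check inputs, not claims about the
// real packages.
const LOCKFILE_TEXT = JSON.stringify({
  name: 'example-app',
  version: '1.0.0',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21', license: 'MIT' },
    'node_modules/@acme/widgets': { version: '2.3.0', license: 'Apache-2.0' },
    'node_modules/legacy-helper': { version: '0.9.1' },
    'node_modules/legacy-helper/node_modules/copyleft-util': { version: '1.0.0', license: 'GPL-3.0-only' },
  },
});

// Licences this hypothetical organisation has approved for redistribution (SPDX identifiers).
const ALLOWED_LICENSES = new Set(['MIT', 'Apache-2.0', 'BSD-2-Clause', 'BSD-3-Clause', 'ISC']);

// "node_modules/a/node_modules/@s/b" -> "@s/b": the package name is whatever follows
// the last node_modules/ segment, so nested copies are attributed to the right package.
function packageNameFromPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? installPath : installPath.slice(idx + marker.length);
}

// Package URL per the purl spec: an "@scope" namespace is percent-encoded as %40scope.
function npmPurl(name, version) {
  const encoded = name.startsWith('@') ? '%40' + name.slice(1) : name;
  return `pkg:npm/${encoded}@${version}`;
}

// Builds a minimal CycloneDX-shaped inventory (bomFormat/specVersion/components)
// from lockfile text. Every installed copy becomes a component, including nested
// duplicates, which is exactly the visibility a flat dependency list hides.
function buildSbom(lockfileText) {
  const lock = JSON.parse(lockfileText);
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or later');
  const components = [];
  for (const [installPath, entry] of Object.entries(lock.packages)) {
    if (installPath === '') continue; // the root project itself, not a dependency
    const name = packageNameFromPath(installPath);
    components.push({
      type: 'library',
      name,
      version: entry.version,
      purl: npmPurl(name, entry.version),
      licenses: entry.license ? [{ license: { id: entry.license } }] : [],
      properties: [{ name: 'npm:installPath', value: installPath }],
    });
  }
  return { bomFormat: 'CycloneDX', specVersion: '1.4', components };
}

// Policy check over the inventory: components with no declared licence at all, and
// components whose licence is outside the allow-list, are reported by purl.
function checkLicensePolicy(sbom, allowed) {
  const unlicensed = [];
  const disallowed = [];
  for (const c of sbom.components) {
    if (c.licenses.length === 0) {
      unlicensed.push(c.purl);
      continue;
    }
    if (!c.licenses.every((l) => allowed.has(l.license.id))) disallowed.push(c.purl);
  }
  return { unlicensed, disallowed };
}

const sbom = buildSbom(LOCKFILE_TEXT);
console.log(`${sbom.components.length} components in inventory`);
console.log(JSON.stringify(checkLicensePolicy(sbom, ALLOWED_LICENSES), null, 2));
```

A lockfile-derived inventory only sees what the package manager installed. Vendored copies, pre-built binaries and components embedded in commercial software are invisible to it, which is where an SCA tool that inspects the shipped code itself earns its place.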

Awareness is key to improvement. For starters, businesses cannot patch what they don't know they have. A patch only applies to the version it was written for, so teams must know where each component came from and which version they are actually running.

Open source is not only about source, either. It is about shared re-use. Pulling pre-built binaries from package repositories speeds up development, but it also makes security harder: a binary carries its own dependencies and their flaws with it, and its origin and version are less visible than those of source code.

What businesses have to do is create a robust corporate strategy to benefit from open source. Train development and operations teams to identify critical component usage. Understand that open source software must be managed differently from commercial software.

To improve governance, developers must also be trained to understand licence implications. Businesses have to define how open source software is patched, and keep an inventory of open source usage that covers binaries as well as source code.

Finally, it also helps to engage the relevant open source communities, since it is the community, not a vendor, that maintains the software.

Shared ownership is important here, says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center.

With this engagement, development and operations teams in a business will also find a way to solve interesting problems in the community and gain recognition beyond their regular day jobs, he explains, in a webinar on Synopsys' latest report.

The engagement with the community will also extend collaboration skills that can make the teams more agile, an ability especially important during the disruption facing many businesses today, he adds.

For more details, see Synopsys' 2020 Open Source Security and Risk Analysis Report.