Open Source Software | How to Secure Your Source Code | Orbital Law

Open Source software is now so prevalent that nearly 80-90% of modern software is made up of Open Source components. It can be found in everything from smartphone operating systems to cloud computing, self-driving cars, the Internet of Things and critical infrastructure such as the electricity grid.

There are many benefits to Open Source software: it is cost-effective, more transparent and free of vendor lock-in, and it offers increased security, reliability and free access to the code, which means a faster time to market. However, benefits such as reliability and increased security are only realised if the Open Source software has a thriving community that supports and improves it.

Along with the benefits, there are several areas of concern as well. Too often, the focus of any software development is getting it to work. With so many development projects going awry, a successful implementation brings such euphoria that most companies get on with business and only revisit the software when something goes wrong. When Open Source code is used to develop the software, there are further reasons to be concerned.

Why you should be concerned

According to the 2020 OSSRA Report, 99% of codebases audited in 2019 contained Open Source components. Of these codebases:

  • 79% contained vulnerabilities.
  • 49% contained high-risk vulnerabilities.
  • 33% contained unlicensed software.
  • 67% had license conflicts.
  • 82% had components more than four years out of date.
  • 88% had components with no development activity in the last two years.

The OSSRA Report highlighted that some components were over ten years old, with the oldest being 22 years old.

What you should do about it

  • Software bill of materials (BOM) – your developer should provide you with a software bill of materials that identifies all the components used in the development. Software Composition Analysis (SCA) tools can provide the information required in a BOM for software that has already been developed.
  • Processes and Policies – you will need to have policies in place to identify and patch known issues. Unlike proprietary software, where the vendor pushes patches and fixes to you, Open Source software comes with no such service. With Open Source, the community issues minor updates faster, and companies will need to monitor these and decide whether to update.
  • Understand Open Source licence risks – just because Open Source software is free does not mean its licence has no restrictions or limitations. Do not assume that your software developer has checked to ensure that licence conditions are met. There is also the possibility that some Open Source components have no licence rights attached at all, which raises other issues as to the extent of permitted use. Lastly, developers sometimes create custom licences or add additional clauses to existing licence types. For example, the OSSRA Report notes that some Open Source developers add clauses related to political and ethical issues to existing Open Source licence types.
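As an added example (not from the article, and not any SCA vendor's code), the following Python checks a software bill of materials against the three risks listed above: components with no licence declared, components older than the four-year mark used in the OSSRA figures, and licences that a company policy disallows. The SBOM is a constructed CycloneDX-style document; the "released" property and the disallowed-licence list are assumptions, not standard fields or legal advice.

```python
import json
from datetime import date
# Constructed CycloneDX-style SBOM for illustration (not a real audit result);
# the "released" property is an assumed convention, not a standard CycloneDX field.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "old-ssl-lib", "version": "1.0.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "properties": [{"name": "released", "value": "2014-01-06"}]},
        {"type": "library", "name": "mystery-util", "version": "0.1.0",
         "properties": [{"name": "released", "value": "2023-03-01"}]},
        {"type": "library", "name": "copyleft-parser", "version": "2.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}],
         "properties": [{"name": "released", "value": "2023-03-01"}]},
    ],
})

# Policy inputs: the article's four-year age threshold, and licences a
# hypothetical company policy excludes from its proprietary product.
MAX_AGE_YEARS = 4
DISALLOWED_LICENCES = {"GPL-3.0-only"}

def licence_ids(component):
    """SPDX licence ids declared for a component (empty set if none)."""
    return {e["license"]["id"] for e in component.get("licenses", [])
            if "license" in e and "id" in e["license"]}

def release_date(component):
    """Read the assumed 'released' property; None when it is absent."""
    for prop in component.get("properties", []):
        if prop.get("name") == "released":
            return date.fromisoformat(prop["value"])
    return None

def audit_sbom(sbom_json, today_iso):
    """Map each flagged component name to its list of findings."""
    today, findings = date.fromisoformat(today_iso), {}
    for comp in json.loads(sbom_json)["components"]:
        issues, ids = [], licence_ids(comp)
        if not ids:
            issues.append("no licence declared")
        for lic in sorted(ids & DISALLOWED_LICENCES):
            issues.append("disallowed licence " + lic)
        released = release_date(comp)
        if released and (today - released).days > MAX_AGE_YEARS * 365:
            issues.append("older than %d years" % MAX_AGE_YEARS)
        if issues:
            findings[comp["name"]] = issues
    return findings
```

Run against a real CycloneDX file by reading it into `sbom_json`; components that the SCA tool dates differently will need the `release_date` lookup adjusted to that tool's output.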

Conclusion

Open Source code that developers use to develop software is only a benefit if it is supported and updated. It is important that companies monitor updates to Open Source components and implement patches and updates, especially those related to security flaws, as some of the biggest security breaches, Heartbleed for example, have resulted from flaws in Open Source components. It is also crucial to ensure that licence conditions are reviewed and their impacts assessed, especially if companies intend to commercialise their software, as non-standard licence conditions could impact the valuation of the software.

  • Obtain an Open Source software bill of materials either from the developer during development or through an SCA tool by way of an audit.
  • Review all Open Source licences.
  • Have policies in place to manage, evaluate and mitigate security and legal risks.
  • Have processes in place to monitor vulnerabilities, updates and upgrades.

Orbital Law has extensive experience reviewing and assessing legal risks related to use of Open Source software. If we can assist you in reviewing your licence terms, please get in touch.