Many software developers and enterprise users have been lax or oblivious to the need to properly manage open source software, suggest survey results Flexera released Tuesday.
Companies are not mindful of open source components and fail to monitor security implications, according to the report, which highlights the consequences of failure to establish open source acquisition and usage policies, and to follow best practices.
Flexera polled more than 400 commercial software suppliers and in-house software development teams within enterprises about their open source practices.
More than half of the software products currently in use contain open source components, based on the survey’s findings.
Open source software allows companies to be nimble in their development, but the risks and security implications are grossly overlooked and not adequately managed, according to Flexera’s research team.
“We did this study to put some numbers behind what we have been seeing with open source developers over the last decade,” said Jeff Luszcz, vice president of product management at Flexera.
What still is surprising in the 2017 process is how little process and control there is around the use of open source and commercial code in software development, he told LinuxInsider.
Among those who responded to Flexera’s survey were software suppliers, Internet of Things manufacturers and members of in-house development teams. Their responses formed the basis of Flexera’s report, “Open Source Risk — Fact or Fiction.”
A clear benefit of open source software is that it helps software suppliers to be nimble and build products faster, according to Flexera. The report reveals hidden software supply chain risks that all software suppliers and IoT manufacturers should know about.
- Only 37 percent of respondents had an open source acquisition or usage policy.
- Sixty-three percent said either that their companies did not have an open source acquisition or usage policy, or they did not know if one existed.
- Thirty-nine percent of respondents said that either no one within their company was responsible for open source compliance, or they did not know who was.
- Thirty-three percent of respondents said their companies contributed to open source projects.
- Of the 63 percent who said their companies did not have an open source acquisition or usage policy, 43 percent said they contributed to open source projects.
Open Source is a clear win. Ready-to-go code gets products out the door faster, which is important given the lightning pace of software development, said Flexera’s Luszcz.
“However, most software engineers do not track open source use, and most software executives do not realize there is a gap and a security/compliance risk,” he added.
The key lesson the report teaches software and IoT companies is that their processes for managing open source security and licensing have not kept pace with open source’s rapid adoption. That is putting the companies and their customers at risk.
No Safety Zone
A debate still rages over which type of software is safer to use — open source or proprietary. No scenario exists in which proprietary software is safer than open source, argued Mike Baker, managing partner atMosaic451.
“Security through obscurity does not work. It has never worked,” he told LinuxInsider.
A clear and obvious structural conflict of interest exists for a privately held company to acknowledge that its core product — its software — would terrible risks in the event it was hacked. Private companies do not acknowledge these things unless they are forced to do so.
The benefits of exposing code and allowing interested groups and individuals to look at your core infrastructure is that bugs are exposed quickly and publicly, and can be resolved swiftly, Baker said.
Maintaining software security is a cyclical, never-ending process, and the need for constant vigilance contributes in large part to security failures, whether in open source or commercial applications, observed Terry Cox, vice president of content at Linux Academy.
“At least with open source, I can immediately start pulling it apart without NDA or other copyright limitations preventing me from understanding and mitigating my security exposures,” he told LinuxInsider.
Unchecked Code Problematic
Unchecked use of open source is a growing problem in software development and enterprise applications, noted Francis Dinha, CEO of OpenVPN.
Careless use of open source software presents a huge liability to companies, those who choose to use it need to do their research first, he cautioned.
“Use open source software that is mature, developed and supported by a real business,” Dinha told LinuxInsider.
Still, most open source software is more secure than proprietary software, and many proprietary software vendors are much slower to fix bugs since they are tied into their release cycle, said Mark Radcliffe, a partner atDLA Piper.
“Companies should adopt a robust OSS Use Policy and enforce it. Part of the policy should include having engineers regularly check project sites for security and other updates,” he told LinuxInsider. “They should integrate the management of OSS into their development methodology, and treat the process similar to enterprise resource planning-implemented procedures.”
A compelling driver for open source software adoption is the need for solutions to technical problems when developing a software application, noted Flexera’s Luszcz. Nobody is misusing or poorly using open source code for malicious purposes.
Developers want to solve the technical problems they encounter. They use high-quality open source code that solves application problems. However, they don’t have a mandate to follow the licensing and pursue the patching, he explained.
“For a typical company, the time to do that is not on the road map. If you do not have it in your process, then it does not get done. This creeps up on management,” Luszcz said. “This is not an open source problem. Open source is great. Its components are high quality, and it is driving innovation. It is really a management issue.”
Workflow Issues at Fault
Open source is part of today’s engineering landscape, noted Howard Green, vice president of marketing at Azul Systems, and responsibility for following best practices starts with development teams and the architects who work with them.
“Companies that fail to follow best practices will have issues whether they are embracing open source or not,” he told LinuxInsider.
There’s no apparent increase in carelessness or failure to review code before it goes into production, maintained Green.
Some organizations may stumble quite visibly in this regard, he acknowledged, but “they cannot be characterized as anything but outliers. Senior operations and line-of-business executives need to understand and actively manage the technologies that drive their business.”
Isn’t the question that large companies use lots of software without properly updating it (both commercial and open source). Just as an example, Oracle waits a long time before it releases security patches for its various software. Thus, many vulnerabilities are announced and not patched for some time. It’s also too simple to generalize about open source software. "Open Source" varies from commercially supported software, to publishing a pet project for your friends. Certainly we could make a case that responsibly published and maintained software is easy to keep up to date. If you can get the latest code with "apt update / apt upgrade" (or it’s equivalent), and you don’t… the license of the code isn’t your problem.
Why SHOULD the majority of companies (small, uderfunded; low-quality, in general) care ANYTHING about the security risks of using FOSS? FOSS lends itself to being considered as nothing more than a ‘free ride’ by these entities who would have never considered developing a product and offering it for sale, had the development of that product included a healthy licensing fee for the (of-dubious-benefit, and contributing nothing, anyway) software…regardless of the "customer-security" claims and protestations of a major Operating System supplier.
What do we think is the reason for the cancer on our society known as ‘the Internet of Things’? Major clue: we blame them–rightly so–for a lot of things, but it ain’t Microsoft.
I know that your main thrust is software these days, but I was wondering if you would, given your impressive Linux background, consider a review of what appears to be an excellent non-Microsoft laptop by a premier manufacturer: the HP 15.6" ZBook 15u, which runs the FreeDOS 2.0 operating system, and which could probably be made into a Linux machine as a ‘no-brainer’ (I really don’t know, but would deeply appreciate the advice of an expert).