“My mate Ruth told me a joke the other day… Superman walks into a pub…” That wasn’t difficult. I’ve provided attribution for the joke. “Credit where credit is due” as the saying goes.
Terms and conditions also sometimes come with a joke. I accept that nobody says “This joke may be used only in a jovial, positive social setting in company where no offense will be caused by the words. The joke may be elaborated upon and the identity of the superhero may be adapted for the audience”. But commonly, you will hear “don’t tell this to your mother…”.
Even with something as simple as a joke, we innately understand the concepts of attribution and terms of use. (It is interesting that attribution feels almost like a moral obligation!)
However, according to Black Duck’s Open Source Security and Risk Analysis 2017 study, 96% of applications ship with Open Source components and 53% ship with components under “unknown licenses”. That’s a joke! (Sorry, excuse the pun).
So, here is my simple case for why you, yes you, as the company’s asset manager, should be making this part of your remit.
Components are Software Assets!
It feels so obvious that maybe further elaboration is not required. By components I mean useful objects that are used in code, like a networking module or a search box. They might sit at a different layer of the OSI model, but they are still assets your company is using as part of a solution. They can still hide vulnerabilities and might need patching, so they need to be discovered, recorded and managed. Agreed? We are all doing that… right?
Get ahead of the game
My crystal ball is no better than anyone else’s (or I would know the punchlines before the joke ends). But there is a simple direction of travel:
• the commercial world is transforming through a digital revolution (Uber, AirBnB etc.), and that means more code
• I’ve said it before but I’m repeating it for emphasis: 96% of apps contain components
• Organisations are failing to manage components, are being hit hard for it, and will be hit harder post-GDPR, e.g. Equifax, Gloucester Council
I can’t imagine “whose job is it to manage this stuff?” was absent from the mind of the Equifax CEO.
It is a positive thing to do
I am well aware this is the weakest of my arguments. But as Asset Managers we spend a lot of time bearing bad news and hassling people for information. This is positive stuff! OK, you do need to get access to the code and you might need to argue with the head of development. But you will reach the day when your applications are published with a morally correct set of attributions (take a look at the attributions in Chrome), and that will make you feel professional. You will also have a nice shiny Bill of Materials which helps the development teams and helps the security people, and that will feel good. Then, when you get in front of the issue and identify that your organisation is one of the 400,000 instances of OpenSSL v1.01 still vulnerable to Heartbleed, you are going to feel heroic.
And feeling heroic is a good thing, because we all know… “Superman walks into a pub…”
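As an added illustration of the Bill of Materials idea above (example code written for this page, not part of the original post or any product), here is a minimal inventory check that flags the two problems the post calls out: components with an unknown licence, and OpenSSL builds in the Heartbleed-affected range (1.0.1 up to and including 1.0.1f; 1.0.1g carried the fix). The inventory is a constructed sample, and the `Component` record is a hypothetical, deliberately tiny BoM entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Component:
    """One line of a hypothetical, minimal Bill of Materials."""
    name: str
    version: str
    license: Optional[str]  # None means the licence was never recorded


def openssl_key(version: str) -> Tuple[int, int, int, str]:
    """Turn an OpenSSL version such as '1.0.1f' into a comparable tuple.

    Tuples compare element by element, and '' < 'a' < ... < 'g', so the
    letter suffix orders correctly after the numeric part.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g was the first fixed release.
HEARTBLEED_FIRST = openssl_key("1.0.1")
HEARTBLEED_FIXED = openssl_key("1.0.1g")


def heartbleed_vulnerable(version: str) -> bool:
    """True if this OpenSSL version falls inside the affected range."""
    return HEARTBLEED_FIRST <= openssl_key(version) < HEARTBLEED_FIXED


def audit(inventory: List[Component]) -> List[Tuple[str, str, str]]:
    """Return (name, version, issue) findings an asset manager would chase."""
    findings = []
    for c in inventory:
        if c.license is None:
            findings.append((c.name, c.version, "unknown licence: attribution and terms unresolved"))
        if c.name == "openssl" and heartbleed_vulnerable(c.version):
            findings.append((c.name, c.version, "Heartbleed-affected OpenSSL: upgrade to 1.0.1g or later"))
    return findings


# Constructed sample inventory, not taken from any real system.
SAMPLE_INVENTORY = [
    Component("openssl", "1.0.1f", "OpenSSL"),
    Component("openssl", "1.0.2", "OpenSSL"),
    Component("search-box-widget", "2.3.0", None),
    Component("netlib", "0.9.1", "MIT"),
]
```

Running `audit(SAMPLE_INVENTORY)` reports the 1.0.1f build and the widget with no recorded licence, and nothing else.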
© Source Code Control Limited 2017
Author: Paul McAdam
This work is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/4.0/
In summary, you are free to:
- Share — copy and redistribute the material in any medium or format
- Adapt — remix, transform, and build upon the material for any purpose, even commercially.
Under the following terms:
- Attribution — You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use.
- ShareAlike — If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original.
- No additional restrictions — You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
You do not have to comply with the license for elements of the material in the public domain or where your use is permitted by an applicable exception or limitation.
No warranties are given. The license may not give you all of the permissions necessary for your intended use. For example, other rights such as publicity, privacy, or moral rights may limit how you use the material.