-
Open Source
Open source software has become indispensable to almost all organisations, with estimates of over 95% of mission critical software containing open source components. This large uptake does come at a cost, however, there are hundereds of thousands of new security vulmerability advisories published related to open source software compents annually, This highlights the importance of businesses having a detailed knowledge of their open source components and following compliance guidelines.
Why build trust in your software supply chain?
Just like hardware, software has a supply chain - from the developers to the users. By building trust in this supply chain, not only are you increasing transparency, but you are also increasing the confidence that your customers and partners have in your software. Failure to manage this supply chain effectively, however, can lead to a wealth of issues, such as:
- Difficulty managing licences - single proprietary applications are often composed of multiple open source components that are released under different licence types. With the existence of over 200 licence types, managing all of these can be problematic.
- Potential infringement issues - Open Source components may introduce intellectual property infringement risks because these projects lack standard commercial control, giving means for proprietary code to make its way into open source projects. Appropriate Due Diligence into Open Source projects can flag infringement risks.
- Operational risks - failure to track open source components to update them is a primary concern that could result in operational issues
- Developer malpractice - infringement risks can arise from developer malpractice
- Security issues - business and customer security can be put at risk if source codes contain hidden malware or are not fully licenced
What is the Open Source Service from Source Code Control?
Source Code Control provide a start to finish three-step process to help you manage Open Source Software supply chain:
- Conformance Review - Assessment of the management of Open Source Software in line with the conformance requirements of the OpenChain specification, using Software Composition Analysis.
- Documentation - A fully documented overview of an organisation's management of Open Source Software will be produced, including a rating for each relevant process and proof of adherence to the OpenChain specification such as a Bill of Materials or Open Source Policies.
- Implementation - A project plan is put in place outlining the process of conformance in line with OpenChain specification requirements and targeting areas of weakness. Conformance allows organisations to display and promoted their adherence to these requirements, increasing transparency in the software supply chain
- Source Code Control have also created a bespoke training program based on this curriculum which can be used to educate a wider audience of the business or just key members
ISO/IEC 5230 — OpenChain Specification
ISO/IEC 5230:2020 — OpenChain Specification is a Linux Foundation initiative with the objective of building trust in open source software.
The OpenChain Specification identifies the key requirements of a quality open source compliance program. OpenChain Conformance allows organizations to show they meet these requirements. The OpenChain Curriculum supports this process by providing extensive reference material for effective open source training and management. The result is that open source license compliance becomes more predictable, understandable and efficient for all participants in the software supply chain.
The OpenChain Project builds trust in open source by making open source license compliance simpler and more consistent
Software Composition Analysis (SCA)
The term used to classify tools and services that helps organisations build an inventory of Open Source Software components, libraries and frameworks that developers use to build an application:
- Licencing and copyright information - What is the licence of the components and libraries used in software development?
- Security vulnerability information - Are there any known vulnerabilities in the components and libraries used in software development?
- Operational information - How well supported is the components and libraries used in software development?
- Used as part of the Open Chain conformance
Open Source Policy/Developer Guide
Documentation for risk management guidance on Open Source Software
- Having clearly defined Open Source Software Policy is fundamental to the success of a professionally managed Open Source Software problem
- The policies defined will guide organisations on decision making processes in managing risk in Open Source Software and will enable the implementation of a Continuous Compliance Program
- The policy provides guidance across all areas of the business impacted by risk in Open Source Software, such as: licencing, security vulnerability management and strategies
- An organisation can transparently demonstrate to external customers and partners the policy in order to drive customer and partner satisfaction
Continuous Compliance
We see compliance as a journey; vulnerabilities can appear that were not there before and need to be mitigated for:
- Managing risk in Open Source Software should be a continuous process not a one-off audit/remediate exercise
- Updating the policies in check with the rest of the business to make sure everyone understands
- We can provide bespoke training programmes on how to build continuous compliance within the business process