Article Published in ISACA Journal: Mitigating OSS Risk

March 20, 2012 By Tim OBrien


Sonatype's Charles Gold has just published an article in the ISACA Journal: "Mitigating the Risk of OSS Software". Here's an excerpt from his ISACA blog discussing the article:

"[I]t has been reported that up to 80 percent of custom software code created today is assembled from open-source components. Upon closer examination, we see a software supply chain that lacks visibility and control and carries with it some glaring risks. While the industry has been quick to embrace open source for its rapid innovation and its undisputed acquisition cost benefits, it has largely ignored a fundamental problem: there is no update notification infrastructure for open-source components."

If you are a member of ISACA, you can read this article in the current issue (Volume 2, 2012) of the Journal. In the full article, Gold defines the challenges and risks associated with unmanaged OSS consumption and then lays out a series of recommended steps you can take to mitigate these risks.


What is ISACA?

ISACA is the Information Systems Audit and Control Association, a nearly 100,000-member international organization that publishes trade journals. ISACA is also responsible for two important certifications: Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). If you work in a critical industry like banking, government, or defense, it is likely that you've had some interaction with ISACA or ISACA-qualified personnel.


Gold's article raises awareness of application-level security within the context of OSS consumption. Here are two interesting excerpts from the article. The first talks about the disconnect between US-CERT security vulnerability warnings and the continued consumption of the affected artifacts from Central:

"Even when security warnings are posted and easily accessible, they are often overlooked. In March 2009, the US Computer Emergency Readiness Team (US-CERT) and the US National Institute of Standards and Technology (NIST) issued a warning that the Legion of the Bouncy Castle Java Cryptography API artifact was extremely vulnerable to remote attacks. In January 2011, almost two years later, 1,651 different organizations downloaded the vulnerable version of the artifact from the Central Repository within a single month."

[Figure 2—Transitive Dependencies Make It Difficult to Govern Component Usage]
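The two problems the excerpt and Figure 2 describe, a published advisory that nobody acts on and a vulnerable artifact hidden several levels down a dependency tree, are exactly what a build-time check should catch. The script below is an added illustration, not code from the article or from any Sonatype product: it walks a constructed Maven-style dependency graph to its transitive closure and reports every reachable component that a (constructed) advisory feed lists as affected, together with the path that pulled it in. All coordinates, versions and advisories are made-up placeholders.

```python
"""
Flag known-vulnerable open-source components reachable through a
project's transitive dependency graph.  Every value below is
constructed for illustration; none is a real project or advisory.
"""
from typing import Dict, List, Set, Tuple

# Constructed dependency graph keyed by "groupId:artifactId:version"
# (Maven-style coordinates).  Each entry lists that component's own
# direct dependencies, so a vulnerable artifact can sit two or more
# hops away from anything the application declares itself.
DEPENDENCY_GRAPH: Dict[str, List[str]] = {
    "com.example:webapp:1.0": ["org.example:http-client:2.3",
                               "org.example:json:1.1"],
    "org.example:http-client:2.3": ["org.example:crypto-lib:1.2"],
    "org.example:json:1.1": [],
    "org.example:crypto-lib:1.2": [],
}

# Constructed advisory feed: "groupId:artifactId" -> affected versions.
# In practice this would be populated from a vulnerability database.
ADVISORIES: Dict[str, Set[str]] = {
    "org.example:crypto-lib": {"1.1", "1.2"},
}


def resolve_transitive(root: str, graph: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return every coordinate reachable from root, mapped to the path that reaches it.
    Already-seen coordinates are skipped, so cycles cannot loop forever."""
    paths: Dict[str, List[str]] = {}
    stack: List[Tuple[str, List[str]]] = [(root, [root])]
    while stack:
        coord, path = stack.pop()
        for dep in graph.get(coord, []):
            if dep in paths:
                continue
            paths[dep] = path + [dep]
            stack.append((dep, paths[dep]))
    return paths


def find_vulnerable(root: str, graph: Dict[str, List[str]],
                    advisories: Dict[str, Set[str]]) -> List[Tuple[str, List[str]]]:
    """Return [(coordinate, path)] for each reachable component an advisory lists."""
    findings = []
    for coord, path in resolve_transitive(root, graph).items():
        group_artifact, _, version = coord.rpartition(":")
        if version in advisories.get(group_artifact, set()):
            findings.append((coord, path))
    return findings


if __name__ == "__main__":
    for coord, path in find_vulnerable("com.example:webapp:1.0", DEPENDENCY_GRAPH, ADVISORIES):
        print(f"VULNERABLE {coord} via {' -> '.join(path)}")
```

Running it reports the crypto library, which the application never declares directly, as reachable through the HTTP client; the same walk, fed by a real advisory source, is the notification step the article says the ecosystem lacks.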

And, the second addresses the problem of assessing exposure to OSS licenses:

"cutting through the complexity of acquiring and evaluating external components and the associated legal obligations can be difficult and time-consuming. There are multiple types of open-source licenses, each with different terms and conditions that must be met."

If you are consuming OSS without paying attention to some of the critical issues outlined in this article, you can start today by downloading a trial of Nexus Professional. With Nexus Professional's Repository Health Check you can keep track of your exposure to both security vulnerabilities and OSS licenses.


Written by Tim OBrien

Tim is a Software Architect with experience in all aspects of software development, from project inception to developing scalable production architectures for large-scale systems during critical, high-risk events such as Black Friday. He has helped many organizations, ranging from small startups to Fortune 100 companies, take a more strategic approach to adopting and evaluating technology and managing the risks associated with change.