“[I]t has been reported that up to 80 percent of custom software code created today is assembled from open-source components. Upon closer examination, we see a software supply chain that lacks visibility and control and carries with it some glaring risks. While the industry has been quick to embrace open source for its rapid innovation and its undisputed acquisition cost benefits, it has largely ignored a fundamental problem: there is no update notification infrastructure for open-source components.”
If you are a member of a ISACA, you can read this article in the current issue (Volume 2, 2012) of the Journal. In the full article Gold defines the challenges and risks associated with unmanaged OSS consumption and then defines a series of recommended steps you can take to mitigate these risks.
ISACA is the Information Systems Audit and Control Association a nearly 100,000 member, international organization that publishes trade journals. ISACA is also responsible for two important certifications: Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). If you work in an critical industry like banking, government, or defense, it is likely that you’ve had some interaction with ISACA or ISACA qualified personnel.
Gold’s article raises awareness of application-level security within the context of OSS-consumption. Here are two interesting excerpts from the article. The first talks about the disconnect between US-CERT security vulnerabilities and the consumption of artifacts from Central:
“Even when security warnings are posted and easily accessible, they are often overlooked. In March 2009, the US Computer Emergency Readiness Team (US-CERT) and the US National Figure 2—Transitive Dependencies Make It Difficult to Govern Component Usage Institute of Standards and Technology (NIST) issued a warning that the Legion of the Bouncy Castle Java Cryptography API artifact was extremely vulnerable to remote attacks. In January 2011, almost two years later, 1,651 different organizations downloaded the vulnerable version of the artifact from the Central Repository within a single month.”
And, the second addresses the problem of assessing exposure to OSS licenses:
“cutting through the complexity of acquiring and evaluating external components and the associated legal obligations can be difficult and time-consuming. There are multiple types of open-source licenses, each with different terms and conditions that must be met.”
If you are consuming OSS without paying attention to some of the critical issues outlined in this article, you can start today by downloading a trial of Nexus Professional. With Nexus Professional’s Repository Health Check you can keep track of your exposure to both security vulnerabilities and OSS licenses.