Open Source Management

Today's apps are continuous, third-party integrations

Virtually all contemporary apps are assembled from numerous third-party open source software (“OSS”) packages, which present potential security and licensing risk to organizations regardless of whether they develop software themselves. As apps increasingly rely on OSS, organizations should incorporate analysis for both security and licensing risk.

We don’t compete with open source management vendors; we work with them.

Many teams do manage their OSS, ideally with vendor tooling, the vast majority of which offers both OSS vulnerability and license analysis. For organizations exploring options, we help navigate and tailor evaluation, selection, and practice recommendations specific to your business and no one else’s. We are deeply connected with the OSS analysis market and apply that for your benefit with no recommendation incentive other than the best fit for what makes your OSS management requirements unique.

We don’t compete with OSS security vulnerability and license analysis and program management vendors; we work with them and their products.

Security Vulnerabilities

OSS usage without vulnerability review significantly increases the risk of successful cyber attacks, whether or not an organization develops software. Exceptionally costly compromises by advanced and evolving threats, ransomware in particular, routinely rely on software vulnerabilities to accomplish their objective, a topic covered under our services’ Cybersecurity overview.

Whether or not your organization develops software (and, if so, for whatever reason), the odds that your applications contain OSS are nearly 100%, and the newer an app or its current version, the larger its volume of OSS. The “inherent security risk” of OSS vs. non-OSS is an intractable debate not worth having; all that matters is that (1) software contains flaws, (2) some of those flaws give attackers an advantage, and (3) OSS usage has grown enormously, especially over the past decade, and continues to grow. It follows that app security analysis should cast the widest net.

However, organizations are positioned to reduce risk by reviewing and reducing their OSS security exposure (and, subject to specifics, non-OSS exposure as well). We elaborate in The Hitchhiker’s Guide to SCA and SAST and briefly outline here the two predominant and established methods.

Open Source Software Composition Analysis (“Open Source SCA”)
Open Source SCA relies on vendor tools to break down an application (i.e., reveal its composition), identify its OSS components and their versions, check them against databases of known security vulnerabilities, and, where available, offer remediation options (typically a patched version).

It is essentially that straightforward and may be used to evaluate an entire software portfolio, a single app, or even one component. The same core technique also drives OSS license composition analysis, and both increasingly offer SBOM output options (see SBOM vs. OSS Compliance). One caveat: because SCA matches identified component names and versions against a catalog, it reports only vulnerabilities already recorded against that component; it does not examine the code itself, so an unrecorded flaw, or a component the tool fails to identify, goes unreported.
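The matching step described above, reduced to its core, as an added example that is not Sector 7G’s or any vendor’s tooling: pinned components are read from a requirements file, normalized, compared against advisory version ranges in the introduced/fixed shape that OSV-style feeds use, and the same inventory is emitted as a minimal CycloneDX-shaped SBOM. The advisory records, package names and requirements text are constructed for illustration and correspond to no real advisory.

```python
"""Minimal SCA-style check: identify pinned components, match them against
advisory data, and emit the inventory as a CycloneDX-shaped SBOM.

Added example, not Sector 7G's or any vendor's product. The advisory
records and the requirements text below are constructed; the package
names and advisory IDs are hypothetical, not real advisories.
"""
import json
import re

# Constructed advisory data in the shape OSV-style feeds use: each
# affected range has an "introduced" version and an optional "fixed" one.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "acme-parser",
     "ranges": [{"introduced": "0", "fixed": "2.3.1"}]},
    {"id": "EXAMPLE-0002", "package": "acme-parser",
     "ranges": [{"introduced": "3.0.0", "fixed": "3.0.4"}]},
    {"id": "EXAMPLE-0003", "package": "widget-auth",
     "ranges": [{"introduced": "1.0.0"}]},          # no fix published yet
]

# Constructed requirements.txt content (pinned versions only).
REQUIREMENTS = """\
# application dependencies
acme-parser==2.2.0
Widget_Auth==1.4.2
requests==2.31.0   ; python_version >= "3.8"
flask==3.0.0
"""


def normalize_name(name):
    """PEP 503 normalization so 'Widget_Auth' and 'widget-auth' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v):
    """Dotted numeric versions only (enough here); pre-release and local
    segments would need a full PEP 440 implementation."""
    return tuple(int(p) for p in v.split("."))


def parse_requirements(text):
    """Return {normalized_name: version} for '==' pins. Comments, markers
    and unpinned lines are skipped; a real tool would flag the latter."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([0-9][0-9.]*)$", line)
        if m:
            pins[normalize_name(m.group(1))] = m.group(2)
    return pins


def is_affected(version, ranges):
    """Affected if introduced <= version < fixed; a range with no 'fixed'
    covers every later version."""
    v = parse_version(version)
    for r in ranges:
        lo = parse_version(r["introduced"])
        hi = r.get("fixed")
        if v >= lo and (hi is None or v < parse_version(hi)):
            return True
    return False


def find_vulnerabilities(pins, advisories=ADVISORIES):
    """Return [(name, version, advisory_id, fixed_in)] for matching pins."""
    findings = []
    for adv in advisories:
        name = normalize_name(adv["package"])
        if name in pins and is_affected(pins[name], adv["ranges"]):
            fixes = [r["fixed"] for r in adv["ranges"] if "fixed" in r]
            findings.append((name, pins[name], adv["id"],
                             fixes[-1] if fixes else None))
    return findings


def to_cyclonedx(pins):
    """Emit the same inventory as a minimal CycloneDX 1.5 JSON SBOM."""
    components = [
        {"type": "library", "name": n, "version": v,
         "purl": f"pkg:pypi/{n}@{v}"}
        for n, v in sorted(pins.items())
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}


if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    for name, ver, adv_id, fixed in find_vulnerabilities(pins):
        fix = f"upgrade to {fixed}" if fixed else "no fixed version yet"
        print(f"{name}=={ver}: {adv_id} ({fix})")
    print(json.dumps(to_cyclonedx(pins), indent=2))
```

Two things worth noticing: name normalization matters (a tool that compares `Widget_Auth` to `widget-auth` literally misses the match), and an advisory with no fixed version still has to be reported, since “nothing to upgrade to” is a risk decision for the organization rather than a reason to suppress the finding.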

Static Testing
Static testing’s concern is different from, but equally important as, composition analysis. Whereas the latter identifies an app’s OSS components (and proceeds from there), the former examines an application’s actual code, open source or not, for potentially insecure coding patterns regardless of who or what is responsible for them. The difference may not be immediately clear, so consider this quick reference:

Composition Analysis
Identifies existing, publicly-available OSS components and reports any known security vulnerabilities and patch options.

Static Testing
Examines the code itself for insecure code, reports findings, and may offer corrective guidance.

While static testing is (and should be) used more by code-authoring organizations, it is not limited to them. Specifics depend heavily on context, but an organization conducting static security testing on a particular app is, in too many cases, the first ever to do so, and detecting and fixing security vulnerabilities there deprives attackers of considerable advantage.
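To make the contrast with composition analysis concrete, here is an added example (not Sector 7G’s or any SAST vendor’s product) of what “examining the code itself” means in practice: the program is parsed into an abstract syntax tree and each call is checked against a small set of insecure-pattern rules, so a finding depends on what the code does, not on which package it came from. The sample source and the rule set are constructed for illustration.

```python
"""Minimal static check: walk a program's AST and flag insecure call
patterns in the code itself, regardless of who wrote it.

Added example, not Sector 7G's or any SAST vendor's product. The sample
source below is constructed; the rule set is deliberately small.
"""
import ast

# Constructed sample: two findings and one call that should not be flagged.
SAMPLE_SOURCE = '''
import subprocess, pickle

def run(cmd):
    return subprocess.run("ls " + cmd, shell=True)   # command injection risk

def load(blob):
    return pickle.loads(blob)                        # untrusted deserialization

def safe(cmd):
    return subprocess.run(["ls", cmd], shell=False)  # list argv, no shell
'''


def call_name(node):
    """Dotted name of a Call's callee, e.g. 'subprocess.run' or 'eval';
    None when the callee is not a plain name/attribute chain."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
        return ".".join(reversed(parts))
    return None


def keyword_true(node, name):
    """True if the call passes name=True as a literal keyword argument."""
    for kw in node.keywords:
        if (kw.arg == name and isinstance(kw.value, ast.Constant)
                and kw.value.value is True):
            return True
    return False


def scan(source, filename="<sample>"):
    """Return [(line, rule, callee)] for every call matching a rule."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = call_name(node)
        if name is None:
            continue
        if name in ("eval", "exec"):
            findings.append((node.lineno, "dynamic-code-execution", name))
        elif name in ("pickle.load", "pickle.loads"):
            findings.append((node.lineno, "untrusted-deserialization", name))
        elif name.startswith("subprocess.") and keyword_true(node, "shell"):
            findings.append((node.lineno, "shell-true-command-injection", name))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule, callee in scan(SAMPLE_SOURCE):
        print(f"<sample>:{line}: {rule} ({callee})")
```

The limits are as instructive as the findings: `shell=True` passed through a variable rather than a literal, or `subprocess` imported under another name, escapes these rules, which is why production static analyzers resolve imports and track data flow rather than matching call names. The point for the quick reference above stands either way: nothing here consulted a component database, and the same rules apply to vendored OSS and to first-party code alike.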


License Composition and Compliance

OSS usage without license review risks problems ranging from incompatible licenses to license non-compliance and more. But security breaches make headlines, not licensing, so where is the risk? Consider, for example:

  • SBOM (“software bill of materials”) requirements
  • Jeopardizing funding, M&A, or vendor selection/retention
  • Internal or external non-compliance
  • Potential litigation.

We bring both comprehensive open source legal and development expertise to identify risk and work with counsel, compliance, and technical teams on licensing issues and remediation options. Additionally, analysis varies; for example, left-shifted, single-component review is much different from deep composition analysis of a large inventory with thousands of components, dependencies, and other factors.

Fortunately, even for large analysis efforts, license issue remediation is nearly always non-technical. The most common issues are addressed in simple, non-legal terms in our Learning Center’s Top OSS License Issues: Part 1 and revisited in Top OSS License Issues: Part 2.

Let’s mitigate these potential liabilities.

Tying These Together: An OSS Management Program

Our extensive OSS experience uniquely suits us to suit you uniquely.

Sector 7G places OSS vulnerability risk mitigation first when building a comprehensive, tailored, yet manageable OSS program, including vendor evaluation and selection, security, compliance, inventorying and archiving, and other matters subject to organization specifics. Equally important, we understand that any organization would rather avoid additional program and asset management overhead, and our extensive OSS technical, security, and legal experience uniquely suits us to suit you uniquely.

DISCLAIMER
Sector 7G Consulting LLC (“Sector 7G”) does not provide, nor should anything from Sector 7G be construed as, legal advice or the establishment of legal representation or attorney-client privilege. Additionally, Sector 7G strongly encourages review of all licensing with legal counsel.