Software finished eating the world sometime in 2016, when Marc Andreessen modified his original statement to “software is programming the world.” I think Andreessen moves closer to the mark with his new version. But I’d clarify still a bit more and say…
Scott Crawford, research director of information security at 451 Research, and Phil Odence, general manager of Black Duck Audits with Synopsys, noted in the Jan. 24 webinar Managing the Business Risks of Open Source that technology—and the companies using that technology—are highly dependent on open source. In fact, the Synopsys 2018 Open Source Security and Risk Analysis (OSSRA) report found that almost 30% of the 1,100 codebases audited contained more than 50% open source components. Many applications now contain more open source than proprietary code. But if you don't know what’s in your code, you can’t manage open source risk.
Organizations embracing open source for proprietary software development also need to embrace strategies for managing open source risk, specifically licensing and vulnerability risks. Let’s look at licensing first:
As well as risk from vulnerabilities in proprietary code, there is also risk from open source vulnerabilities:
After outlining the risks, Crawford and Odence detailed how software composition analysis (SCA) can help developers take a proactive stance before incorporating open source risk into their software. Specifically, SCA can help you to:
Of course, those are only some of the highlights of the 60-minute webinar. I encourage you to watch it in full at your convenience. You’ll learn more about the threats open source can pose and the ways that businesses can better evaluate and mitigate them. There’s a way to manage open source risk that fits with the central role open source plays in the fast-moving world of software innovation.