Hidden Risks in Software Systems

18.11.2021

Dr. Andreas Kotulla

Open Source

Open source software (OSS) is everywhere and has become indispensable for modern software development. In addition to its enormous distribution, open source software is characterized by the special way in which it is created. Much of it is developed through the collaboration of experts, sometimes from all over the world, and made available on the Internet.

Companies hope that this special possibility of distributed crowd development will above all bring cost advantages in the creation of their own IT applications. But beware! The seemingly “public domain” work of the community is subject to copyright. And as the author, each developer defines precisely the conditions under which their software may be used. This is usually regulated by license agreements included with the code. These can be structured very differently. It is therefore important to familiarize yourself with the conditions. They may conflict with your own strategy – for example through the obligation to publish the modified code freely again.

However, it is not only legal pitfalls that need to be considered when using OSS. As with all software, security vulnerabilities are regularly discovered in OSS components. These are usually quickly fixed by the community and published in databases such as the National Vulnerability Database (NVD). It is therefore important to know which components are used in your own software so that they can be “patched” quickly in the event of security vulnerabilities. If OSS is not continuously monitored, application security can be jeopardized. Despite these risks, many companies state that they do not have formal processes in place to track and manage their OSS usage. When the code is then analyzed, many teams find that their applications contain many more open source components with corresponding risk potential than originally thought.

This is illustrated by analyses of how well companies know which OSS components they use. The chart below from our partner Revenera shows the extent to which companies are aware of their own use of OSS (gray bars), and compares this with what they actually use (red bars). A clear trend has been observable for some years now: the number of open source packages in use is increasing rapidly, but users are less and less aware of this. This increases the risk of unnoticed exposure to the above-mentioned risks. There are many reasons for the increasing use: for example, package managers are increasingly being used, which automatically pull in other dependent OSS.

At the same time, however, the processes for managing open source in development teams have barely improved in the last 10 years.
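The two points above, that vulnerable components must be found quickly in your own software and that package managers pull in far more dependencies than teams know about, can be demonstrated with a small inventory check. The following Python script is an added example and is not Bitsea's or Revenera's tooling; the package names, versions, the "registry" of what each package depends on, and the advisory identifiers are all constructed placeholders, not real packages or CVE numbers. It resolves the full transitive dependency tree from the two direct dependencies a team believes it has, then matches every component in the tree against a list of advisories.

```python
"""Constructed example: inventory the full (transitive) OSS dependency tree of
an application and match it against vulnerability advisories. All package
names, versions and advisory ids below are made up for illustration."""

from dataclasses import dataclass

# Constructed "registry": what each package version pulls in, as a package
# manager would resolve it. Key = (name, version), value = its dependencies.
REGISTRY = {
    ("webapp-frontend", "2.0.0"): [("http-client", "1.4.0")],
    ("http-client", "1.4.0"): [("url-parser", "0.9.1"), ("logger", "3.1.0")],
    ("url-parser", "0.9.1"): [],
    ("logger", "3.1.0"): [("json-encode", "1.2.3")],
    ("json-encode", "1.2.3"): [],
    ("db-driver", "5.2.0"): [("logger", "3.1.0")],
}


@dataclass(frozen=True)
class Advisory:
    """One vulnerability record, in the spirit of an NVD entry (constructed)."""
    advisory_id: str
    package: str
    fixed_in: str  # first version that is no longer affected


# Constructed advisories; the ids are placeholders, not real CVE numbers.
ADVISORIES = [
    Advisory("ADV-CONSTRUCTED-001", "json-encode", "1.2.4"),
    Advisory("ADV-CONSTRUCTED-002", "url-parser", "0.9.0"),  # already fixed here
    Advisory("ADV-CONSTRUCTED-003", "http-client", "1.5.0"),
]


def parse_version(version):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def resolve_transitive(direct_deps, registry=REGISTRY):
    """Return every (name, version) reachable from the direct dependencies."""
    seen = set()
    stack = list(direct_deps)
    while stack:
        component = stack.pop()
        if component in seen:
            continue
        seen.add(component)
        stack.extend(registry.get(component, []))
    return seen


def find_vulnerable(components, advisories=ADVISORIES):
    """A component is affected if its version is older than the fixed version."""
    hits = []
    for name, version in sorted(components):
        for adv in advisories:
            if adv.package == name and parse_version(version) < parse_version(adv.fixed_in):
                hits.append((name, version, adv.advisory_id, adv.fixed_in))
    return hits


def audit(direct_deps):
    """Compare what the team knows (direct deps) with what is actually in use."""
    components = resolve_transitive(direct_deps)
    hidden = components - set(direct_deps)
    return {
        "direct": len(direct_deps),
        "transitive": len(hidden),
        "total": len(components),
        "vulnerable": find_vulnerable(components),
    }


if __name__ == "__main__":
    # The team believes its application consists of two OSS components.
    known_direct = [("webapp-frontend", "2.0.0"), ("db-driver", "5.2.0")]
    report = audit(known_direct)
    print(f"known: {report['direct']}, actually in use: {report['total']}")
    for name, version, adv_id, fixed_in in report["vulnerable"]:
        print(f"  {name} {version} affected by {adv_id}, fixed in {fixed_in}")
```

With the constructed data, two declared dependencies expand to six components, and two of the four transitive ones are matched by an advisory; neither would have been found by checking only the declared list. A real implementation would read the package manager's lock file for the registry and query the NVD (or a commercial feed) for the advisories, and would run on every build so that newly published entries are picked up.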

[Chart: Number of known vs. used OSS components (bar chart in pink and gray). Source: Revenera Professional Services Audit Data 2012 – 2020]

Conclusion: Companies that rely on open source components are exposed to increasing risks due to ever-growing security gaps and the danger of compliance violations, often without them being aware of it. For these reasons, it is strongly recommended that companies set up their own open source offices, or at least appoint an “OSS” contact person for the development departments who knows how to deal with the new risks.

Bitsea identifies hidden risks in software systems and assists with technical due diligence and IT compliance. We advise clients on the use and management of open source software. Our clients include well-known companies from the automotive, telecommunications, logistics and aerospace industries. Bitsea is a partner of the OpenChain project.