Industry research shows that 95% of organizations use Open Source Software (OSS) in their mission critical applications. There are a number of reasons for this, including being able to develop applications faster and with higher quality. And, hey, its free, right? Last year (2016), there were 79 billion (with a ‘B’) downloads of OSS components!
At the same time, most organizations have no idea how much open source code they are actually using. In fact, the data says that organizations typically are aware of less than 10% of the open source software they are using.
For enterprises that are developing applications for internal use, OSS represents a potential security risk—there are software vulnerabilities in many OSS components. Well known OSS exploits include Heartbleed, Ghost and Shellshock. How many of those 79 billion downloads had more than 1 software vulnerability? 1 out of every 16. That’s more than 4.9 billion OSS components.
What can you do about this?
Many companies do the following to manage open source software use:
- They have an Open Source Review Board that—reviews and approves all OSS use, checks components for security risks, and creates a standard set of approved OSS components
- They have an OSS policy that they enforce
- They use tools to have an automated OSS Request / Approval process, keep a History of OSS use, and have a Repository for OSS components
- They scan their code to check for OSS and third party components, and vulnerability risk
There is also license compliance risk when using OSS, particularly for companies that are developing applications for sale or use outside of their own organization. Depending on the open source license being used for a given OSS component, there are different requirements, including, in some cases, the requirement to release your source code to the public. This is the case for the GPL v2 and GPL v3 licenses, for example.
Here is a handy field guide to OSS licensing:
We have also put together a checklist for open source software license compliance:
You can download a copy of this field guide and compliance checklist here.
To learn more about Flexera’s FlexNet Code Insight product, please visit our website.
You might also be interested in our on-demand Webinar: The State of Open Source Software (OSS): 2016 Year in Review.