Open source code helps software suppliers to be nimble and build products faster, but a new report reveals hidden software supply chain risks of open source that all software suppliers and IoT manufacturers should know about.
“We can’t lose sight that open source is indeed a clear win. Ready-to-go code gets products out the door faster, which is important given the lightning pace of the software space,” says Jeff Luszcz, vice president of product management at Flexera. “However, most software engineers don’t track open source use, and most software executives don’t realize there’s a gap and a security/compliance risk.”
Flexera surveyed 400 software suppliers, Internet of Things manufacturers and in-house development teams. It finds only 37 percent of respondents to the survey have an open source acquisition or usage policy, while 63 percent say their companies either don’t have a policy, or they don’t know if one exists. Worryingly, of the 63 percent who say their companies don’t have an open source acquisition or usage policy, 43 percent say they contribute to open source projects.
There is an issue over who takes charge of open source software too. No one within their company is responsible for open source compliance, or they don’t know who is, according to 39 percent of respondents.
“Open source processes protect products and brand reputation. But, most software and IoT vendors don’t realize there is a problem, so they’re not protecting themselves and their customers,” adds Luszcz. “This endangers the entire software supply chain – for the vendors whose products are exposed to compliance and vulnerability risk. And also for their customers who most likely don’t even know they’re running open source and other third-party software, or that it may contain software vulnerabilities.”
It’s long beyond time the FOSS community grows up and understands the necessity of compliance to professional corporations. Likewise, these corporations should understand that FOSS is subject to the same compliance and security update policies as their commercial software.