Business Case for Improving Open Source Software Supply Chain Security and Resilience

How to improve open source supply chain security? Find out.

Last Updated: November 30, 2022

Open source is an amazing resource that not only fosters community but drives innovation and is imperatively necessary to build modern applications. However, open source software comes with its own security threats and challenges. Donald Fischer, CEO of Tidelift, shares why and how the security and resilience of the open source supply chain must be strengthened.

Today, according to Forrester, more than 50 percent of Fortune 500 companies use open source software (OSS) for their development projects. By now, the value of open source is well understood in most organizations: it speeds up application development, allowing organizations to create and improve their applications much more quickly by building on top of freely available code.

However, open source is free, like a free puppy. Initial acquisition cost is zero, but the costs of keeping it secure and well-maintained over time are often substantial. What’s more, the impact of not managing your open source supply chain effectively can be severe.

For example, one US government cabinet-level agency recently reported that it dedicated 33,000 hours to remediating the Log4Shell vulnerability, which amounts to at least $4M in engineering time for that single agency alone.

And after Equifax failed to update a vulnerable version of the Apache Struts package, causing the exposure of millions of consumer data records, it paid $700 million to settle actions by the US Federal Trade Commission, the Consumer Financial Protection Bureau, and all fifty states.

It’s no wonder that when business leaders today look at examples like these, the criticality of having a sound open source supply chain management strategy becomes clear.

Jim Mercer, vice president of DevOps and DevSecOps Solutions at IDC, recommends that organizations proactively build a plan for managing open source so they can stay safe while maximizing the benefits of using open source:

“Because of the constantly evolving threat landscape, organizations need a plan for managing the health and security of their OSS supply chain. The strategy must be socialized across technical and business stakeholders to get buy-in and should include organizational guidelines for OSS consumption, participation in the OSS community, and standards for security due diligence.”

An effective open source supply chain management plan must address both internal security and maintenance challenges as well as external software supply chain resilience challenges. 


Addressing Internal Open Source Security and Maintenance Challenges

Many organizations already recognize the challenges of keeping the open source components they use secure and updated. To address these issues, organizations should have a plan in place that comprehensively answers questions like those below, and they should then broadly socialize the answers across the organization. Many of these questions are extremely difficult for individual developers to answer on their own.

  • How does the organization decide who is responsible for ensuring open source components are secure and up-to-date and who is responsible for fixes?
  • Does the organization have a system in place to determine which components are approved for use, and how can developers find those answers?
  • If a developer wants to bring in a component that is not already approved for use, how do they do it, and who needs to be involved?
  • Who evaluates the security and maintenance practices of a component being pulled in to ensure they meet the organization’s own standards? And who within the organization sets and maintains those standards?

Thankfully, industry best practices for addressing these sorts of issues are now emerging. Organizations create a centrally managed catalog of vetted and approved components that is available to developers across the organization. The catalog grows over time as more components are approved, giving developers access to more components they do not have to research themselves. This makes developers more productive and decreases organizational risk.
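One way such a catalog is enforced in practice is a check in CI that compares a project's dependency manifest against the approved list. The script below is an added illustration, not Tidelift's tooling or anything described on this page: it assumes a simple catalog format (package name to lowest approved version) and a requirements.txt-style manifest, both constructed here as sample input, and reports components that are absent from the catalog, not pinned to an exact version, or pinned below the approved minimum.

```python
"""Check a dependency manifest against a catalog of approved components.

Added example (not Tidelift's tooling). The catalog format, package names
and versions below are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample catalog: lowest version an internal review has approved.
APPROVED_CATALOG: Dict[str, str] = {
    "requests": "2.28.0",
    "urllib3": "1.26.12",
    "certifi": "2022.12.7",
}

# Constructed sample manifest in requirements.txt style.
SAMPLE_MANIFEST = """\
# constructed sample requirements.txt
requests==2.31.0
urllib3==1.26.5
flask==2.3.0
certifi>=2022.1.1
"""


@dataclass(frozen=True)
class Finding:
    package: str
    version: Optional[str]
    reason: str


# name, optional operator + version, optional trailing comment
_REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"
    r"(?:\s*(?P<op>===|==|~=|>=|<=|!=|<|>)\s*(?P<ver>[0-9][0-9A-Za-z.*+!-]*))?"
    r"\s*(?:#.*)?$"
)


def normalize_name(name: str) -> str:
    """PEP 503 style normalisation so Flask, flask and flask_x compare alike."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version: str) -> tuple:
    """Turn '1.26.12' into (1, 26, 12); non-numeric segments count as 0."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_below(candidate: str, minimum: str) -> bool:
    """True if candidate is strictly older than minimum (missing segments = 0)."""
    a, b = parse_version(candidate), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_manifest(manifest: str, catalog: Dict[str, str]) -> List[Finding]:
    """Return one Finding per requirement that fails the catalog policy."""
    approved = {normalize_name(k): v for k, v in catalog.items()}
    findings: List[Finding] = []
    for raw in manifest.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _REQ_LINE.match(line)
        if not m:
            findings.append(Finding(line, None, "unparseable requirement line"))
            continue
        name = normalize_name(m.group("name"))
        op, ver = m.group("op"), m.group("ver")
        if name not in approved:
            findings.append(Finding(name, ver, "not in the approved catalog"))
        elif op != "==":
            # A range or unpinned requirement can resolve to an unreviewed version.
            findings.append(Finding(name, ver, "not pinned with ==; cannot verify against catalog"))
        elif version_below(ver, approved[name]):
            findings.append(Finding(name, ver, f"below approved minimum {approved[name]}"))
    return findings


if __name__ == "__main__":
    results = check_manifest(SAMPLE_MANIFEST, APPROVED_CATALOG)
    for f in results:
        print(f"{f.package} {f.version or ''}: {f.reason}")
    raise SystemExit(1 if results else 0)
```

Run against the constructed manifest, the check flags urllib3 (pinned below the approved minimum), flask (not in the catalog) and certifi (a range, not a pin) and exits non-zero, which is what a CI gate needs. The catalog lookup happens before the pinning check so that an unapproved package is reported as such rather than as merely unpinned.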

Addressing Supply Chain Resilience Challenges

While the internal security and maintenance challenges with managing open source have been well documented, a less-noticed but even more pernicious issue with open source is the increasing threat to the health and security of the upstream open source components themselves.

Log4Shell is an excellent example of this and has been highlighted in a report by the US Cyber Safety Review Board (CSRB), which remarked that the open source community is not currently robust enough to ensure that code meets enterprise standards and government guidelines.

But realistically, when volunteers are maintaining the majority of open source components, organizations should be asking a crucial question: who is going to take on the work of validating that open source packages meet these standards? 

The obvious answer is that maintainers would be the ones to do this work. But expecting them to take on additional responsibilities “out of the goodness of their heart,” without process and tooling support, is an assumption no organization should make, and relying on it is dangerous.

Proactively Addressing Both Security and Maintenance and Supply Chain Resilience Challenges

It should be a critical part of any organization’s open source management plan to proactively engage, at scale and with directly aligned financial incentives, with the maintainers of the open source projects it uses. Open source maintainers have the knowledge and access to secure their projects. It is in the best interests of the organizations that benefit from their work to ensure they are fairly compensated for it.

At the same time, application development leaders should identify tooling that can help them make sense of the emerging industry standards for open source software supply chain security and proactively evaluate open source packages against these standards while building a growing catalog of pre-vetted and approved open source components over time.

Open source usage in most organizations will inevitably continue to increase, and software supply chain incidents like Log4Shell are becoming more frequent. Against this backdrop, all organizations using open source should evaluate whether or not they have a sound open source software supply chain management strategy in place that can address the security, maintenance and resilience challenges that come with using open source.


Donald Fischer

Donald Fischer is co-founder and CEO of Tidelift. Previously he was a venture partner at General Catalyst, a member of the investment team at Greylock Partners, and an executive at Typesafe (now Lightbend) and Red Hat. He holds a BS in economics and computer science from Yale University, an MS in computer science from Stanford University, and an MBA from Columbia Business School.