As VP and General Counsel at Black Duck Software, I live and breathe open source legal issues day in and day out. While license compliance remains a top priority for most general counsels (GCs), I’ve seen a growing concern for the potential security risks related to companies’ increasing use of open source.
Looking Beyond Open Source License Compliance Risk
As general counsels, our fundamental responsibility is to mitigate the overall risk and exposure of the companies we serve. Just as the roles of CIOs and CTOs have needed to rapidly evolve along with the pace of technology, it is now becoming critically important for lawyers to understand emerging software security challenges.
Open source has become pervasive throughout most companies’ software development processes. Sixty-six percent of today’s companies create software for customers built on open source. Yet, sixty-seven percent fail to monitor open source code for security vulnerabilities. With over four thousand open source vulnerabilities reported each year, that’s a more security exposure than most companies can handle.
It is clear the role GCs play in helping companies deploy processes and methods for managing open source code must now be broadened to also include the identification and tracking of related security vulnerabilities.
Averting Open Source Security Liabilities
General counsels must begin to better equip themselves to help their companies avoid significant security as well as compliance risks by understanding the following important security challenges and issues:
- Most companies lack visibility into and control over the open source software in their code base(s)
- Open source security vulnerabilities go undetected by most security testing tools
- The great impact hidden vulnerabilities can have on a company’s reputation, supply chain, data security, and bottom-line
- The growing need for automated, dynamic tools to identify, mitigate, and continually monitor known vulnerabilities
Without a systematic process for identifying and tracking an organization’s open source use, it can be nearly impossible to know what open source it is using and where and how it is deployed throughout a code base. This lack of visibility hampers compliance with applicable open source licenses and, can often lead to the selection and deployment of open source components without proper legal and engineering vetting – ultimately causing important licensing, code quality, and security issues to be overlooked.
General counsels can and should be important partners to security and development teams in proactively engaging in risk management and prevention to help their companies avert costly and damaging legal difficulties and critical security issues as they arise.
Read this paper, “What General Counsel Needs to Know About Open Source Software” to learn more about how general counsels can help protect their companies from the legal and financial ramifications of open source software security threats.