General Counsels Must Understand Open Source Security Threats

Why General Counsels Need To Understand Open Source Security Threats

As VP and General Counsel at Black Duck Software, I live and breathe open source legal issues day in and day out. While license compliance remains a top priority for most general counsels (GCs), I’ve seen a growing concern for the potential security risks related to companies’ increasing use of open source.

Looking Beyond Open Source License Compliance Risk

As general counsels, our fundamental responsibility is to mitigate the overall risk and exposure of the companies we serve. Just as the roles of CIOs and CTOs have needed to rapidly evolve along with the pace of technology, it is now becoming critically important for lawyers to understand emerging software security challenges.

Open source has become pervasive throughout most companies’ software development processes. Sixty-six percent of today’s companies create software for customers built on open source. Yet sixty-seven percent fail to monitor open source code for security vulnerabilities. With over four thousand open source vulnerabilities reported each year, that’s more security exposure than most companies can handle.

It is clear that the role GCs play in helping companies deploy processes and methods for managing open source code must now be broadened to include the identification and tracking of related security vulnerabilities.

Averting Open Source Security Liabilities

General counsels must begin to better equip themselves to help their companies avoid significant security as well as compliance risks by understanding the following important security challenges and issues:

Without a systematic process for identifying and tracking an organization’s open source use, it can be nearly impossible to know what open source it is using and where and how it is deployed throughout a code base. This lack of visibility hampers compliance with applicable open source licenses and can often lead to the selection and deployment of open source components without proper legal and engineering vetting, ultimately causing important licensing, code quality, and security issues to be overlooked.

General counsels can and should be important partners to security and development teams in proactively engaging in risk management and prevention to help their companies avert costly and damaging legal difficulties and critical security issues as they arise. 

Read this paper, “What General Counsel Needs to Know About Open Source Software” to learn more about how general counsels can help protect their companies from the legal and financial ramifications of open source software security threats.

The General Counsels' Guide to Open Source Software
