Open source software is everywhere (which is not a bad thing in itself). However, many buyers don’t have inventory of open source components included in software products they are buying. Business even fail in keeping tack of open source components used in internally developed applications. As a result, vulnerability management programs have blind spots.
Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.
Why it matters:
- Use of open source software is not bad in itself. Everyone uses open source software. The biggest examples are Linux and Apache server.
- Many commercial software vendors use open source components but don’t properly and adequately disclose all open source components included in the commercial products.
- Recent vulnerabilities (e.g. log4j) have far reaching impact.
- Software applications developed in-house also include open source components. As these applications age and the initial developers move on to new jobs, older and vulnerable open source components may still stay in the applications unnoticed for long time.
What to do:
- It is crucial to have an up-to-date inventory of all open source software, whether used as standalone products or embedded as a library inside a product. We can’t manage if we don’t know its existence.
- Require your software vendors to provide you with a list of all open source libraries and their versions embedded into their products.
- Make this list part of the vulnerability management program. Monitor release of new vulnerabilities and patches for your inventory of open source software components.
When building a bill of material for open source components, it is imperative to not only contact your software vendors but also review all software applications developed in-house. In some cases you may use source code scanning tools to build inventory of these components.