Slashdot Mirror
Companies Overlook Risks in Open Source Software, Survey Finds (betanews.com)
An anonymous reader shares a report: Open source code helps software suppliers to be nimble and build products faster, but a new report reveals hidden software supply chain risks of open source that all software suppliers and IoT manufacturers should know about. The recent Equifax breach for example exploited a vulnerability in a widely used open source web framework, Apache Struts, and the study by software monetization specialist Flexera points out that as much as 50 percent of code in commercial and IoT software products is open source. "We can't lose sight that open source is indeed a clear win. Ready-to-go code gets products out the door faster, which is important given the lightning pace of the software space," says Jeff Luszcz, vice president of product management at Flexera. "However, most software engineers don't track open source use, and most software executives don't realize there's a gap and a security/compliance risk." Flexera surveyed 400 software suppliers, Internet of Things manufacturers and in-house development teams. It finds only 37 percent of respondents to the survey have an open source acquisition or usage policy, while 63 percent say either their companies either don't have a policy, or they don't know if one exists. Worryingly, of the 63 percent who say their companies don't have an open source acquisition or usage policy, 43 percent say they contribute to open source projects. There is an issue over who takes charge of open source software too. No one within their company is responsible for open source compliance, or they don't know who is, according to 39 percent of respondents.
Check out the primary source: Flexera. They are definitely not supporters of open source software.
Their business relies on closed source.
The real "Libtards" are the Libertarians!
These guys make license management software for big closed-source software packages (CAD, simulation, etc.). I've been fortunate enough that their software has always done its job and gotten out of the way (at my organization), but their end-user documentation is awful. Take their commentary on open-source software with a big pile of salt.
Did you read the article? Or even the summary? They are not claiming that open source is riskier than closed source. They are saying that companies that have no policy on the use of open-source software may be running (or distributing) software they are not even aware of. So when someone in charge of security sees that XYZ has a vulnerability, he may not know that they are affected. On the other hand, closed-source software generally requires approvals, money, licenses, etc, so the company is at least aware of the use of the software.