Slashdot Mirror


Companies Overlook Risks in Open Source Software, Survey Finds (betanews.com)

An anonymous reader shares a report: Open source code helps software suppliers to be nimble and build products faster, but a new report reveals hidden software supply chain risks of open source that all software suppliers and IoT manufacturers should know about. The recent Equifax breach for example exploited a vulnerability in a widely used open source web framework, Apache Struts, and the study by software monetization specialist Flexera points out that as much as 50 percent of code in commercial and IoT software products is open source. "We can't lose sight that open source is indeed a clear win. Ready-to-go code gets products out the door faster, which is important given the lightning pace of the software space," says Jeff Luszcz, vice president of product management at Flexera. "However, most software engineers don't track open source use, and most software executives don't realize there's a gap and a security/compliance risk." Flexera surveyed 400 software suppliers, Internet of Things manufacturers and in-house development teams. It finds only 37 percent of respondents to the survey have an open source acquisition or usage policy, while 63 percent say either their companies don't have a policy, or they don't know if one exists. Worryingly, of the 63 percent who say their companies don't have an open source acquisition or usage policy, 43 percent say they contribute to open source projects. There is an issue over who takes charge of open source software too. No one within their company is responsible for open source compliance, or they don't know who is, according to 39 percent of respondents.

20 of 132 comments

  1. How is it different for closed source software? by fred6666 · · Score: 5, Insightful

    How is it any different for closed source software? What if that proprietary software hasn't been updated in years? Surely if there is no update, there is no security risk, right?

    1. Re:How is it different for closed source software? by sexconker · · Score: 3, Interesting

      Yup. Here's how it works everywhere:

      We need to do X. How can we do X and how much will it cost?

      We could buy A, it costs $$$$$ to start / set up and ????? every year after. It'll do 80% of what we need and it says "secure" on the product page.

      We could build it ourselves. It'll take ??? months to do it, with a team of ?? people, and it'll do what we want and we'll be able to incorporate any changes needed later. It'll be unpolished, unreliable, and deployed too soon, but we'll add maintaining it to an existing employee's duties at no additional cost to us. Oh, other operating costs will be 0 because we'll tell the other department they have to run it since they run the current somewhat-related system that this will never fully replace.

      There's this open source thing that does a piece of what we need. We can wrap some crap around that and shit it out the door next month and never touch it again until it all falls apart.

    2. Re:How is it different for closed source software? by ShanghaiBill · · Score: 4, Interesting

      How is it any different for closed source software?

      If you run your own business, then OSS is better since it is free and likely more secure.

      If you are a middle manager, the situation is different. Your goal is not to minimize failure, but to protect your career. Proprietary software gives you someone else to blame.

    3. Re:How is it different for closed source software? by DickBreath · · Score: 3, Insightful

      If Equifax had used a proprietary server, not updated it in years, even though there was a published vulnerability, and then blamed the vendor, I bet that middle manager would be surprised at what would happen if they simply try to "blame the vendor".

      The Apache Foundation pointed out that Equifax was using unpatched software with a known vulnerability. How much louder would a commercial software company say that in public?

      Dear Middle Manager: Using proprietary software in order to "blame the vendor" may actually hurt your career worse than using open source software. The real thing that hurts your career is being incompetent and not doing basic things like patching software. Especially when you know that you are handling highly confidential private data that is a high value target to steal.

      --

      I'll see your senator, and I'll raise you two judges.

    4. Re:How is it different for closed source software? by bws111 · · Score: 4, Informative

      Did you read the article? Or even the summary? They are not claiming that open source is riskier than closed source. They are saying that companies that have no policy on the use of open-source software may be running (or distributing) software they are not even aware of. So when someone in charge of security sees that XYZ has a vulnerability, he may not know that they are affected. On the other hand, closed-source software generally requires approvals, money, licenses, etc, so the company is at least aware of the use of the software.

    5. Re:How is it different for closed source software? by UnknowingFool · · Score: 2

      Especially the example they cite is flawed. Equifax did not install a patch to Apache Struts that was six months old by the time the breach was announced. With closed software, Equifax may never have known that their software had a patch until after the vendor may have acknowledged it.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.

    6. Re:How is it different for closed source software? by Altrag · · Score: 2

      It's not. The point is that people forget that fact and just assume OSS is better because that's what they've been told over and over again, even though in the vast majority of cases with OSS, it's simply not true. All software has bugs and potential security risks no matter what philosophy the developers happen to follow.

      And I'm not talking about Linux vs Windows or Apache vs IIS -- all four of those are enormous products with an enormous amount of effort put into developing and testing them.

      I'm talking about the tiny one-offs that some dude slapped together 3 years ago and decided to release and has barely looked at since. People look at that and all they see is "OSS is secure cause eyeballs right!?" They fail to think about the fact that just because reading the code is possible, doesn't mean anyone's actually bothered doing it (or that the author has bothered applying any fixes/patches they were sent.)

    7. Re:How is it different for closed source software? by bws111 · · Score: 2

      THAT IS THE WHOLE POINT. Companies do NOT have policies regarding open source, so in fact they DON'T have a way of checking for issues. The article is not saying using open source is risky, or anything like that (which is how many here read it), but that you must have a POLICY regarding open source so you can remain in control of your systems. You can't just have people (admins or not) installing anything they want willy-nilly and stay in control.

    8. Re:How is it different for closed source software? by Altrag · · Score: 4, Interesting

      Because:
      1) It usually costs more. A third party selling a product is splitting the development costs among multiple customers. You building it yourself means eating 100% of the cost yourself. This is the main reason pretty much in all cases. But even when it isn't,

      2) You're probably going to do it worse. A third party selling a product is dedicated to that product and usually knows what they're doing pretty well. If you try to build it yourself, sure you can tailor it to your business needs better but at the cost of doing its primary job worse. Think of all of the TDWTF posts that relate to date handling because people don't know about, or can't be bothered using, one of the standard (and usually built-in in modern languages) set of date handling routines.

      Of course there's plenty of examples of companies going way too far and trying to jackhammer third party software into their business flow in a way it really was never meant to be used.. those situations are when they should be considering option 2.

    9. Re:How is it different for closed source software? by Ichijo · · Score: 2

      A third party selling a product is splitting the development costs among multiple customers. You building it yourself means eating 100% of the cost yourself.

      Unless, of course, you split the development costs among multiple customers!

      *sigh*

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.

    10. Re:How is it different for closed source software? by fred6666 · · Score: 2

      OK so now you admit that this has nothing to do with the code being open vs closed source.

      The next step is to realize it has nothing to do with free vs paid either. If you buy a software once, you may not update it, even if there is a new version, especially if the new version requires paying again.

      The problem is not lack of policy towards OSS. The problem is lack of policy towards security updates. The security update was available for Equifax. They didn't get the updated software. It has nothing to do with OSS.

  2. This article is an advertisement for Flexera by QuietLagoon · · Score: 4, Interesting

    Has /. really stooped this low?

  3. Re:Closed Source is Better by bobbied · · Score: 2

    Explain how closed source is better again?

    You have someone to blame when it all goes pear shaped... A wise man once said, "nobody was ever fired for buying IBM"...

    Of course, a number of folks went broke paying them..

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101

  4. It's easy to forget by PhrostyMcByte · · Score: 3, Interesting

    Modern development stacks using NuGet, NPM, Bower, etc. tend to make it exceedingly easy to insert someone else's code into your project without paying attention to licensing or vetting their code. And because of how easy it is to put your own stuff on these package managers, they're full of one-off projects that don't have the reliability or long-term maintenance of the major open-source projects.

    I'd fully expect to see a ton of small companies (small enough to not have strict process) with horrible dependencies.
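The point bws111 makes above (a company with no inventory of its open-source code cannot tell whether a newly published vulnerability in XYZ affects it) and the one PhrostyMcByte makes here (package managers pull in one-off transitive dependencies nobody vetted) both come down to the same practical control: know exactly what is installed, including transitive packages, and check that list against advisories. The following is an added example of that check, not code from the article, from Flexera, or from any of the commenters. The lockfile, the package names and the advisory records are constructed for illustration, and the advisory IDs are hypothetical; the range layout (introduced/fixed pairs) mirrors the OSV-style event model, but nothing here is a real advisory.

```python
"""Added example: build an inventory of open-source dependencies from a
lockfile and check it against vulnerability advisories.

Not code from the article or from Flexera; the lockfile, package names
and advisory records below are constructed for illustration.  The
advisory layout follows the OSV "events" idea (introduced/fixed), but
the IDs and packages are hypothetical.
"""
import json
import re

# Constructed package-lock.json (npm lockfileVersion 2/3 layout).  The
# nested "node_modules/.../node_modules/..." key is how a transitive
# dependency, pulled in by "web-helper", shows up in the lockfile.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/web-helper": {"version": "2.3.1"},
        "node_modules/web-helper/node_modules/tiny-parser": {"version": "0.4.2"},
        "node_modules/date-utils": {"version": "1.9.0"},
    },
})

# Constructed advisories with hypothetical IDs.  Each range is a list of
# (introduced, fixed) pairs; fixed=None means no fix has been published.
SAMPLE_ADVISORIES = [
    {"id": "ADV-0001", "package": "tiny-parser",
     "ranges": [("0.1.0", "0.5.0")]},
    {"id": "ADV-0002", "package": "date-utils",
     "ranges": [("2.0.0", "2.0.4")]},
    {"id": "ADV-0003", "package": "web-helper",
     "ranges": [("2.0.0", "2.3.0"), ("2.4.0", None)]},
]


def parse_version(text):
    """Turn '2.3.1' (or '2.3.1-beta') into a comparable tuple of ints."""
    core = text.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", core))


def parse_lockfile(text):
    """Return {package_name: version} for every installed package, direct
    or transitive.  The name is the path segment after the last
    'node_modules/', which is how nested copies are keyed."""
    data = json.loads(text)
    inventory = {}
    for path, entry in data.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        inventory[name] = entry["version"]
    return inventory


def is_affected(version, ranges):
    """True if version falls in any [introduced, fixed) interval."""
    v = parse_version(version)
    for introduced, fixed in ranges:
        if v < parse_version(introduced):
            continue
        if fixed is None or v < parse_version(fixed):
            return True
    return False


def audit(inventory, advisories):
    """Return [(advisory_id, package, installed_version)] for every
    installed package that sits in an affected range."""
    findings = []
    for adv in advisories:
        version = inventory.get(adv["package"])
        if version is not None and is_affected(version, adv["ranges"]):
            findings.append((adv["id"], adv["package"], version))
    return findings


if __name__ == "__main__":
    inv = parse_lockfile(SAMPLE_LOCKFILE)
    for name, ver in sorted(inv.items()):
        print(f"{name}=={ver}")
    for finding in audit(inv, SAMPLE_ADVISORIES):
        print("AFFECTED:", *finding)
```

Run against the constructed lockfile, the inventory lists three packages and the audit flags only tiny-parser 0.4.2, the transitive dependency that never appeared in anyone's package.json. That is the whole argument of the thread in miniature: the inventory has to come from what is actually installed (the lockfile, or the deployed artifact), not from what someone approved, and the advisory check has to be re-run whenever either the inventory or the advisory feed changes.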

  5. Slashvertisement by whoever57 · · Score: 4, Informative

    Check out the primary source: Flexera. They are definitely not supporters of open source software.

    Their business relies on closed source.

    --
    The real "Libtards" are the Libertarians!

  6. "software monetization specialist Flexera..." by ToTheStars · · Score: 5, Informative

    These guys make license management software for big closed-source software packages (CAD, simulation, etc.). I've been fortunate enough that their software has always done its job and gotten out of the way (at my organization), but their end-user documentation is awful. Take their commentary on open-source software with a big pile of salt.

  7. Re:Closed Source is Better by Narcocide · · Score: 2

    When I got ransomwared, Microsoft paid the ransom, because Windows was fully updated, and I maintained good security practices...

    Pics or it didn't happen.

  8. Re:Closed Source is Better by bugs2squash · · Score: 2

    Actually their helpful Engineers even called me before I knew I had a problem.

    --
    Nullius in verba

  9. monetization specialist by Curunir_wolf · · Score: 2

    'nuff said

    --
    "Somebody has to do something. It's just incredibly pathetic it has to be us."
    --- Jerry Garcia

  10. Re:Myths about open source are the problem here. by UnknownSoldier · · Score: 2

    Yeah, I know, DFTT

    > People use closed source software knowing full well that the product may be discontinued, or it may go unmaintained at some point. The risks are well known and understood.

    The software being open or closed is irrelevant to the discussion.

    > All we need to do is look at GitHub, SourceForge, or Apache to see that most open source projects do in fact end up dead. Of course, open source advocates don't admit to this.

    [[Citation]]

    The _difference_ is when Vendor A goes out of business you are _completely_ fucked for future updates. Good luck fixing bugs in a closed source program.

    When an OSS project stops being maintained the source is _still_ there. You have the _option_ of hiring a competent programmer to fix bugs in it -- with closed source there is no option.

    The _real_ problem is that you picked an OSS project that wasn't popular enough. What The Fuck were you doing when you _evaluated_ the software in the first place??? The _first_ thing you do when picking ANY software from a business POV regardless if it is closed, or open, is to evaluate:

    a) the _community,_
    b) _support_, and
    c) a BACKUP plan. That is, what was your _migration strategy_ for WHEN "this software is no longer available?" What's that? You didn't _think_ of THAT scenario? Blaming OSS for your own short-sighted stupidity is a moronic attempt at trying to pass the buck for your incompetence.

    > myth is probably that open source software is somehow "better".
    > Open source products are just as buggy as closed source software products are.

    As opposed to the FACTs that closed source is buggy-as-shit ???

    In fact, the most recent report (2013) found open source software written in C and C++ to have a lower defect density than proprietary code. The average defect density across projects of all sizes was 0.59 for open source, and 0.72 for proprietary software.

    It is hard the get an accurate bug count with closed source because closed source is too embarrassed to tell the truth but here are some stats:

    * Windows 2000 had 63,000 bugs,
    * Windows 7 had 2,000 bugs,
    * Windows 10 1,300 bugs

    No one pretends OSS is some silver bullet. But it has numerous advantages that closed source will NEVER have (by definition.) Every disadvantage that OSS has is _also_ the exact same for closed source.

    You can't put a price on freedom.

    Mod parent -1 troll.