An anonymous reader shares a report: Open source code helps software suppliers to be nimble and build products faster, but a new report reveals hidden software supply chain risks of open source that all software suppliers and IoT manufacturers should know about. The recent Equifax breach, for example, exploited a vulnerability in a widely used open source web framework, Apache Struts, and the study by software monetization specialist Flexera points out that as much as 50 percent of code in commercial and IoT software products is open source. "We can't lose sight that open source is indeed a clear win. Ready-to-go code gets products out the door faster, which is important given the lightning pace of the software space," says Jeff Luszcz, vice president of product management at Flexera. "However, most software engineers don't track open source use, and most software executives don't realize there's a gap and a security/compliance risk." Flexera surveyed 400 software suppliers, Internet of Things manufacturers and in-house development teams. It finds only 37 percent of respondents to the survey have an open source acquisition or usage policy, while 63 percent say either their companies don't have a policy, or they don't know if one exists. Worryingly, of the 63 percent who say their companies don't have an open source acquisition or usage policy, 43 percent say they contribute to open source projects. There is an issue over who takes charge of open source software too. No one within their company is responsible for open source compliance, or they don't know who is, according to 39 percent of respondents.
How is it any different for closed source software? What if that proprietary software hasn't been updated in years? Surely if there is no update, there is no security risk, right?
Yup. Here's how it works everywhere:
We need to do X. How can we do X and how much will it cost?
We could buy A, it costs $$$$$ to start / set up and ????? every year after. It'll do 80% of what we need and it says "secure" on the product page.
How is it any different for closed source software?
If you run your own business, then OSS is better since it is free and likely more secure.
If you are a middle manager, the situation is different. Your goal is not to minimize failure, but to protect your career. Proprietary software gives you someone else to blame.
The Apache Foundation pointed out that Equifax was using unpatched software with a known vulnerability. How much louder would a commercial software company say that in public?
Dear Middle Manager: Using proprietary software in order to "blame the vendor"
How is it any different for closed source software?
Presumably the difference is mainly between FREE software (usually open-source) which it's easy to incorporate without any kind of tracking other than what's written in your build system.
Versus COMMERCIAL software (usually closed-source) where you definitely have tracking -- purchases, sign-offs, ongoing commercial relationships, and just lots of business process. When you bought it you probably had a sales-droid from the selling company assigned to your account, and they'll be sending you emails and remind
Explain how closed source is better again?
You have someone to blame when it all goes pear shaped... A wise man once said, "nobody was ever fired for buying IBM"...
Of course, a number of folks went broke paying them..
When I got ransomwared, Microsoft paid the ransom, because Windows was fully updated, and I maintained good security practices...
Pics or it didn't happen.
Modern development stacks using NuGet, NPM, Bower, etc. tend to make it exceedingly easy to insert someone else's code into your project without paying attention to licensing or vetting their code. And because of how easy it is to put your own stuff on these package managers, they're full of one-off projects that don't have the reliability or long-term maintenance of the major open-source projects.
As opposed to closed source? (Score:2)
Considering that there was a post a short while ago about how Microsoft got pwned half a decade ago and never made it public, putting everyone at risk? How is Equifax's refusal to patch their software in any way relevant to the fact that Struts is OSS? How many of these same companies were asked if they had closed source compliance teams?
The whole article smells like so much bullshit I'm having to lean away from my computer.
This is about third party software, not esp. OSS (Score:2)
Slashvertisement (Score:2)
Check out the primary source: Flexera. They are definitely not supporters of open source software.
Their business relies on closed source.
"software monetization specialist Flexera..." (Score:2)
I am going to go all out and say it... (Score:2)
Computer systems, both hardware and software, have simply become too complicated for the average PHB and for the average company.
