According to the Black Duck 2015 Future of Open Source Survey, 78 percent of companies use significant amounts of open source software in their development, and that percentage is steadily rising. While license compliance continues to be top of mind for many lawyers, a related issue, the security implications of increased open source usage, is also now becoming clear. It is critical for general counsels (GCs) to understand this emerging challenge, learn what it means for their companies' bottom lines, and understand how they can help drive the conversation about open source security among their company's senior leadership.
Given the increasing role of open source, GCs can be instrumental in helping their organizations deploy systems and processes for tracking and managing the open source code introduced into their products. Without a systematic process for identifying and tracking open source use, an organization often cannot say what open source it is using, or where and how that software is deployed in its code base. This lack of visibility hampers compliance with applicable open source licenses and, typically, with the organization's own governance policies. Often, software development groups select and deploy open source components without proper legal and engineering vetting, which allows important licensing obligations, code quality problems, and security issues to be overlooked.
Security: Hidden Vulnerabilities Could Mean Future Problems
The National Vulnerability Database (NVD), the Open Sourced Vulnerability Database (OSVDB), and commercial vulnerability databases such as Risk Based Security’s VulnDB, together report some 4,000 vulnerabilities in open source code emerging each year. Yet according to the 2015 Future of Open Source Survey, 67 percent of companies fail to monitor open source code for security vulnerabilities. Clearly, open source code security issues represent looming future challenges for GCs and their partners in IT.
Recent, well-publicized vulnerabilities such as Heartbleed and Shellshock provide a case in point. Heartbleed was a missing bounds check in the OpenSSL library's handling of the TLS heartbeat extension; OpenSSL is the library many web servers use to negotiate encrypted connections with browsers. A remote client could use the flaw to read chunks of server memory, potentially exposing private keys, credentials, and session data, without leaving a trace in ordinary server logs. When Heartbleed emerged, more than 500,000 organizations across the globe were left pondering their degree of exposure. For companies lacking visibility into the open source components in their code bases, Heartbleed remediation was a logistical nightmare: affected servers had to be found, patched, and re-keyed, and their certificates reissued.
Similarly, Shellshock, a flaw in the "bash" shell (an integral part of Linux, many Unix systems, and Apple's Mac OS X), let attackers execute arbitrary commands remotely on websites and other outward-facing servers. Bash would run commands appended to a function definition that was passed in through an environment variable. Because the CGI (Common Gateway Interface) convention used by web servers such as the open source Apache httpd hands request headers to scripts as environment variables, any CGI script written in bash, or one that invoked a shell, could be attacked with nothing more than a crafted HTTP request. That made the threat particularly serious and widespread.
With both Heartbleed and Shellshock, the vulnerabilities lurked in widely deployed code for years before they were exposed, highlighting the need for ongoing visibility into the open source code in use in an organization's code base. Worryingly, some observers argue that such flaws represent only the beginning of a coming onslaught.
Crucial Issues for Corporate Counsels
Given these realities, GCs should familiarize themselves with a number of important open source security-related issues. Armed with this information, GCs will be better equipped to help their organizations avoid significant security, governance, and compliance risks. These issues include:
Liability and its relationship to the supply/value chain.
When companies fail to view IT security as a standard part of third party due diligence, and central to their relationships with suppliers and customers, they pay a price. With increasing attention on consumer data privacy and security, for example, vendors and suppliers that put customer security first (including open source security) will benefit from an attractive and differentiated value proposition in today’s marketplace. Trying to understand your own organization’s use of open source and achieving even nominal comprehension of your internal risks is challenging enough (as the 2015 Future of Open Source Survey reveals). It’s quite another challenge to gain visibility into your suppliers’ and vendors’ use of open source. Increasingly, supply chain management is focused on understanding and evaluating open source code ingress from tool kits, software packages, and even hardware products obtained from business partners and suppliers.
Savvy customers require their vendors and suppliers to provide a comprehensive bill of materials identifying all open source components resident in their products, together with the exact version of each component, since whether a given flaw applies almost always depends on the version. Only with such a list can the open source components be mapped against the vulnerability databases identified above and potential security issues be identified and averted. Using automated tools to create an accurate and up-to-date catalogue of open source code in use, and to refresh it with every release, is one way to streamline this process.
The importance of security policies—and why GCs need to stay in the mix.
Having a meaningful open source code security policy in place, including specific procedures for implementing, executing, and auditing that policy, is critical. Lawyers should stay plugged in to this process all the way through to code shipment and beyond. Often, legal counsels drop out of the mix after the initial legal analysis is done and they deem the then-current code base to be open source license-compliant. But the code base in nearly every company today is in a constant state of evolution, and new security threats are always on the horizon. GCs can and should be important partners to IT in proactively engaging in risk management and prevention and in mitigating security issues as they arise.
Making executive teams aware of the value of keeping an accurate code inventory.
Customers, lenders, VCs, and insurers are all increasingly concerned about software code security, licensing, and quality due diligence, so companies’ senior management teams should be equally concerned. The ability to provide an accurate and up-to-date bill of materials for open source code can head off a host of problems. Many companies today already produce open source software bills of materials for license compliance reasons, so why wouldn’t they want to also map those bills of materials against code vulnerabilities? One answer appears to be that this issue isn’t on the radar, so it simply isn’t considered. But security breaches can and do result in lawsuits, damage to company reputations, and regulatory implications.
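The two passages above (requiring a bill of materials from suppliers, and mapping an existing license-compliance bill of materials against vulnerability data) describe one mechanical step: for each component and version in the inventory, ask whether it falls inside a known-affected version range. The script below is an added example, not code from the original article or from any of the databases it names. The SBOM rows and the vulnerability feed are constructed sample data; the OpenSSL range mirrors the real Heartbleed-affected versions (1.0.1 up to and including 1.0.1f, fixed in 1.0.1g), while the "acme-parser" component and its ranges are fictional. It also shows why a naive string comparison is not enough: "1.0.1f" must sort after "1.0.1" and before "1.0.1g".

```python
"""Match an open source bill of materials against a vulnerability feed.

Added example, not from the original article. SBOM and FEED below are
constructed sample data (the OpenSSL range reflects the real Heartbleed
versions; the acme-parser entry is fictional).
"""
import re
from typing import NamedTuple

# Constructed SBOM: what an inventory tool would report for one product.
SBOM = [
    {"name": "OpenSSL", "version": "1.0.1f"},
    {"name": "openssl", "version": "1.0.1g"},
    {"name": "acme-parser", "version": "2.4.0"},
    {"name": "acme-parser", "version": "3.1.2"},
]

# Constructed feed. Ranges are half-open, as in OSV: introduced <= v < fixed.
FEED = [
    {"id": "EXAMPLE-HEARTBLEED", "component": "openssl",
     "ranges": [{"introduced": "1.0.1", "fixed": "1.0.1g"}]},
    {"id": "EXAMPLE-0002", "component": "acme-parser",
     "ranges": [{"introduced": "2.0.0", "fixed": "2.4.1"},
                {"introduced": "3.0.0", "fixed": "3.1.0"}]},
]

_SEGMENT = re.compile(r"(\d+)([a-z]*)")


def parse_version(text):
    """Turn '1.0.1f' into ((1,0),(0,0),(1,6)) so plain tuple comparison orders
    1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g < 1.0.2. A letter suffix is read as
    a patch counter (a=1, b=2, ..., z=26, aa=27); no suffix is 0."""
    parts = []
    for seg in text.lower().split("."):
        m = _SEGMENT.fullmatch(seg)
        if not m:
            raise ValueError(f"unparseable version segment {seg!r} in {text!r}")
        num, letters = m.groups()
        suffix = 0
        for ch in letters:
            suffix = suffix * 26 + (ord(ch) - ord("a") + 1)
        parts.append((int(num), suffix))
    return tuple(parts)


def _pad(parts, n):
    # Pad so that 1.0 and 1.0.0 compare equal instead of by length.
    return parts + ((0, 0),) * (n - len(parts))


def version_in_range(version, introduced, fixed=None):
    """True if introduced <= version < fixed (no upper bound when fixed is None)."""
    v, lo = parse_version(version), parse_version(introduced)
    hi = parse_version(fixed) if fixed else None
    n = max(len(v), len(lo), len(hi) if hi else 0)
    v, lo = _pad(v, n), _pad(lo, n)
    if v < lo:
        return False
    return hi is None or v < _pad(hi, n)


class Finding(NamedTuple):
    component: str
    version: str
    vuln_id: str


def match_sbom(sbom, feed):
    """Return every (component, version, vuln_id) in the SBOM that falls inside
    an affected range. Component names are compared case-insensitively."""
    by_name = {}
    for vuln in feed:
        by_name.setdefault(vuln["component"].lower(), []).append(vuln)
    findings = []
    for comp in sbom:
        for vuln in by_name.get(comp["name"].lower(), []):
            if any(version_in_range(comp["version"], r["introduced"], r.get("fixed"))
                   for r in vuln["ranges"]):
                findings.append(Finding(comp["name"], comp["version"], vuln["id"]))
    return findings


if __name__ == "__main__":
    for f in match_sbom(SBOM, FEED):
        print(f"{f.component} {f.version}: affected by {f.vuln_id}")
```

Run against the sample data, the script flags OpenSSL 1.0.1f and acme-parser 2.4.0 and leaves OpenSSL 1.0.1g and acme-parser 3.1.2 alone, which is the decision an upgrade recommendation rests on. Real feeds (NVD, OSV, commercial databases) use richer affected-version encodings and package ecosystems have their own version rules, so in practice the parser is the part that has to be adapted per ecosystem; the matching loop stays the same.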
Conclusion: What GCs Can Do to Avert Legal Fallout from Open Source Security Issues
The bottom line is that much of the exposure described above could have been averted if companies had known to upgrade to the remediated revision of the affected open source components, or had known enough not to select component versions with known vulnerabilities in the first place. All too often, however, a lack of active management of, and insight into, the selection, deployment, and ongoing maintenance of open source components means that companies fail to deploy even the most basic and reasonable risk avoidance measures. GCs therefore need to engage with the rest of the senior leadership team to ensure these issues are addressed. They can, and should, play a crucial role in guiding the upper management discussion about software security, and their proactive contributions and ongoing participation in the process may well help their organizations avert costly and damaging legal difficulties.