While the emphasis at WhiteSource is primarily on tracking open-source libraries and legal issues rather than purely technical aspects of security, Sass says he thinks "there's a special exposure" that comes with open source because attackers can read the code to find vulnerabilities. He also notes that it's commonplace for companies to develop and sell commercial software built on open-source libraries, and that many of those libraries fall out of date without anyone monitoring them.
A common problem is that companies, both vendors and enterprises, lose track of which open-source code they are even using, Sass says. But there's now a pushback among some businesses to press vendors to disclose their open-source usage. For example, "banks and insurance companies are already introducing clauses with vendors to provide them with a full list of open-source and the indemnification."
IOActive's Berg says his firm also sees its customers frequently taking up the open-source security question.
"The advice I tend to give IOActive's customers, where we deal with this issue regularly, is that before using any new external [free or open-source] component, the company has to do an extensive analysis of the component to answer some questions. What is the quality of the code? Does the project respond to upstream bugfixes and issues quickly? Do they have dedicated security contacts?"
Depending on the analysis in any given situation and the license the component was released under, the company anticipating use of open-source code may decide "to simply fork the software and maintain a separate fork internally," says IOActive's Berg. "This gives one the benefit of not having to disclose security issues to the upstream package authors," which may be "preferable" from the company's point of view.
This, however, may well be considered "bad form" by both companies and the open-source people working on the code because open-source communities prefer companies using open source to report back on serious issues that crop up, he adds.
Use of free and open-source code for either corporate-rolled or vendor-made products does bring the risk and responsibility that "one has to keep track of outside security issues and back-port them to the version of the library that the company is using," IOActive's Berg notes. "If the libraries move too far apart, this is an extra burden on the company." In any event, he says, playing "closely and openly" with the free and open-source community is needed.