Open source risks threaten all business users – it’s clear we must get a better understanding of open source software


Open source systems are now deeply embedded across technology stacks, from Android devices to mission-critical enterprise systems and, of course, AI. There are businesses built on open source, and organisations with an open source-first policy. And there are countless other businesses that use at least some open source, somewhere, in their operations.

Surveys show that open source use is holding up. The 2024 State of Open Source survey from vendor OpenLogic reports that 95% of respondents use open source technology. Recent research from the Linux Foundation, GitHub, and the Laboratory for Innovation Science at Harvard (LISH) found that businesses invest $7.7 billion into the open source ecosystem per year.

But the sheer ubiquity of open source raises its own problems. All too often, IT teams lack a complete picture of how they use open source software (OSS), and where.

They are unlikely to know all the dependencies between open source components and other parts of their infrastructure.

In some cases, they might not even know they have OSS at all, usually because they have bought software, or services, in which the vendor has used open source. One estimate, from Black Duck [PDF], is that 70-90% of the code in software-as-a-service offerings is, in fact, open source.

This lack of oversight causes real problems, as the Log4J vulnerability showed: organisations scrambled to work out whether, and where, they were exposed to a flaw in a logging library embedded in countless applications, often several layers down their dependency trees. Security is not the only concern. Licensing and support issues around open source can cause real problems for enterprises if they lack proper visibility into how they use OSS, and where.

Taking a frank look at open source risks

Enterprises use open source software for a host of good reasons: cost, flexibility, and the ability to view the source code are just some. Adopted properly, open source solutions can be more economical, and at least as robust and secure as proprietary applications. Open source advocates argue that OSS is actually more secure and more reliable.

But that does not remove all the risks.

“Open source is both a blessing and a liability,” Tomislav Ljubas, managing director for corporate IT and cyber security at Gruppe Deutsche Börse / Stoxx, tells ITPro.

“It gives flexibility, but that freedom comes at a cost: trust. The fundamental issue is the accountability, whom to ring when things go wrong? With proprietary software, there’s at least a vendor on the hook… With open source, you’re often betting on a maintainer who never signed up for 24/7 incident response.”

The danger is that a well-meaning developer uses, or reuses, code written by an equally well-meaning contributor to the open source community, and that, as Ljubas warns, the software later ends up unsupported, leaving weaknesses and unpatched vulnerabilities in the systems that depend on it.

“Risk isn’t just about security vulnerabilities. It’s about operational resilience and legislation such as DORA,” he says. “A critical dependency can disappear overnight due to burnout, license shifts, or outright hostility; see recent incidents where maintainers intentionally sabotaged projects. Do you have a plan for that?”

“Open source is like all software,” says Matt Middleton-Leal, managing director for EMEA North at security vendor Qualys. “It is not the software itself that is problematic, but how it is kept up to date and managed.

“Open source software is often used within larger enterprise software deployments, whether those are from commercial suppliers or for internally developed applications, and those tools should be kept up to date to protect against issues or potential vulnerabilities.

“Where this falls down is when those tools are either overlooked, or ignored - this is where vulnerabilities creep in, and then can lead to potential attacks. The biggest example of this is Log4J - this tool was used widely across applications, but it contained a vulnerability. Fixing that issue was a huge issue for some companies.”

Using OSS safely

Better awareness among CIOs and software development teams was one result of Log4J, as experts worked to better manage open source software in order to reduce risk. Changes within the open source community itself have also reduced some of its core risks.

As Amanda Brock, CEO of open source industry group OpenUK, points out, the ability to “fork” open source projects has removed some of the risks around OSS, including those from licence changes. Forking is hard work, but it maintains the open nature of the code, Brock tells ITPro. But users still need to be on their guard.

“Despite the power of the fork, a wise user will check out the contributing community of a project to ensure that it is not employee-only, and become familiar with the health of a project, before it becomes dependent on that project,” Brock says. “This kind of process is increasingly a part of the ‘curation’ of open source by corporate users.”

Integrating open source into projects needs that extra effort if enterprises are to keep their systems robust and secure. Tools such as software bills of materials (SBOMs) help with traceability and visibility: an SBOM records which components, at which versions, are in a build, and which other components pull them in, so that when an advisory lands the question “are we exposed, and through what?” can be answered from inventory rather than by guesswork. But development teams need to keep monitoring their dependencies as well; an SBOM is a snapshot, and it is only as complete as the tooling that generated it. Using software from an open source foundation, such as the Cloud Native Computing Foundation (CNCF) or Apache, provides additional assurance.
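The kind of check an SBOM makes possible, as an added example that is not code from the article or from any vendor quoted in it: it loads a CycloneDX-style SBOM, compares every component against a list of advisories, and for each hit walks the dependency graph back to the top-level application so the team can see which of its own components dragged the flawed library in. Both the SBOM (a hypothetical "billing-api" service with a made-up "acme-commons" library) and the advisory list are constructed sample data; in practice the advisories would come from a real feed and the SBOM from your build pipeline.

```python
"""Cross-check a CycloneDX SBOM against known-bad component versions and
trace each hit back to the application that depends on it.

The SBOM and the advisory list are CONSTRUCTED sample data for illustration,
not output from any real scan or a real vulnerability database."""
import json

# Constructed CycloneDX 1.4 document. "billing-api" and "acme-commons" are
# hypothetical names; the log4j-core version is chosen only to trigger a hit.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "billing-api", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "acme", "name": "acme-commons", "version": "1.8.0"},
        {"bom-ref": "log4j", "name": "log4j-core", "version": "2.14.1"},
        {"bom-ref": "jackson", "name": "jackson-databind", "version": "2.13.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["acme", "jackson"]},
        {"ref": "acme", "dependsOn": ["log4j"]},
    ],
})

# Constructed advisory record: "component X is affected below version Y".
# A real implementation would pull this from an advisory feed, not hard-code it.
SAMPLE_ADVISORIES = [
    {"component": "log4j-core", "fixed_in": "2.17.1"},
]


def parse_version(version):
    """Turn '2.14.1' or '2.17.0-rc1' into a tuple of ints. Non-numeric
    suffixes are dropped; adequate for dotted release numbers, not for
    every ecosystem's full versioning scheme."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_below(version, threshold):
    """True if `version` sorts before `threshold` (i.e. is not yet fixed)."""
    a, b = parse_version(version), parse_version(threshold)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def index_components(sbom):
    """Map every bom-ref, including the root application, to (name, version)."""
    root = sbom["metadata"]["component"]
    refs = {root["bom-ref"]: (root["name"], root["version"])}
    for comp in sbom.get("components", []):
        refs[comp["bom-ref"]] = (comp["name"], comp["version"])
    return refs


def reverse_dependencies(sbom):
    """Invert the CycloneDX 'dependencies' list: child ref -> parent refs."""
    parents = {}
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            parents.setdefault(child, []).append(entry["ref"])
    return parents


def paths_to_root(ref, parents, root_ref, seen=()):
    """Every dependency chain from the root application down to `ref`."""
    if ref == root_ref:
        return [[ref]]
    if ref in seen:  # guard against cycles in a malformed SBOM
        return []
    chains = []
    for parent in parents.get(ref, []):
        for chain in paths_to_root(parent, parents, root_ref, seen + (ref,)):
            chains.append(chain + [ref])
    return chains


def find_vulnerable_components(sbom_json, advisories):
    """Return one finding per (component, advisory) match, with the named
    dependency paths that explain why the component is present."""
    sbom = json.loads(sbom_json)
    refs = index_components(sbom)
    parents = reverse_dependencies(sbom)
    root_ref = sbom["metadata"]["component"]["bom-ref"]
    findings = []
    for ref, (name, version) in refs.items():
        for adv in advisories:
            if adv["component"] == name and version_below(version, adv["fixed_in"]):
                chains = paths_to_root(ref, parents, root_ref)
                findings.append({
                    "component": name,
                    "version": version,
                    "fixed_in": adv["fixed_in"],
                    "paths": [[refs[r][0] for r in chain] for chain in chains],
                })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{f['component']} {f['version']} (fixed in {f['fixed_in']})")
        for path in f["paths"]:
            print("  via " + " -> ".join(path))
```

The output names the chain billing-api -> acme-commons -> log4j-core, which is the information teams lacked during Log4J: not just "we have it somewhere" but which of their own components is responsible, and therefore what has to be rebuilt. Two caveats a practitioner would add: a component that matches no advisory is not thereby "clean", only unflagged, and the check is only as good as the SBOM's completeness, which is why the monitoring has to continue after the snapshot is taken.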

“Adopting open source software should be taken as seriously as adopting proprietary code,” says Matt Barker, VP at Venafi. “Just because the open source code is ‘free’ you need to understand the motivations of the people behind the code and work out if you trust them.

“This applies just as much to the security of the code as well as the commercial considerations, and if they may end up ‘pulling the rug’ with a license change or some other change in business model. If you adopt open source, you have to accept it is not just one and done.”

It’s clear IT leaders will need to establish clear guidelines for open source within their organization, if they are to avoid future pain.

“Open source is powerful – but power without control is a risk,” adds Ljubas. “If you don’t have a structured approach to managing OSS in your supply chain, you’re not mitigating risk. You’re accumulating technical debt with an unpredictable interest rate.”