Out-Law News 2 min. read

Businesses exposed to open source software risks, says report

The extent to which businesses are exposed to risks when using open source software or software with open source components has been highlighted in a newly published report, an expert has said.

Expert in open source software James Robb of Pinsent Masons, the law firm behind Out-Law.com, said that the report, by industry specialist Black Duck, showed how ubiquitous open source software has become in business.

According to Black Duck's Open Source Security and Risk Analysis 2017, 96% of applications it audited last year contained open source components. The company analysed 1,071 applications for the report.

Black Duck said, though, that 67% of the applications featuring open source elements "had vulnerabilities in the components used", and that the average time that those vulnerabilities had been known for was four years.

The sector with the highest average number of security vulnerabilities per application was financial technology, Black Duck said, while the greatest proportion of applications containing high-risk vulnerabilities were those in use in retail and e-commerce, it said.

Beyond cybersecurity risks, the Black Duck report also highlighted the fact that many businesses using applications with open source components may be doing so in breach of licensing conditions. It said 85% of the applications it had analysed "contained components with licenses out of compliance".

The licensing risks extend to cases where the licensing terms are unknown, according to the report.

Black Duck said: "Most open source components are governed by one of about 2,500 known open source licenses, and the license obligations can be tracked and managed if the components themselves are identified. However, components with no identifiable license terms are problematic. Software that does not have a license generally means no one has permission from the creator(s) of the software to use, modify, or share the software. Creative work (which includes code), is under exclusive copyright by default."

"Unless a license specifies otherwise, nobody else can use, copy, distribute, or modify that work without being at risk of litigation. Lack of clear statements of rights and obligations leaves teams at greater risk of violation of 'hidden' terms," it said.

James Robb of Pinsent Masons said: "The Black Duck report suggests that organisations are struggling to address properly the compliance and security issues posed by open source applications."

"Due to the increasing prevalence of business applications which contain open source components, now more than ever businesses should be proactive in identifying and evaluating open source components and the associated obligations imposed by open source licences. Doing so will help businesses avoid licence clash and improve licence compliance, as well as limiting exposure to the security vulnerabilities inherent in open source software," Robb said. 

Earlier this year, Robb, and colleagues Iain Connor and Tom Hadden from Pinsent Masons, identified some of the steps businesses can take to address the legal and security risks inherent in using open source software.

Phil Odence, general manager of Black Duck On-Demand Audits, previously told Out-Law.com that the failure to manage open source software risk properly can cause delays to major corporate transactions, as well as changes to the deal terms and valuations

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.