Open source software (OSS) has gone from something used mainly by startups and hobbyists to a resource that at this point is very much mainstream. This article examines OSS and how it impacts IT due diligence.
What is Open Source?
Generally speaking, “open source software” refers to programs and projects that are developed by a company or an organized group of online programmers, and are made available with source code for free. The software may be modified or redistributed by those who download it, subject to various open source license terms.
There is nothing inherently wrong with OSS or its use in commercial environments. In a 2014 survey, Forrester Research determined that approximately 80% of software developers utilize OSS.
Well-known examples of OSS include:
- Apache (web server)
- Linux (Unix-like operating system)
- MySQL (database software)
- PHP (website scripting language)
- WordPress (blogging software)
Today, OSS is used by companies of all sizes. While it’s often favored by startups due to its low cost, companies like Google and Amazon run significant portions of their operations with open source tools.
While OSS is available at no cost, it is not always “free.” There are often optional packaging and support costs. However, in almost all areas of technology, including operating systems, databases, web servers and software development tools, very capable open source alternatives to commercial software are thriving.
Open Source Security
Traditionally, one major concern regarding OSS has been security. There are some valid points on each side of the argument.
Those who believe OSS to be less secure focus on the fact that, since the source code is available for anyone to see, a skilled hacker might be able to identify a vulnerability and exploit it.
Those who feel OSS is more secure than commercial products also point to the availability of source code, but their argument is that since many eyes are viewing the code, any security weaknesses introduced should be quickly identified. Large, well-organized open source efforts can sometimes issue security updates more quickly than a commercial software company.
Open Source Licensing
OSS is made available under many standard licenses. A list of common open source licenses and their terms can be found here:
http://opensource.org/licenses
Some licenses are very liberal, allowing the open source tool to be used in any way desired by an end user, including modification, redistribution and even resale. At the other end of the spectrum, some licenses require that any redistribution includes the release of any supplemental or modified source code.
Some companies have completed an acquisition only to later find that certain software assets just purchased were based on open source projects with a very restrictive license. In that case, the options are to release the source code, redesign an application to eliminate the open source component or to pull the product from the market. Obviously, none of these are good outcomes.
Practical Due Diligence for Open Source
Given the concerns around security and licensing, there are a number of areas to explore during IT due diligence.
First, a list of open source projects utilized by the target company should be requested. This should include the name and version of the project, the license under which the project is distributed and whether the open source component is used for internal or external purposes.
If open source is utilized only for an internal development or administrative utility, there is usually little, if any, concern, as it is normally the external distribution of any enhancements that triggers the more restrictive license terms.
The target’s response to this request should be examined to understand the requirements of the relevant licenses in conjunction with a detailed review of how the open source component is used. This will allow the acquiring company to begin to understand whether there are any concerns.
Due diligence should determine the target’s process for deciding whether to use OSS. Is a formal review of the open source license performed before a component is accepted for use? Who makes the final decision? Is this a senior staff member, with a thorough understanding of the related risks, or can an individual programmer make the decision in a vacuum?
The security concerns outlined earlier are partly mitigated by the size and activity level of the open source community behind a component. Large open source developer communities make it more likely that a project continues to be enhanced and supported.
Due diligence should examine, for key open source components used by the target, the process used by that open source project for reporting and responding to bug reports, especially as related to security issues. Some of the largest open source projects have dedicated security response teams and a specific infrastructure related to security issues, but not all do.
Does the target closely track the updates to any open source components utilized? Too often, companies bundle an open source component with a proprietary product, but don’t update the open source portion as that component is enhanced. This can lead to the inclusion of outdated and potentially insecure OSS in the target’s own product.
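The inventory review described in the preceding steps (name, version, license, internal versus external use, and whether bundled versions are kept current) can be scripted once the target's list is in hand. The following is an added example, not code from the article or from any audit vendor: the component names, versions, "latest upstream" versions and the license classification sets are all constructed for illustration, and the copyleft/permissive grouping is an assumption that would in practice be confirmed against the actual license text and legal review.

```python
"""Due-diligence checks over a constructed open source component inventory.

Added example; the inventory, upstream version table and license groupings
below are constructed assumptions, not data from the article.
"""
from dataclasses import dataclass

# Assumed grouping of SPDX-style license identifiers. Strong copyleft
# licenses carry source-release obligations on external redistribution;
# weak copyleft ones generally only when the component itself is modified.
STRONG_COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}
WEAK_COPYLEFT = {"LGPL-2.1", "LGPL-3.0", "MPL-2.0"}
PERMISSIVE = {"MIT", "BSD-3-Clause", "Apache-2.0"}
KNOWN_LICENSES = STRONG_COPYLEFT | WEAK_COPYLEFT | PERMISSIVE


@dataclass
class Component:
    name: str
    version: str
    license_id: str
    usage: str        # "internal" or "external" (shipped to customers)
    modified: bool    # has the target changed the component's source?


def parse_version(text):
    """Turn a dotted version string into a comparable tuple of ints."""
    return tuple(int(part) for part in text.split("."))


def is_outdated(component, latest_versions):
    """True if behind upstream, False if current, None if upstream unknown."""
    latest = latest_versions.get(component.name)
    if latest is None:
        return None
    return parse_version(component.version) < parse_version(latest)


def review(inventory, latest_versions):
    """Return (component, category, message) findings for the acquirer."""
    findings = []
    for c in inventory:
        # Licensing: unknown licenses and copyleft obligations on external use.
        if c.license_id not in KNOWN_LICENSES:
            findings.append((c.name, "license",
                             f"unrecognized license {c.license_id}; needs legal review"))
        if c.license_id in STRONG_COPYLEFT and c.usage == "external":
            findings.append((c.name, "license",
                             "strong copyleft component distributed externally; "
                             "source-release obligation likely"))
        if c.license_id in WEAK_COPYLEFT and c.usage == "external" and c.modified:
            findings.append((c.name, "license",
                             "modified weak-copyleft component distributed externally; "
                             "modifications must be released"))
        # Update tracking: is the bundled version behind upstream?
        outdated = is_outdated(c, latest_versions)
        if outdated:
            findings.append((c.name, "version",
                             f"bundled {c.version} behind upstream "
                             f"{latest_versions[c.name]}; check security advisories"))
        elif outdated is None:
            findings.append((c.name, "version",
                             "no upstream version reference; confirm update tracking"))
    return findings


# Constructed sample inventory, as a target might supply it.
SAMPLE_INVENTORY = [
    Component("widget-db", "5.6.20", "GPL-2.0", "internal", False),
    Component("report-lib", "1.2.0", "GPL-3.0", "external", False),
    Component("image-codec", "2.0.1", "LGPL-2.1", "external", True),
    Component("http-frontend", "2.4.10", "Apache-2.0", "external", False),
    Component("legacy-parser", "0.9.0", "Custom-EULA", "external", False),
]

# Constructed "latest upstream release" table; legacy-parser is deliberately absent.
LATEST_VERSIONS = {
    "widget-db": "5.6.25",
    "report-lib": "1.2.0",
    "image-codec": "2.0.1",
    "http-frontend": "2.4.12",
}


def run_example():
    return review(SAMPLE_INVENTORY, LATEST_VERSIONS)


if __name__ == "__main__":
    for name, category, message in run_example():
        print(f"[{category}] {name}: {message}")
```

The internal-only GPL component produces no license finding, matching the point above that internal use rarely triggers the restrictive terms, while the same component still surfaces as a version-tracking finding; the component with no upstream reference is flagged separately so the acquirer knows to ask rather than assume it is current.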
Unfortunately, as the use of open source has increased in corporate environments, proper security practices have not kept pace. In its 10th Annual Future of Open Source Survey, Black Duck Software found that "50 percent of companies have no formal policy for selecting and approving open source code."
Audits
The terms and requirements in some restrictive open source licenses cascade to downstream use. For example, it’s possible that the acquisition target uses a commercial software component in its product or service that in turn utilizes an open source component. The target may not have any idea that the open source component is indirectly included in its own software.
Audit tools and services exist to identify open source components and their related dependencies in software. Audit firms track the source code from thousands of projects and versions and can automatically identify this code in the target’s own source code or object code.
Black Duck Software is a leader in this space, and has even released a free tool that identifies known open source security vulnerabilities in an uploaded code archive file.
Reference
Everything you’d ever want to know about the history of the open source movement, license terms, etc. can be found here:
Conclusion
There is nothing fundamentally wrong with the use of open source software by startups and other commercial enterprises. However, during IT due diligence it’s important to determine whether the target is using any open source components intelligently and responsibly.