It was recently reported that Oracle will begin enforcing commercial terms on customers who thought that they were using free Java software.
Oracle is running Java software audits to ensure customers are paying for their usage. Many companies using Java do not realise that they should be paying for the software at all, because most assume it is free.
The confusion lies with Java Standard Edition, available for download from Oracle's website. Java is both a programming language and a platform for running applications written in that language.
If you only want to write a Java application, it is indeed free. The problem arises when you install that application on hundreds of desktops, which requires the Microsoft Windows Installer Enterprise JRE Installer, and that component is not free to use. It does not stop there: there are additional parts and editions of Java that are not free either.
Unmanaged Open Source Software
Unmanaged open source security and compliance risk is reaching epidemic proportions and threatening the very integrity of the software supply chain. As much as 50 percent of the code found in most commercial software packages is open source.
Most software engineers use open source components but do not track what they use, do not understand their legal obligations for that code, and do not know the vulnerability risk it may carry.
Worse yet, most software executives have no idea that this is going on. Many organisations are not properly tracking and monitoring their use of OSS and third-party components and software executives are left in the dark.
Many have difficulty producing a Bill of Materials (BOM), a list of the open source they are using. For companies that do have some components on their list, it is generally a small fraction of the true extent of OSS and third-party use.
Research shows that a company’s true list is on average 20 times larger than their current disclosure.
Almost all open source components are governed by a license, with obligations that a company must follow if they are distributing a product containing that component.
These obligations often include passing along the text of the license, copyright statements, and in some cases the source code of the component or complete product.
Yet most organisations are not disclosing the content as required by the licenses.
The two most common issues encountered from this are:
- Not properly managing the use of open source and fulfilling license compliance obligations
- Organisations finding themselves at risk due to vulnerabilities in the open source being used
The first issue often leads to the second. It is impossible to comply with the license requirements if a company does not know what open source and third-party components are used.
It may also mean that any current or future security vulnerabilities discovered in those software components are not tracked and handled. It is common for OSS components to have new vulnerabilities discovered after they are first shipped.
These vulnerabilities can sit silently in a product until taken advantage of by attackers.
Managing Open Source
The first element of an open source management program is education. The basics of OSS license compliance management need to be taught at all levels of the organisation, not just at the developer level.
Senior management must be made aware of the license compliance requirements, as well as the need to periodically update products to repair vulnerable open source components.
In many companies, a small team of subject-matter experts drawn from many disciplines can form an Open Source Review Board (OSRB). This team can include technical, legal, IT and management staff.
The OSRB will help set policies, respond to license compliance and security events and provide training and knowledge to the rest of the company pertaining to open source. The group can be ad-hoc or more tightly structured depending on the maturity and size of a company.
These policies can then be implemented by the development teams: first, to comply with the licenses of all the open source they use; second, to create a process that discovers vulnerable components and releases updates as needed.
Software Composition Analysis tools exist to help discover and manage the OSS and third-party content that is being used. These tools can also help automate the process of vulnerability alerting.
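As an added illustration (not code from the article, and not any vendor's SCA product), the following Python sketches the core of what such a tool does: parse a dependency manifest into a bill of materials, attach license metadata and the notice obligations an assumed review-board policy requires, and match each pinned version against a vulnerability feed. The component names, advisory ids, license table, vulnerability ranges and policy are all constructed sample data; the obligation categories are illustrative, not a reading of any specific license.

```python
"""Minimal SCA pass: manifest -> BOM -> license policy check -> vulnerability match.

Added example with constructed data; hypothetical component names and placeholder
advisory ids throughout. The policy below is an assumption about what an OSRB might set.
"""
import re
from dataclasses import dataclass, field

# Constructed manifest in requirements.txt style (hypothetical components).
MANIFEST = """\
# pinned dependencies (constructed sample)
webframework==2.1.0
jsonlib==1.4.2
cryptohelper==0.9.1
imageproc==3.0.0
"""

# Constructed component-to-license table (an SCA tool would look this up in a database).
COMPONENT_LICENSES = {
    "webframework": "MIT",
    "jsonlib": "Apache-2.0",
    "cryptohelper": "GPL-3.0-only",
    "imageproc": "BSD-3-Clause",
}

# Constructed vulnerability feed: affected range is [introduced, fixed); ids are placeholders.
VULN_FEED = [
    {"component": "jsonlib", "introduced": "1.0.0", "fixed": "1.4.3", "id": "ADV-PLACEHOLDER-001"},
    {"component": "cryptohelper", "introduced": "0.0.0", "fixed": "0.9.0", "id": "ADV-PLACEHOLDER-002"},
    {"component": "webframework", "introduced": "2.0.0", "fixed": "2.0.5", "id": "ADV-PLACEHOLDER-003"},
]

# Assumed OSRB policy for a distributed proprietary product, plus illustrative notice
# obligations per license (categories only; not legal advice on any real license).
POLICY_ALLOWED = {"MIT", "Apache-2.0", "BSD-3-Clause"}
NOTICE_OBLIGATIONS = {
    "MIT": ["license text", "copyright notice"],
    "BSD-3-Clause": ["license text", "copyright notice"],
    "Apache-2.0": ["license text", "copyright notice", "NOTICE file"],
    "GPL-3.0-only": ["license text", "copyright notice", "source code offer"],
}


@dataclass
class Component:
    name: str
    version: str
    license: str = "UNKNOWN"
    obligations: list = field(default_factory=list)
    policy_ok: bool = False
    advisories: list = field(default_factory=list)


def parse_version(v):
    """Dotted numeric version -> tuple so ranges compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text):
    """Turn 'name==version' lines into Component records; skip comments and blanks."""
    comps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)", line)
        if not m:
            raise ValueError(f"unparseable manifest line: {line!r}")
        comps.append(Component(name=m.group(1), version=m.group(2)))
    return comps


def is_affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def build_bom(manifest_text):
    """Inventory every component, attach license/obligations, flag policy and advisories."""
    comps = parse_manifest(manifest_text)
    for c in comps:
        c.license = COMPONENT_LICENSES.get(c.name, "UNKNOWN")
        c.obligations = NOTICE_OBLIGATIONS.get(c.license, ["manual review"])
        c.policy_ok = c.license in POLICY_ALLOWED
        c.advisories = [
            v["id"] for v in VULN_FEED
            if v["component"] == c.name and is_affected(c.version, v["introduced"], v["fixed"])
        ]
    return comps


def summarize(bom):
    """Counts an OSRB would track: total components, out-of-policy licenses, vulnerable ones."""
    return {
        "components": len(bom),
        "license_violations": sorted(c.name for c in bom if not c.policy_ok),
        "vulnerable": sorted(c.name for c in bom if c.advisories),
    }


if __name__ == "__main__":
    bom = build_bom(MANIFEST)
    for c in bom:
        flag = "OK " if c.policy_ok and not c.advisories else "!! "
        print(f"{flag}{c.name}=={c.version} license={c.license} "
              f"advisories={c.advisories} obligations={c.obligations}")
    print(summarize(bom))
```

Two things the sketch makes concrete: the BOM must exist before either check can run, which is the page's point that the first issue causes the second, and the version comparison has to be numeric, since a lexical comparison would misplace versions such as 1.10.0 relative to 1.9.0 and silently miss an affected range.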
Achieving Successful Management
Companies that implement policy, educate employees and roll out a Software Composition Analysis solution will begin to achieve both OSS license compliance and effective vulnerability management.
By setting up processes and following OSS best practices, companies can meet community expectations and reduce their exposure to OSS-related vulnerabilities to improve overall security. OSS is free of costs, not free of obligations.