“Software suppliers often find themselves out of compliance with their open source licensing obligations,” report authors explained. “Suppliers miss or ignore known vulnerabilities because they’re not tracking them or managing dependencies. The impact of not managing third party components creates security problems and legal issues that can put suppliers’ business models at risk.”
The report surveyed over 400 commercial software suppliers and in-house software development teams. Researchers found that 43 percent of respondents did not have open source acquisition or usage policies in place and 19 percent did not know if they had any open source policies in place.
Open source risk can only be reduced if policies are enforced. Organizations without acquisition or usage policies can find themselves at a higher risk of open source security vulnerabilities.
“Open source processes protect products and brand reputation. But, most software and IoT vendors don’t realize there is a problem, so they’re not protecting themselves and their customers,” Flexera Vice President of Product Management Jeff Luszcz said in a statement. “This endangers the entire software supply chain – for the vendors whose products are exposed to compliance and vulnerability risk. And also for their customers who most likely don’t even know they’re running open source and other third-party software, or that it may contain software vulnerabilities.”
The report also shines a light on the confusion many organizations have when it comes to who is responsible for open source security and compliance.
Twenty-eight percent of respondents said that responsibility lies with the engineering team while 18 percent said that no one within their organization was responsible. Twenty-one percent said they didn’t know who was in fact responsible, with only 12 percent reporting that they have an open source review board.
Conflicting or unknown answers about who is responsible for open source security and compliance can seriously jeopardize PHI.
Open source is too important to the future of technological development to be left by the wayside in favor of technology that is considered more secure. The contributions organizations make to open source code allow other entities to adopt new technology faster, improving workflow and the patient experience.
“In the coming years, open source will unlock new technologies in the Cloud and IoT space – creating billions in value. The need of the hour is visibility and compliance without burden,” said report authors. “Discovering issues earlier in the DevOps cycle means less impact on development and meeting business deadlines.”
“Equate finding licensing irregularities or potential security vulnerabilities to finding a bug in a software application. The earlier it’s discovered, the less expensive and impactful it is to correct.”
The report advised organizations to take steps to ensure that open source risk is managed to prevent potential security breaches. Researchers suggested that entities educate all IT staff on the basics of open source compliance management.
The report also recommended that organizations set up an Open Source Review Board to set specific policies, keep track of licensing and security events, and advise IT staff on their training and knowledge.
Processes and policies also need to be implemented to emphasize compliance with all open source licenses in use. Those processes and policies also need to focus on designing and executing a way to discover newly disclosed vulnerabilities in those components so they can be patched when the software is updated.