The UK government has issued guidance on how organizations should manage their use of open source software (OSS) components and mitigate supply chain risks, as thousands of open source vulnerabilities leave businesses at risk.
Combining guidance from international governments, industry, and academia, the report from the Department of Science, Information, and Technology (DSIT) offers advice on the usage, production, security, and licensing of open source software.
The recommendations, which the report said were selected as the most appropriate for organizations of any size and sector, comprise four best practices it claimed constitute a ‘proportionate and reasonable approach to OSS risk management”.
Firstly, DSIT recommends that businesses should establish an internal OSS policy around managing the adoption of OSS components. Creating a software bill of materials (SBOM) is also essential for tracking OSS components and their various dependencies.
Similarly, organizations should ensure they are continuously monitoring their software supply chain using software composition analysis (SCA) tools to identify vulnerabilities in their codebase or any potential licensing issues.
The report also urged businesses to actively engage with the OSS community, which it says will “attract new talent, level the competitive playing field, foster innovation, improve reputation, and ensure high-quality OSS components and a sustainable OSS ecosystem”.
In addition, DSIT strongly recommends adopting tools to automate OSS management to alleviate time and resource constraints that may fall on smaller organizations.
DSIT report lacks detail on vulnerability management
Chris Hughes, chief security advisor at Endor Labs and cyber innovation fellow at CISA, said he was impressed by the broad and comprehensive range of guidance it has distilled from various resources.
However, he cautioned that some organizations may be overwhelmed by the measures the report suggests and advised they should start with the most basic recommendations before moving forward.
Hughes also noted that the report did not provide specific details on vulnerability management practices that firms will have to familiarize themselves with to mitigate flaws and software supply risks.
“While it touches on vulnerability management and prioritization it didn’t go into much depth in terms of key modern specifics. Examples such as reachability, known exploitation, exploitation probability and organizational context were lacking,” he explained.
“Organizations need to make these improvements to be able to sift through the noisy nature of the vulnerability landscape, especially when it comes to OSS.”
Open source security concerns linger
Open source security has become a growing risk exposing organizations to cyber attacks – and one that has traditionally been neglected by many businesses.
A recent study from Black Duck found that 86% of codebases contained open source vulnerabilities, with 81% being classified as critical risks, marking a 7% increase on last year’s figures.
The report concluded that the growth in open source vulnerabilities suggests developer organizations are unable to track the vast number of software dependencies they’re using, and not prioritizing the remediation of these flaws accordingly.
This underscores the importance of implementing SCA tools, SBOMs, and similar measures to track and identify vulnerabilities in your organization, Black Duck noted.
