We have a policy for software purchases/usage where we ask the vendor about open source components that are disclosed, to make sure they have commercially acceptable licensing, appropriate methodology, procedures in place, etc. We track our software licenses (e.g. Microsoft Office) through desktop support processes. This review is conducted by our IT Architecture SMEs. I hope that helps.
------------------------------
Jenn Wilkinson
Vice President
Strategic Vendor Management
Cenlar FSB
------------------------------
Original Message:
Sent: 07-06-2021 08:49 AM
From: Nicole O'Brien
Subject: Open Source Solutions
Many times, open source software would be out of scope for a typical vendor risk assessment because the associated risk would be managed internally. However, to figure out whether or not it would be in scope, here are a few good questions to ask:
What license does the publisher grant?
- Here's a good site that describes the common types of licenses: Licenses & Standards | Open Source Initiative.
- Most OSS licenses allow for free use, but not necessarily derivative use. Basically, you can use it as-is but you can't modify it without permission. That's important if there's a bug in the code that needs to be fixed.
Is the source code openly available?
- Again, usually yes, but sometimes the source code isn't published openly. This is especially true for compiled libraries. For scripting libraries like JavaScript, you have the source code, but it could be "minified" or obfuscated in a way that makes reading it very difficult.
- A follow-up to the source code question would be: is the source code repository open for everyone to modify code, or do they have a "pull request" or other approval process for bringing changes into the repository?
Is the OSS managed in a repository that allows for security alerts to be logged and disseminated?
- We use npm for our JavaScript libraries. npm has a process for reporting security vulnerabilities. The npm tool will report on the alerts whenever it fetches the library from the repository for inclusion in Venminder. We watch for these and ensure we upgrade when we see them.
Hope this is helpful - it's a great question and I would love to hear what others in the industry have to add.
Nicole
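The npm alert process Nicole describes produces a machine-readable report (`npm audit --json`). The following is an added example, not code from the post or from Venminder, that reads such a report and decides whether it should block a build; it assumes the version 2 report shape (an `auditReportVersion` field and a `vulnerabilities` map keyed by package name), and the sample report is constructed.

```python
import json
from typing import Dict, List, Tuple

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2);
# package names and advisory details are made up for illustration.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "example-lib": {
            "name": "example-lib", "severity": "high", "isDirect": True,
            "via": [{"title": "Prototype pollution (constructed)", "severity": "high",
                     "url": "https://example.invalid/advisory/1"}],
            "range": "<2.0.1", "fixAvailable": True,
        },
        "transitive-util": {
            "name": "transitive-util", "severity": "low", "isDirect": False,
            "via": ["example-lib"], "range": "*", "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 1, "moderate": 0,
                                     "high": 1, "critical": 0, "total": 2}},
})


def triage_audit(report_json: str, fail_at: str = "high") -> Tuple[bool, List[Dict]]:
    """Parse an npm audit v2 report and decide whether it should block a build.

    Returns (ok, findings). ok is False when any vulnerability is at or above
    `fail_at`. Each finding records the package, its severity, whether it is a
    direct dependency, and whether npm reports a fix, which is what a reviewer
    needs in order to choose between upgrading and accepting the risk.
    """
    report = json.loads(report_json)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected npm audit report version 2")
    threshold = SEVERITY_ORDER.index(fail_at)
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        sev = vuln.get("severity", "info")
        # `via` holds advisory objects for the root cause and plain package
        # names for entries that are only affected through another package.
        advisories = [v.get("title") for v in vuln.get("via", []) if isinstance(v, dict)]
        findings.append({
            "package": name, "severity": sev,
            "direct": bool(vuln.get("isDirect")),
            # npm emits either a boolean or an object describing the fix; both truthy.
            "fix_available": bool(vuln.get("fixAvailable")),
            "advisories": advisories,
        })
    blocking = any(SEVERITY_ORDER.index(f["severity"]) >= threshold for f in findings)
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]), reverse=True)
    return (not blocking, findings)
```

Run against a real report with `npm audit --json | python3 -c '...'` piped into `triage_audit`, with `fail_at` set to the severity your policy treats as blocking.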
Original Message:
Sent: 06-23-2021 11:45 AM
From: Benjamin Furlong
Subject: Open Source Solutions
Good Morning,
We are trying to make improvements to our vendor management program and we would like to better manage open source software. Would anybody be willing to share how they approach due diligence for open source software? Would anyone be willing to provide a list of standard questions they ask or items that they request from open source software vendors? How frequently are you able to get usable information back from these vendors?
Regards,
Ben Furlong