Due Diligence and Ongoing Monitoring

  • 1.  Open Source Solutions

    Posted 06-23-2021 11:45 AM
    Good Morning,

    We are trying to make improvements to our vendor management program and we would like to better manage open source software. Would anybody be willing to share how they approach due diligence for open source software? Would anyone be willing to provide a list of standard questions they ask or items that they request from open source software vendors? How frequently are you able to get useable information back from these vendors?

    Regards
    Ben Furlong


  • 2.  RE: Open Source Solutions

    Posted 07-06-2021 08:49 AM
    Many times, open source software would be out of scope for a typical vendor risk assessment because the associated risk would be managed internally. However, to figure out whether or not it would be in scope, here are a few good questions to ask:

    What license does the publisher grant?
    • Here's a good site that describes the common types of licenses: Licenses & Standards | Open Source Initiative.
    • Most OSS licenses allow for free use, but not necessarily derivative use. Basically, you can use it as-is but you can't modify it without permission. That's important if there's a bug in the code that needs to be fixed.
    Is the source code openly available?
    • Again, usually yes, but sometimes the source code isn't published openly. This is especially true for compiled libraries. For scripting libraries like JavaScript, you have the source code, but it could be "minified" or obfuscated in a way that makes reading it very difficult.
    • A follow-up to the source code question would be, is the source code repository open for everyone to modify code, or do they have a "pull request" or other approval process for bringing changes into the repository.
    Is the OSS managed in a repository that allows for security alerts to be logged and disseminated?
    • We use npm for our JavaScript libraries. npm has a process for reporting security vulnerabilities. The npm tool will report on the alerts whenever it fetches the library from the repository for inclusion in Venminder. We watch for these and ensure we upgrade when we see them.
    Hope this is helpful - it's a great question and I would love to hear what others in the industry have to add.

    Nicole
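    The third question above (is the component managed somewhere that vulnerability alerts are logged and disseminated, and do you act on them) is the one that can be automated. The following is an added example, not code from the post above or from Venminder: a Node.js script that turns the output of `npm audit --json` plus a per-package license inventory into a due-diligence triage list. It assumes the report shape of `npm audit --json` as emitted by npm 7 and later (`auditReportVersion: 2`, a `vulnerabilities` map whose `via` entries are advisory objects for the root cause and package-name strings for packages hit transitively), an inventory keyed `name@version` with a `licenses` field in the style of `license-checker --json`, and an organisation policy (license allowlist, blocking severity) that is invented for the example. All sample data below is constructed.

```javascript
'use strict';
// Added example: triage an `npm audit --json` report and a license inventory
// against a simple OSS due-diligence policy. Report/inventory shapes and the
// policy values are assumptions for this example; the data is constructed.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Assumed policy: licenses accepted as-is, and the lowest severity that blocks a release.
const POLICY = {
  allowedLicenses: new Set(['MIT', 'ISC', 'BSD-2-Clause', 'BSD-3-Clause', 'Apache-2.0']),
  blockSeverity: 'high',
};

// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-lib': {
      name: 'example-lib', severity: 'high', isDirect: true, range: '<1.2.3',
      via: [{ title: 'Prototype pollution', url: 'https://example.invalid/advisory/1', severity: 'high' }],
      fixAvailable: { name: 'example-lib', version: '1.2.3', isSemVerMajor: false },
    },
    'transitive-util': {
      name: 'transitive-util', severity: 'moderate', isDirect: false, range: '*',
      via: ['example-lib'], // affected only through example-lib
      fixAvailable: false,
    },
    'old-parser': {
      name: 'old-parser', severity: 'critical', isDirect: true, range: '<=2.0.0',
      via: [{ title: 'Arbitrary code execution', url: 'https://example.invalid/advisory/2', severity: 'critical' }],
      fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 1, total: 3 } },
};

// Constructed license inventory (license-checker style: "name@version" -> { licenses }).
const SAMPLE_LICENSES = {
  'example-lib@1.0.0': { licenses: 'MIT' },
  'transitive-util@0.3.1': { licenses: 'GPL-3.0' },
  'old-parser@2.0.0': { licenses: 'UNKNOWN' },
  'good-lib@4.1.0': { licenses: '(MIT OR Apache-2.0)' },
};

// Minimal SPDX expression check: "A OR B" passes if either side passes,
// "A AND B" only if both do. Nested parentheses are not handled.
function licenseAllowed(expr, allowed) {
  const clean = (expr || '').replace(/[()]/g, '').trim();
  if (!clean || clean === 'UNKNOWN' || clean === 'UNLICENSED') return false;
  return clean.split(/\s+OR\s+/).some(alt =>
    alt.split(/\s+AND\s+/).every(id => allowed.has(id.trim())));
}

// Packages whose declared license is missing or outside the allowlist.
function checkLicenses(inventory, policy) {
  return Object.entries(inventory)
    .filter(([, meta]) => !licenseAllowed(meta.licenses, policy.allowedLicenses))
    .map(([pkg, meta]) => ({
      package: pkg,
      license: meta.licenses || 'UNKNOWN',
      reason: meta.licenses && meta.licenses !== 'UNKNOWN' ? 'license not on allowlist' : 'license not declared',
    }));
}

// One triage row per vulnerable package, most severe first.
function triageAudit(report, policy) {
  const threshold = SEVERITY_RANK[policy.blockSeverity];
  return Object.values(report.vulnerabilities || {}).map(v => {
    const advisories = v.via.filter(x => typeof x === 'object').map(x => x.title);
    const through = v.via.filter(x => typeof x === 'string');
    let action;
    if (v.fixAvailable && typeof v.fixAvailable === 'object') {
      action = `upgrade ${v.fixAvailable.name} to ${v.fixAvailable.version}` +
        (v.fixAvailable.isSemVerMajor ? ' (major bump, review breaking changes)' : '');
    } else if (v.fixAvailable === true) {
      action = 'run npm audit fix';
    } else {
      action = 'no upstream fix; mitigate or replace';
    }
    return {
      package: v.name, severity: v.severity, direct: Boolean(v.isDirect),
      blocking: SEVERITY_RANK[v.severity] >= threshold, advisories, through, action,
    };
  }).sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Combined view a reviewer can act on: what blocks, what can wait, and license gaps.
function dueDiligenceReport(audit, inventory, policy = POLICY) {
  const findings = triageAudit(audit, policy);
  const licenseIssues = checkLicenses(inventory, policy);
  return {
    blocking: findings.filter(f => f.blocking),
    nonBlocking: findings.filter(f => !f.blocking),
    licenseIssues,
    releaseOk: findings.every(f => !f.blocking) && licenseIssues.length === 0,
  };
}

console.log(JSON.stringify(dueDiligenceReport(SAMPLE_AUDIT, SAMPLE_LICENSES), null, 2));
```

    In practice the two inputs come from `npm audit --json` and a license inventory tool run in CI, and the `blocking` list is what gates the build; the `through` field matters because a transitive finding is usually fixed by upgrading the direct dependency that pulls it in, not the package named in the alert.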



  • 3.  RE: Open Source Solutions

    Posted 07-06-2021 08:58 AM
    It is a worthwhile topic to wrestle with and the recent spate of supply chain breaches reinforce its importance in the overall risk landscape! We do not try to get too prescriptive with our third parties supplying software but in our contracts we seek a vendor's commitment to an OSS program that minimally includes: provisions for OSS inventories and audits, component and composition analysis, security and vulnerabilities, licensing and compliance, and software quality.

    ------------------------------
    L. Beachy
    ------------------------------



  • 4.  RE: Open Source Solutions

    Posted 07-07-2021 07:37 AM

    We have a policy for software purchases/usage where we ask the vendor about open source components that are disclosed, to make sure they have commercially acceptable licensing, appropriate methodology, procedures in place, etc. We track our software licenses (e.g. Microsoft Office) through desktop support processes. This review is conducted by our IT Architecture SMEs. I hope that helps.




    ------------------------------
    Jenn Wilkinson
    Vice President
    Strategic Vendor Management
    Cenlar FSB
    ------------------------------