Appropriate handling of Open Source is an ongoing discussion with my cyber, technology/development, and TPRM teams.
What level of tracking is relevant for TPRM? Is that relevance different for cyber (breach vulnerability) and technology/development (support concerns)?
Should the TPRM inventory include Open Source tools/utilities, Open Source solutions, Open Source components, use of Open Source in commercial software solutions (Nth party - is Nth party even possible), where do GitHub/GitLab fit in, etc.?
Interested in seeing other opinions on this topic.
Thanks.
Original Message:
Sent: 06-22-2022 09:02 AM
From: Miranda Thurmond
Subject: Open Source Software relationships
Does anyone have any considerations around open source software relationships with vendors?
Should we create a new tier for these kinds of relationships, since there will more than likely be very little due diligence needed?