In the process of developing software (SW), the percentage of external open-sources that enhance productivity and competitiveness is rapidly growing. Statistics show that more than 90% of companies and more than 70% of applications use open-source for development. The number of types and sizes of open-sources software is also exploding. Based on Github, the number of open-source projects exceeded 190 million in 2020 and over 10,000 open-source projects are created daily. But we can enumerate 2 risks of using open-source.
The first one being license risk. Though most companies use open-source freely, there is a duty to use it correctly. For example, when someone us es a free open-source and use it, that same person should open the modified code the same way. The mandatory clauses of open-source are even more important than royalties. The South Korean company H paid 2.5 billion won to drop the lawsuit for not disclosing the GhostScript open-source guidelines. The other one being security vulnerability risk. There are 150,000 known CVE, open-source vulnerabilities, and more than 50 new vulnerabilities are reported daily. If an open-source program is opened without security vulnerability assessment, it is likely to be exposed to multiple risks.
To prevent those risks, it is necessary to understand the current status of the use of 3rd party SW or open-source. However, most open-source SW are often used by modifying the source little by little and, as any open-source, the complexity of it makes it difficult to find the source. According to a study released by the CSSA of Korea University’s Security Research Institute, when analyzing the top 10,000 Github open-source stars, 95% of the open-source components were partially used or modified.
In the case of hardware, the manufacturer provides the bill of materials (BOM), the raw materials specifications, and accurately identifies and supplements the affected product environment when defective parts are found. And until now, Open-Source developers have also made some effort to manage problematic SW components based on finding the defective parts through BOM. The Linux Foundation, in particular, has led the path with the ‘OpenChain’ project ensuring to supply a safe environment for open-source compliance and management.
The basis of open-source compliance is to understand the status of the supplied open-source included in the SW, based on SW BOM. If an application has an inaccurate or no BOM, there is no way to perform SW updates due to the difficulties in tracking critical security patches and emergency updates as well as in checking licenses. In 2014, Heartbleed, an OpenSSL SW vulnerability was unveiled, and it took Microsoft over 6 months to fix the issue. The Open SSL SW is relied upon many aspects of the Internet security such as HTTPS and VPN.
Thus, it is of the utmost importance to have a secure and accurate SW Bill of Materials(SBOM) for a safe SW ecosystem. Overseas, the importance of SBOM, a SW composition statement, is already recognized and is leading the way through the system along with the emergence of SBOM service providers. In 2014, the U.S. government passed the Cyber Supply Chain and Special Act and for all products procured by the federal government, SW configuration specifications were provided, and vulnerabilities were demonstrated. The legislation scope was extended to all IOT devices by the end of 2020.
In Korea, a service providing SBOM has recently been established to help create a safe SW ecosystem. So, who is responsible for checking and securing SBOM? The SW producers who are in charge of supplying SW ecosystems as well the demanding users who should perform their share of inspection to achieve balance and stability in SW ecosystems. In other words, all participants in the SW Supply Chain must play their own role to ensure the safety of the SW.
As the era of artificial intelligence and autonomous driving are approaching, the safe use of SW is necessary. The foundation for becoming a digital powerhouse should be strengthened in order to used a SW with confidence. The starting point is sharing the accurate SBOM. This is something that suppliers, consumers and governments must pay attention to. Just as small restaurants that we visit daily go through mandatory ’country of origin’ food labelling, the BOM of SW labelling, in the era of digital acceleration, is only natural.
Jinseok Kim, CEO of IOTCUBE firstname.lastname@example.org
Original article link :