OpenSSF Unveils Open Source Consumption Manifesto to Optimize Open-Source Software Usage

In a step towards making more judicious use of open-source software (OSS), the Open Source Security Foundation (OpenSSF) has launched the Open Source Consumption Manifesto (OSCM). Modeled on the Agile Manifesto, the OSCM is a document built on a set of core values and 15 guiding principles designed to bring discipline to open source usage.

Open-source software has indisputably been a boon to innovation and operational efficiency. However, it is well known that quality and security vary widely from one OSS project to another. The OpenSSF has consequently highlighted the lack of a strategic approach to consuming OSS in many organizations.

Convenient as it is, OSS brings its own risks. Compared with third-party software, OSS is evaluated with alarming negligence: the scrutiny it receives for security, code quality, and licensing is inadequate, to say the least, and this is how significant risks creep in, as the OpenSSF End Users Working Group notes.

While third-party software is unlikely to contain malicious content, risk enters at download time for those unfamiliar with the intricacies of OSS. "We've seen 96% of the time, a vulnerable component is downloaded when a fixed version is already available," said Brian Fox, co-founder and CTO at Sonatype, discussing OSS consumption pitfalls with SD Times.

Recognizing these issues, the OpenSSF End Users Working Group set out to devise a remedy. Through a series of discussions, it produced the Open Source Consumption Manifesto. Rather than a strict set of commandments, the OSCM is meant to be inclusive: it has been shaped by input from several disciplines, and its text is refined over time by the people who use it.

The manifesto's key provisions include improving open-source consumption through auditing and quarantine functions for components that match known vulnerabilities or known harmful packages.

"A pivotal measure to counter threats from intentionally harmful components is to have a comprehensive tracking system to monitor component consumption. Coupling this with data and behavioral feeds enables your systems to take real-time calls on whether something should be approved or earmarked pending detailed scrutiny," Fox added.

For organizations just beginning with open-source software observability, a good starting point is to categorize their applications by importance. Next, compile an inventory of the OSS embedded in those applications, typically via software bills of materials (SBOMs), and identify the different suppliers involved. Many development teams currently lack these basics, according to Fox.

Afterwards, look for cases where multiple suppliers are used for the same function, such as an assortment of logging frameworks. Then narrow the field to the best suppliers by appraising their secure software development practices, using factors such as known vulnerabilities, software age, popularity, and the average time taken to patch issues.

Each organization will need to tailor its decisions to its own risk appetite and the analysis above. While some risk tolerances are fairly standard, such as how to treat known critical vulnerabilities in an application that handles PII, creating an OSS consumption policy means integrating it across the SDLC, from development to CI/CD and, most importantly, at release.
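As an added illustration (not part of the article, the manifesto, or any OpenSSF tooling), the steps above expressed as a small Python policy check over a constructed SBOM-style inventory: it ranks applications by importance, flags functions served by more than one supplier, and decides per component whether to approve, quarantine, or hold for review. The supplier names, component records, and policy thresholds are all assumed sample values.

```python
from collections import defaultdict

# Constructed SBOM-derived inventory (sample data, not a real SBOM or real
# suppliers). Each component carries the supplier signals the article lists:
# known vulnerabilities, age, popularity and average time to patch.
INVENTORY = {
    "billing-api": {"criticality": "high", "handles_pii": True, "components": [
        {"name": "liba", "supplier": "vendor-a", "function": "logging",
         "known_critical_vulns": 1, "age_days": 2000, "popularity": 9, "avg_patch_days": 12},
        {"name": "libb", "supplier": "vendor-b", "function": "logging",
         "known_critical_vulns": 0, "age_days": 3000, "popularity": 8, "avg_patch_days": 30},
        {"name": "libc", "supplier": "vendor-c", "function": "json",
         "known_critical_vulns": 0, "age_days": 100, "popularity": 2, "avg_patch_days": 200},
    ]},
    "internal-dashboard": {"criticality": "low", "handles_pii": False, "components": [
        {"name": "libd", "supplier": "vendor-d", "function": "http",
         "known_critical_vulns": 1, "age_days": 1500, "popularity": 7, "avg_patch_days": 15},
    ]},
}

# Risk appetite: thresholds each organization tunes for itself (assumed values).
POLICY = {"max_avg_patch_days": 90, "min_popularity": 3, "min_age_days": 180}

def redundant_suppliers(app):
    """Functions served by more than one supplier, e.g. two logging frameworks."""
    by_function = defaultdict(set)
    for c in app["components"]:
        by_function[c["function"]].add(c["supplier"])
    return {f: sorted(s) for f, s in by_function.items() if len(s) > 1}

def decide(app, component):
    """Approve, quarantine, or hold a component for review under POLICY."""
    sensitive = app["criticality"] == "high" or app["handles_pii"]
    if component["known_critical_vulns"]:
        # Known criticals in PII-handling or high-importance apps are quarantined
        # outright; elsewhere they are earmarked for detailed scrutiny.
        return "quarantine" if sensitive else "review"
    slow_patching = component["avg_patch_days"] > POLICY["max_avg_patch_days"]
    immature = (component["popularity"] < POLICY["min_popularity"]
                or component["age_days"] < POLICY["min_age_days"])
    return "review" if slow_patching or immature else "approve"

def evaluate(inventory):
    """Run the policy over every application, most important apps first."""
    order = {"high": 0, "medium": 1, "low": 2}
    ranked = sorted(inventory.items(), key=lambda kv: order[kv[1]["criticality"]])
    return {name: {"redundant_suppliers": redundant_suppliers(app),
                   "decisions": {c["name"]: decide(app, c) for c in app["components"]}}
            for name, app in ranked}
```

The same `evaluate` call can gate a CI/CD stage or a release by failing on any "quarantine" decision while routing "review" results to a human.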

In today's landscape, teeming with no-code and low-code platforms, adopting measures like the OSCM is crucial. A platform like AppMaster, a comprehensive no-code tool for creating backend, web and mobile applications, underscores the importance of OSS and applies measures like the OSCM to mitigate risk and improve productivity. To fully harness the power of open source, organizations must minimize potential risks and inefficiencies, and the OSCM can significantly help with that.
