When should you consider an open-source code audit?

Have you ever considered an open-source code audit for your organisation?

Whether it’s due to needing to identify known vulnerabilities in a codebase containing open-source code, or due to an impending acquisition of a software company, you’ve come to the right place. This article will walk you through what open-source code is, when you should consider investing in an open-source code audit all the way through to what happens after the audit has been completed.

What is Open-Source code?

Before we dive in to explaining all about open-source code audits and when you should consider them, let’s first start by understanding what open-source code is.

The “Source code” is the part of software that most computer users don’t ever see; it’s the code computer programmers can manipulate to change how a piece of software—a “program” or “application”—works. Programmers who have access to a computer program’s source code can improve that program by adding features to it or fixing parts that don’t always work correctly. Open-source code is widely used by software development companies to accelerate development and reduced costs. Open-source software is software with source code that is publicly available and anyone can inspect, modify and enhance.

According to Gartner, 95% of the IT enterprises across the globe use open-source software for their mission-critical IT workloads, whether they are aware of it or not. Benefits to using open-source software include freedom and flexibility, lower costs, high quality, and innovation via communities.

However, the use of open-source software also creates challenges for businesses. These include an increase in security breaches, they can sometimes become too complex, software patches and updates will have to be managed by the IT teams and it may come with a lack of customer support. Using open-source code within proprietary software also creates challenges if the code breaches any licensing rules.

What is an open-source code audit?

An open-source code audit is used by businesses to detect and identify the existence of open-source code. The audit will identify the open-source code and their corresponding licences. There are many common open-source licenses Including:

• GPL
• LGPL
• MPL
• AGPL
• GNU
• Apache

There are certain reasons as to why businesses today use open-source code audits. These include:

Investment – The opportunity to invest in a software or SaaS company may be tempting. Before investing you need to ensure that the IP of the company is owned by that company and does not contain open-source code which may negatively affect the value of the company.

Acquisition (M&A) – During the acquisition of a software company or the intellectual property (IP) belonging to a company, it is essential to identify if any of these products contain open-source code not owned by that company. For example, if open-source code with a GPL license exists within the code base, this will most likely be problematic.

Outsourced Developer – If you subcontract software development to a third-party developer, you may request assurances or warranties that the codebase does not contain any open-source code. In order to determine if the developer is keeping to their end of the agreement, it is essential to conduct an open-source code audit to verify compliance.

Security – The use of open-source code comes with security risks as the code is available to the public. Hackers can use this code to seek out and exploit vulnerabilities that may exist. Research has shown that 78% of audited codebases contained at least one open-source vulnerability, of which 54% were high-risk ones that hackers could exploit.  The recent Log4j breach highlights the inherent risks of opensource code embedded within IT systems.  According to cybersecurity experts, hackers can gain easy access to a company’s computer server, giving them entry into other parts of a network. It’s also very hard to find the vulnerability or see if a system has already been compromised. An open-source code audit and implementing a policy of maintaining a Software Bill of Materials (SBOM) will assist in identifying known vulnerabilities in a codebase containing open-source code.

What happens after the open-source code audit?

After the audit, a final audit report will be presented and should provide a complete overview of the build of materials. Items in the report may include the following:

• An inventory of all source code files contained within the codebase
• List of files containing copyrights
• List of files containing licenses
• List of open-source licenses linked to this code
• Detailed report authored by an open-source licensing expert identifying possible constraints, potential IP issues, and known security vulnerabilities with the audited open-source code. 

It is important to choose an open-source code audit vendor who can walk you through what was found and provide actionable insights for the IT team within your business to run with.

Escrow London performs audits of software code bases to detect and identify the existence of open-source code. The Escrow London Open Source team creates a detailed report identifying the open-source code and their corresponding licenses. For more information, please click here.

##

About Escrow London
Escrow London is a global software escrow vendor with offices located in Atlanta, USA, London, United Kingdom and Sydney, Australia.

We have invested considerable resources into innovation to reinvent software escrow for a SaaS world. Escrow London provides a range of SaaS Continuity escrow solutions suitable for AWS, Microsoft Azure and Google Cloud Platform hosted SaaS applications. We support a wide range of clients includes major banks, central banks, insurance firms, technology companies and government.

For all articles, please click here