
Managing open-source security: a legal perspective

Open-source software is being used more widely than ever – but do IT leaders understand the legal risks?

It seems almost redundant to point out that open-source software is literally everywhere. It’s in your datacentre, on your desktop, in your browser and in your phone.

It pretty much powers the technology industry, and it’s safe to say that we wouldn’t have a lot of the technology we take for granted were it not for open-source methodology and licensing models.

As you are reading this, I will assume you are already familiar with the likes of permissive and copyleft licences, the differences between them, and the acts of distribution that will trigger the core obligations in the latter, so I won’t go into that here. If you want to learn about them, websites such as have excellent and detailed explanations.

Instead, I will focus on the resulting practical business risk. That risk can really be put into two categories: infringement risk (getting sued) and security risk (getting pwned).

Infringement risk stems from the fact that open-source software is licensed software – that is, it belongs to someone else, and you are allowed to use and distribute it subject to conditions.

If you breach those conditions, the person who owns it can sue you. And this isn’t just a theoretical possibility. A live example is making its way through the German courts, in Hellwig vs VMware, and it was a core issue in the recent Versata litigation in California, to take just two examples.

That said, copyleft bites on distribution, not use, so unless you are actively engaged in the business of supplying software, copyleft infringement claims remain, for the most part, a fairly remote contingency.


For that reason, although lawyers tend to get very excited about infringement risk – mostly because, from a lawyer’s perspective, copyleft is just cool – for most businesses, it’s actually the security risk that is the more pressing concern.

That’s not to suggest that open source is inherently less secure than conventionally licensed software – but open source is acquired differently, so it has to be managed differently.

Conventionally-licensed software ends up in your IT real estate when you procure licences for it. You have actively decided to procure them, you have been through a procurement process for them, and you have paid for them, so they are perceived to be important and they get recorded in your asset register.

You know what you have, where it is and what version it is, and you can feed that information into your patching regime.

The same is not necessarily true of open source, because often you haven’t actively decided to acquire it. Because it is so easy to use, it can find its way into your organisation in all sorts of ways. It might be a library shipped with a commercial product, it might be embedded in an appliance such as a firewall or a monitoring system, it might power system management boards in your servers, or it might just be incidentally introduced by one of your staff to plug a gap somewhere. 

You can always guarantee that there is loads of open-source software in your organisation that doesn’t appear on your asset register, and that you don’t know you are running. What you don’t know will hurt you.

A fair point, you might say, but why is a lawyer banging on about security? Well, here are a few reasons – 20 million of them, in fact.

EU data protection laws

The law is catching up with the importance of information security, and it’s coming down hard. The new General Data Protection Regulation, which comes into force in May 2018, allows for fines of up to €20m or 4% of your worldwide turnover, if greater, for data breaches. That is a serious amount of money, especially when compared to the UK Information Commissioner’s anaemic current powers.

We also have a new EU Network and Information Security Directive that has just been agreed, and a new Trade Secrets Directive on the way, not to mention the myriad contractual obligations that are inevitably breached after a major security incident, such as non-disclosure agreements and supply contracts.

The legal fallout from a security breach can last years, and be very expensive indeed, to say nothing of reputational damage.


So, what should you do? In short, treat open-source software like any other third-party software. Know what you’re running and keep it patched. For a CIO, that means a number of things:

  • Know the content of your own home-grown codebase, if any. Audit it if necessary. Have a policy about open-source use, ensure that in-house developers and contractors alike are aware of it and police it. Make sure your developers and your lawyers communicate.
  • Challenge your software suppliers to disclose the open source in, and shipped with, their products. Be sceptical if they tell you there isn’t any; they are probably wrong. Don’t assume you will have much legal recourse if you get pwned because of a vulnerability they have introduced.
  • Understand what is in each layer of your stack. If a supplier has shipped you a product as an appliance, that appliance is probably running an open-source stack underneath the clever whizzbangery that you’re paying them for.
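The three steps above amount to building an asset register for open-source components that records where each one came from, what licence it carries and whether it is distributed (the act that triggers copyleft obligations). The following is an added example written for this article, not code from the author or from Irwin Mitchell: it classifies SPDX licence expressions into permissive, weak-copyleft and strong-copyleft, resolves OR/AND expressions the way a licensee may (an OR lets you pick the least restrictive branch; an AND binds you to the most restrictive), flags entries that need attention, and produces a register sorted with the most pressing items first. The component names, versions and origins are constructed sample data, and the licence identifier tables are a deliberately small subset.

```python
"""Inventory of open-source components with licence classification.

Added illustrative example; not a tool from the article's author. The
component list below is constructed sample data, not a real audit result.
"""
from dataclasses import dataclass
from typing import Dict, List

# Small SPDX identifier tables (assumption: suppliers declare SPDX-style ids).
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC", "Zlib"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}

# Higher rank = more restrictive; "unknown" ranks highest because an
# unverified licence is the riskiest state for an asset register.
RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2, "unknown": 3}


@dataclass
class Component:
    name: str
    version: str
    licence: str       # SPDX expression as declared by the package or supplier
    origin: str        # where it was found, e.g. "in-house repo", "appliance firmware"
    distributed: bool  # shipped to third parties? copyleft bites on distribution, not use


def classify_id(spdx_id: str) -> str:
    """Map a single SPDX identifier to a category; anything unrecognised is unknown."""
    spdx_id = spdx_id.strip()
    if spdx_id in PERMISSIVE:
        return "permissive"
    if spdx_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    return "unknown"


def classify_expression(expr: str) -> str:
    """Classify an SPDX expression such as 'GPL-2.0-only OR MIT'.

    SPDX gives AND higher precedence than OR, so OR is split first.
    OR: the licensee may choose, so the least restrictive branch governs.
    AND: every licence applies, so the most restrictive branch governs.
    Parentheses are not handled (assumption: flat expressions only).
    """
    if " OR " in expr:
        return min((classify_expression(p) for p in expr.split(" OR ")),
                   key=RANK.__getitem__)
    if " AND " in expr:
        return max((classify_expression(p) for p in expr.split(" AND ")),
                   key=RANK.__getitem__)
    return classify_id(expr)


def build_register(components: List[Component]) -> List[Dict[str, str]]:
    """Produce asset-register rows, most pressing (unknown/copyleft) first."""
    rows = []
    for c in components:
        category = classify_expression(c.licence)
        flags = []
        if category == "unknown":
            flags.append("licence-unverified")          # ask supplier/developer to disclose
        if category == "strong-copyleft" and c.distributed:
            flags.append("copyleft-obligations-triggered")  # distribution, not mere use
        rows.append({"name": c.name, "version": c.version, "licence": c.licence or "(none declared)",
                     "category": category, "origin": c.origin,
                     "flags": ",".join(flags) or "-"})
    # Stable sort keeps input order within a category.
    return sorted(rows, key=lambda r: -RANK[r["category"]])


def summarise(register: List[Dict[str, str]]) -> Dict[str, int]:
    """Count register rows per licence category."""
    counts: Dict[str, int] = {}
    for row in register:
        counts[row["category"]] = counts.get(row["category"], 0) + 1
    return counts


# Constructed sample inventory, as a discovery pass across the stack might produce it.
SAMPLE_COMPONENTS = [
    Component("acme-http", "2.1.0", "Apache-2.0", "in-house repo", False),
    Component("xmlparse", "1.4.2", "MIT", "appliance firmware", False),
    Component("cli-readline", "6.3", "GPL-3.0-or-later", "supplier product", True),
    Component("dual-lib", "1.0", "GPL-2.0-only OR MIT", "in-house repo", True),
    Component("vendor-blob", "4.2", "LicenseRef-Proprietary AND LGPL-2.1-only", "appliance firmware", False),
    Component("mystery-js", "0.3", "", "contractor code", True),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_COMPONENTS):
        print(f'{row["name"]:14} {row["version"]:6} {row["category"]:16} {row["origin"]:18} {row["flags"]}')
    print(summarise(build_register(SAMPLE_COMPONENTS)))
```

The register output is what feeds the patching regime: every row, whatever its licence category, is a version you now know you are running. The two flags map onto the article's two risks: `copyleft-obligations-triggered` is the infringement risk and only fires when the component is distributed, while `licence-unverified` marks the components a supplier or contractor has not disclosed properly and which should be challenged.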

Open-source software is a huge resource, and you absolutely should leverage it, because if you don’t, your competitors will. Just make sure you can manage the resulting security challenges.

Daniel Hedley is a senior associate at law firm Irwin Mitchell LLP.
