What is open source software?

The idea of making source code freely available originated in 1983 from an ideological movement informally founded by Richard Stallman, a programmer at MIT. Stallman believed that software should be accessible to programmers so they could modify it as they wished, with the goal of understanding it, learning about it, and improving it.ⁱ Stallman began releasing free code under his own license, called the GNU Public License. This new approach and ideology surrounding software creation took hold and eventually led to the formation of the Open Source Initiative in 1998.ⁱ

The Open Source Initiative (OSI) was created to promote and protect open source software and communities.ⁱⁱ In short, the OSI acts as a central informational and governing repository of open source software. It provides rules and guidelines for how to use and interact with OSS, as well as providing code licensing information, support, definitions, and general community collaboration to help make the use and treatment of open source understandable and ethical.ⁱⁱ

Open source code is usually stored in a public repository and shared publicly. Anyone can access the repository to use the code independently or contribute improvements to the design and functionality of the overall project.

OSS usually comes with a distribution license. This license includes terms that define how developers can use, study, modify, and most importantly, distribute the software.ⁱⁱⁱ According to the Black Duck® KnowledgeBase, five of the most popular licenses are:

• MIT License
• GNU General Public License (GPL) 2.0—this is more restrictive and requires that copies of modified code are made available for public use
• Apache License 2.0
• GNU General Public License (GPL) 3.0
• BSD License 2.0 (3-clause, New or Revised)—this is less restrictive^iv

• GNU/Linux
• Mozilla Firefox
• VLC media player
• SugarCRM
• GIMP
• VNC
• Apache web server
• LibreOffice
• jQuery

The short answer is no. With multiple parties making modifications and improvements, it’s inevitable that open source software will contain quality, performance, and security flaws. However, the broad base of code contributors can also mean that bugs are identified and fixed faster.

No matter the type of software—open source or commercial—code flaws will exist. The main difference is who is responsible for fixing the bugs; for commercial software, vendors are responsible, whereas the consumer is responsible for open source software. With a robust set of AppSec tools and practices in place, OSS can be easily secured.

Pros of open source software

• Open source software is free.
• Open source is flexible; developers can examine how the code works and freely make changes to dysfunctional or problematic aspects of the application to better fit their unique needs.
• Open source is stable; the source code is publicly distributed, so users can depend on it for their long-term projects since they know that the code’s creators cannot simply discontinue the project or let it fall into disrepair.
• Open source fosters ingenuity; programmers can use pre-existing code to improve the software and even come up with their own innovations.
• Open source comes with a built-in community that continuously modifies and improves the source code.
• Open source provides great learning opportunities for new programmers.^v

• Open source can be harder to use and adopt due to difficulty setting it up and the lack of friendly user interfaces.
• Open source can pose compatibility issues. When attempting to program proprietary hardware with OSS, there is often a need for specialized drivers that are typically only available from the hardware manufacturer.  
• Open source software can pose liability issues. Unlike commercial software, which is fully controlled by the vendor, open source rarely contains any warranty, liability, or infringement indemnity protection. This leaves the consumer of the OSS responsible for maintaining compliance with legal obligations.
• Open source can incur unexpected costs in training users, importing data, and setting up required hardware.^vi

While open source software offers a multitude of benefits, it introduces a whole new level of software risk management. It is critical that an organization utilizing OSS, or acquiring codebases that contain OSS in a merger or acquisition, truly understand what is in their code so they can effectively manage and secure it. The Black Duck solution suite offers complete open source coverage, so you can use OSS confidently. 

If you want to learn more about open source risk and how to mitigate it, here are some steps you can take:

1. Read the annual "Open Source Security and Risk Analysis" (OSSRA) report to understand the current state of open source vulnerabilities and risks.
2. Research open source risk management organizations and consulting firms that can provide guidance and tools for identifying and addressing open source risks in your own organization.
3. Look for articles, blogs, and webinars online that offer tips and best practices for managing open source risk.
4. Get in touch with experts in the field of open source risk management, to get personalized advice and guidance tailored to your organization's specific needs.
5. Consider implementing automated solutions for open source management and security, to help you detect and resolve vulnerabilities, and to stay compliant with open source licenses.

By taking these steps, you can learn more about open source risk and take the necessary steps to mitigate it, ensuring the security and compliance of your organization's software.