July 7, 2020

Volume X, Number 189

July 06, 2020

Survey Finds Most Companies Still Lack Formal Policies to Manage Open Source Risks

As highlighted in the Information Week blog DARKReading, a recent study assessing industry trends regarding open source software found that although 78% of organizations surveyed run part or all of their operations on open source software (only 3% of respondents reported not using open source software in any way), a majority of respondents had no formal policies or procedures governing the use of open source software. The study’s findings also highlighted a number of other specific ways the adoption of appropriate internal controls has not kept pace with the increasing use of open source software, leaving many organizations exposed to significant potential risks, including the following:

  • Tracking Use of Open Source Software. According to the study, less than 42% of organizations maintain an inventory of open source components. Tracking the use of open source software is the most fundamental function of an open source software policy. Accurate tracking enables an organization to ensure it uses open source components in accordance with license terms and that such use does not expose the organization to unnecessary risks.

  • Assessing Security Vulnerabilities. The study found that more than 50% of respondents were not satisfied with their ability to understand known security vulnerabilities in open source components, and only 17% planned to monitor open source code for security flaws. Having an open source software policy in place that provides for a system of prior approval and tracking can enable organizations to more easily assess security weaknesses, preempt security issues before components are used in production environments, and maintain approved code to foreclose future security vulnerabilities.

  • Employee Contributions to Open Source Projects. The study found that only 27% of respondents had a formal policy in place governing contributions of code developed by their employees to the open source community. While permitting and encouraging employee contributions has many benefits for an organization, including promoting wider adoption of the organization’s technology and improving its standing with customers, the press, and the open source community, organizations should have a formal policy in place that requires prior approval for open source contributions, including guidelines for approval and the licenses to be used for contributions.

The survey, the Ninth Annual Future of Open Source Survey, was published by Black Duck Software and North Bridge.

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved. National Law Review, Volume V, Number 325

About this Author

Peter Watt-Morse, Morgan Lewis, Intellectual property lawyer

Peter M. Watt-Morse, one of the founding partners of the firm’s Pittsburgh office, has worked on all forms of commercial and technology transactions for more than 30 years. Peter works on business and intellectual property (IP) matters for a broad range of clients, including software, hardware, networking, and other technology clients, pharmaceutical companies, healthcare providers and payors, and other clients in the life science industry. He also represents banks, investment advisers, and other financial services institutions.

Glen Rectenwald, Morgan Lewis, Technology Attorney

Glen W. Rectenwald focuses his practice on technology, outsourcing, and commercial transactions. He regularly assists a broad range of clients with development, licensing, and distribution agreements; strategic alliances and joint ventures; manufacturing and supply agreements; complex outsourcing and strategic commercial transactions; and general commercial matters. Glen’s experience also includes mergers and acquisitions, private equity, venture capital, and general corporate matters.