Gartner: The Crucial Role of Open Source Software License Compliance


December 23, 2019

Gartner’s report, Technology Insight for Software Composition Analysis, makes four recommendations to improve software security. The first is to ensure a software bill of materials (or SBOM) exists for every software application; an SBOM illuminates all component parts and assists with rapid remediation, when necessary. The second recommendation is to “harden” the software supply chain; in other words, reinforce all internal and external code so that the entire system is more resilient.

Gartner’s third recommendation elevates governance of open source software (OSS) licensing. OSS licensing is an important governance consideration, and managing it is central to secure development. Operating without license compliance, intentionally or not, invites peril.

Governing Open Source Licenses

Virtually all contemporary, proprietary software incorporates OSS components. Most open source components include licenses. (OSS without an explicit license should never be used because the authority to do so is unclear.) So how could these licenses be overlooked, ignored, or dismissed? It starts with the sheer volume of OSS in a typical application. Writes Gartner:

“One vendor-conducted study revealed 96% of codebases examined contained at least some open source, and 40% of those packages contained at least one high-risk vulnerability. In most modern DevOps development projects, the majority of code used in an application is made up of open source — with the remaining code largely serving as “glue” to assemble and invoke the various functions.” Emphasis added.
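The two points above, an SBOM for every application and a refusal to use OSS that carries no explicit license, can be enforced together by auditing the SBOM. The following is an added example, not code from Gartner or ITAM Channel; the SBOM it reads is a constructed CycloneDX-style JSON document, and it accepts both the `license` object and the SPDX `expression` forms that CycloneDX allows.

```python
"""Audit a CycloneDX-style SBOM for components with no explicit license.

Constructed example. The policy enforced is the article's own: a component
that declares no license is rejected.
"""
import json

# Constructed sample SBOM in CycloneDX JSON shape (not a real inventory).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "licenses": [{"license": {"id": "WTFPL"}}]},
        {"type": "library", "name": "glue-utils", "version": "0.1.0",
         "licenses": [{"expression": "MIT OR Apache-2.0"}]},
        {"type": "library", "name": "mystery-lib", "version": "2.0.0"},
        {"type": "library", "name": "half-declared", "version": "4.2.1",
         "licenses": [{"license": {}}]},  # entry present but empty
    ],
})


def declared_licenses(component):
    """Return the license ids, names or SPDX expressions a component declares.

    CycloneDX permits each entry to be {"license": {"id"|"name": ...}} or
    {"expression": "<SPDX expression>"}; anything else counts as undeclared.
    """
    found = []
    for entry in component.get("licenses") or []:
        if entry.get("expression"):
            found.append(entry["expression"])
            continue
        lic = entry.get("license") or {}
        ident = lic.get("id") or lic.get("name")
        if ident:
            found.append(ident)
    return found


def audit_sbom(sbom_json):
    """Return (name, version) of every component lacking an explicit license."""
    sbom = json.loads(sbom_json)
    return [(c.get("name"), c.get("version"))
            for c in sbom.get("components", [])
            if not declared_licenses(c)]


if __name__ == "__main__":
    for name, version in audit_sbom(SAMPLE_SBOM):
        print(f"REJECT {name}@{version}: no explicit license declared")
```

Run against a real SBOM produced by your build tooling, the rejected list is the set of components that must either be relicensed, replaced, or removed before release.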
