What are Open Source Software License Risks?
Solution Engineer
When someone uses an open source software component or library, they automatically enter into an open source license with the code’s author. Although open source may seem free for any use, and in most cases it is, the license is a legally binding contract that declares how and where you can use the code commercially. In most cases, an open source license permits you to freely modify a work and use it in new ways, such as integrating it into larger projects or developing the original work into an improved version.
Open source licensing is gaining popularity because it promotes a free exchange of ideas within a community to drive creative, scientific, and technological advancement. Many organizations, regardless of size and industry, use open source licenses; however, this can land companies in legal trouble if they inadvertently use code in the wrong way.
Let’s explore some of the risks of using open source licenses and discuss tools to help mitigate this risk for safer, more legally compliant applications.
Open Source Licenses Vary
Open source components usually contain a chain of dependencies. These components and their dependencies have varying licenses. You may be surprised to learn that open source licenses come in more than 200 varieties, with unique (and sometimes confusing) terms and conditions which, let’s face it, we don’t even read most of the time.
The license transforms ordinary code into an actual open source component. Without it, the software component is unusable by others, even if it appears publicly on GitHub.
We can broadly divide open source licenses into two main categories: copyleft and permissive. When a developer releases an open source software component under a copyleft license, anyone is free to use that component as long as they also make their own code open for use by others. A permissive open source license places minimal restrictions on library use. It guarantees the freedom to use, modify, and redistribute a library, including in proprietary derivative works. Developers often refer to these licenses as “anything goes.”
The most common open source licenses include the MIT License, GNU General Public License (GPL), Apache License, Eclipse Public License (EPL), Microsoft Public License (MS-PL), Berkeley Software Distribution (BSD) licenses, and Common Development and Distribution License (CDDL). Some projects have no license at all, which means default copyright law applies to them.
The Problem with Manual Detection
With the myriad possible licenses in open source projects, it’s nearly impossible for developers or security teams to track them all. This is especially true when we’re under pressure to churn out new features at a rapid rate. As such, we can’t rule out the possibility of accidentally importing a restrictively licensed library into an enterprise application’s codebase. If teams don’t detect and mitigate this early enough, it can lead to serious legal issues or other risks, such as substantial financial losses, lost productive time, and even lost clients.
Most developers would rather channel their energy toward building useful new software than toward ensuring license compliance. Therefore, license compliance tracking, monitoring, and remediation often fall on SecOps teams. In that case, we must find a cost-effective way of dealing with the challenge that helps SecOps teams manage the risk while developers build and ship secure applications. This is where Trend Micro Cloud One™ – Open Source Security by Snyk comes in.
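The tracking problem described above comes down to checking the license of every transitive dependency against a policy, not only the libraries named in the manifest, and treating "no license" and "license not in the policy" as findings rather than silent passes. As an added illustration (not Trend Micro's or Snyk's code), the Python below walks a constructed dependency graph, maps each package's SPDX license identifier to a policy category, records the chain of dependencies that introduced each flagged package, and gates the build. The package names, the graph, and the policy table are assumptions made for this example; the classification of real licenses belongs to your legal guidance.

```python
"""Dependency-tree license policy check (illustrative, added example).

This is not Trend Micro or Snyk code. It shows the mechanics an automated
license scanner must perform: walk the *transitive* dependency graph, map
each package's declared license to a policy category, and fail the build
when a non-permissive, unlicensed or unrecognised component is reached.
The package names, graph and policy table below are constructed.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Illustrative policy keyed by SPDX license identifier. The categories follow
# the common reading of these licenses (assumption: confirm with legal guidance).
DEFAULT_POLICY: Dict[str, str] = {
    "MIT": "permissive",
    "BSD-3-Clause": "permissive",
    "Apache-2.0": "permissive",
    "GPL-2.0-only": "copyleft",
    "GPL-3.0-only": "copyleft",
    "EPL-2.0": "copyleft",   # weak copyleft: reciprocity at file level
    "CDDL-1.0": "copyleft",  # weak copyleft: reciprocity at file level
}


@dataclass
class Package:
    name: str
    license: Optional[str]                    # SPDX id, or None if no license ships
    deps: List[str] = field(default_factory=list)


# Constructed dependency graph. The app depends directly only on permissive
# libraries, but its transitive closure contains a GPL component, a component
# with no license at all, and one whose license the policy table does not list.
SAMPLE_TREE: Dict[str, Package] = {
    "app": Package("app", "MIT", ["web-framework", "json-utils"]),
    "web-framework": Package("web-framework", "Apache-2.0", ["template-engine"]),
    "template-engine": Package("template-engine", "GPL-3.0-only"),
    "json-utils": Package("json-utils", "BSD-3-Clause", ["fast-parser", "logging-lib"]),
    "fast-parser": Package("fast-parser", None),      # no license file: default copyright
    "logging-lib": Package("logging-lib", "Zlib"),    # valid SPDX id, absent from policy
}

Finding = Tuple[List[str], str, str]   # (dependency path from root, package, category)


def classify(license_id: Optional[str], policy: Dict[str, str]) -> str:
    """Map a declared license to a policy category.

    No license means default copyright applies (all rights reserved), so it
    gets its own category instead of passing silently; an id the policy does
    not know is "unknown" for the same reason.
    """
    if license_id is None:
        return "unlicensed"
    return policy.get(license_id, "unknown")


def audit(tree: Dict[str, Package], root: str,
          policy: Dict[str, str] = DEFAULT_POLICY) -> List[Finding]:
    """Breadth-first walk of the dependency graph from ``root``.

    Returns one finding per non-permissive package together with the chain of
    dependencies that introduced it, so a developer can see *why* a flagged
    library ended up in the build.
    """
    findings: List[Finding] = []
    seen = {root}
    queue = deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        pkg = tree.get(name)
        if pkg is None:                       # referenced but not resolvable
            findings.append((path, name, "missing"))
            continue
        category = classify(pkg.license, policy)
        if category != "permissive":
            findings.append((path, name, category))
        for dep in pkg.deps:
            if dep not in seen:
                seen.add(dep)
                queue.append((dep, path + [dep]))
    return findings


def build_passes(findings: List[Finding],
                 blocking: Tuple[str, ...] = ("copyleft", "unlicensed", "unknown", "missing")) -> bool:
    """CI gate: True only when no finding falls in a blocking category."""
    return not any(category in blocking for _, _, category in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_TREE, "app")
    for path, name, category in results:
        print(f"{category:10s} {name:16s} via {' -> '.join(path)}")
    print("build passes" if build_passes(results) else "build blocked")
```

Run as a script it lists three findings, each with the path that introduced it (for example `app -> web-framework -> template-engine` for the GPL component), and reports the build as blocked. The same shape, fed by a lockfile or SBOM instead of the constructed table, is what a CI license gate does; the important design choice is that anything not positively approved is a finding.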
Reduce License Risk with Trend Micro
Trend Micro Cloud One™ has partnered with Snyk to help security teams gain early visibility and tracking insight into open source security, library, and license risks, allowing developers to securely use open source code with peace of mind.
It does this by automatically finding, prioritizing, and reporting vulnerabilities and license risks in open source dependencies that applications use. Since it’s part of the Trend Micro Cloud One security services platform, you can integrate this solution into code repositories like GitHub and Bitbucket and your continuous integration and continuous deployment (CI/CD) pipeline.