A Warning for Founders About Open Source Software and Lean Teams
Founders of startups are mostly interested in getting a minimum viable product (MVP) out the door as quickly as possible. This is quite reasonable and is what the investors likely want. After all, if there is no product, there is no revenue.
One common way to get there is to cut cost by relying on open source software and keeping teams lean. While this does save money, at least in the short term, it is not without risk.
While this risk applies to startups, it also applies to any company using open source software.
The theory is that if we use open source software we don’t have to deal with software license fees and we can reduce staff because we are writing less code.
By the way, even the claim that you do not have to deal with software licenses is wrong. Open source licenses carry obligations of their own, such as preserving attribution and, for copyleft licenses, releasing the source of derived work.
On the other hand, if these founders assume that open source software is bug free because, after all, the source code is open and is being examined by thousands of people, that would be a big mistake.
In fact, most open source software is developed by a small handful of developers, who usually have a day job. On top of that, many open source packages are abandoned and not maintained by anyone. A developer created it, thought it could be useful, posted it to GitHub or PyPI, among many other repositories, and never touched it again.
But even extremely mainstream open source software (ever hear of Linux?) has bugs. Linux is patched frequently.
This week cURL, a 25-year-old utility with over ten billion installations, patched a high-severity heap overflow in its SOCKS5 proxy handling. The bug is all the more dangerous now that it is publicly known.
A year ago, a fix for a high-severity bug in OpenSSL was released with a lot of fanfare.
These are packages that are downloaded millions or even billions of times.
But they are NOT bug free.
Many times developers, in their haste to get to market, don’t even know what is inside their systems. Packages depend on packages that depend on still other packages, often many levels deep.
If you don’t have a detailed software bill of materials (SBoM), then even when a bug like the cURL one is announced, those lean startups – and many other companies – have no way to know whether they are at risk.
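To make the SBoM point concrete, here is an added example (not code from the original article or from any project it mentions) that matches a CycloneDX-style SBoM against an advisory and reports the dependency chain through which a vulnerable component reaches the product. The SBoM, the product name `acme-app`, and the advisory `EXAMPLE-0001` with its version range are all constructed for illustration; they are not a real product or a real vulnerability record. The example also handles the two things that trip up naive checks: numeric version comparison (so that `8.4` is not treated as older than `8.4.0`) and transitive dependencies, which is where the "packages depend on packages" problem actually lives.

```python
"""Match an SBoM against advisories and report the dependency path of each hit.

Added example; the SBoM and advisory below are constructed sample data.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX 1.5-shaped SBoM for a hypothetical product "acme-app".
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:generic/acme-app@1.0.0",
                               "name": "acme-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "pkg:pypi/pycurl@7.45.2", "name": "pycurl", "version": "7.45.2"},
        {"bom-ref": "pkg:generic/libcurl@8.2.1", "name": "libcurl", "version": "8.2.1"},
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/acme-app@1.0.0",
         "dependsOn": ["pkg:pypi/pycurl@7.45.2", "pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/pycurl@7.45.2", "dependsOn": ["pkg:generic/libcurl@8.2.1"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": []},
        {"ref": "pkg:generic/libcurl@8.2.1", "dependsOn": []},
    ],
})

# Constructed advisory: the identifier and range are illustrative, not a real CVE record.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "libcurl", "affected": ">=7.69.0,<8.4.0"},
]

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "==": lambda a, b: a == b}


def parse_version(v: str) -> Tuple[int, ...]:
    """Leading dotted-numeric part only; '8.4.0-rc1' -> (8, 4, 0). Pre-release ordering is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Zero-pad so that (8, 4) compares equal to (8, 4, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated constraint in spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([0-9][0-9A-Za-z.\-]*)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        op, bound = m.groups()
        a, b = _pad(v, parse_version(bound))
        if not _OPS[op](a, b):
            return False
    return True


def load_sbom(text: str):
    """Return (root bom-ref, components by bom-ref, dependency graph)."""
    bom = json.loads(text)
    comps: Dict[str, dict] = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom["metadata"]["component"]
    comps[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    return root["bom-ref"], comps, graph


def find_path(graph: Dict[str, List[str]], start: str, target: str,
              seen: Optional[set] = None) -> Optional[List[str]]:
    """Depth-first search for one dependency chain from start to target; cycle-safe."""
    if start == target:
        return [start]
    if seen is None:
        seen = set()
    if start in seen:
        return None
    seen.add(start)
    for child in graph.get(start, []):
        path = find_path(graph, child, target, seen)
        if path:
            return [start] + path
    return None


def affected_components(sbom_text: str, advisories: List[dict]) -> List[dict]:
    """Every (advisory, component) hit, with the chain from the product to the component."""
    root, comps, graph = load_sbom(sbom_text)
    findings = []
    for adv in advisories:
        for ref, comp in comps.items():
            if comp["name"] != adv["package"]:
                continue
            if version_in_range(comp["version"], adv["affected"]):
                chain = find_path(graph, root, ref) or [ref]
                findings.append({"advisory": adv["id"],
                                 "component": f'{comp["name"]}@{comp["version"]}',
                                 "path": [comps[r]["name"] for r in chain]})
    return findings


if __name__ == "__main__":
    for hit in affected_components(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f'{hit["advisory"]}: {hit["component"]} via {" -> ".join(hit["path"])}')
```

On the constructed data this reports that `acme-app` is exposed to `libcurl@8.2.1` through `pycurl`, a component the product's own requirements never name; that is exactly the finding a team without an SBoM cannot produce. The version parser deliberately ignores pre-release suffixes, so for a real pipeline you would swap in a proper semver or PEP 440 comparison and pull advisory ranges from a vulnerability database rather than a hand-written list.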
As Progress Software is learning the hard way after the MOVEit breach, a software license agreement that says you are not responsible does not make it so. They are defending themselves against dozens and dozens of well-financed companies. Even if they win, which is not a given, it will still cost them millions.
If you are a startup especially, but really any small company, and you integrate open source software into your product, don’t think that you can use “well, it is open source so we thought it was bug free” as a defense in court. That won’t fly.
That doesn’t mean you should not use open source software.
It does mean that you should not ASSUME that open source software is secure.
What you should assume is that it is YOUR responsibility to make sure that any open source software, just like software your team writes internally, is vetted to reasonable business standards.
And, if you contract with a third party to write software for you, you are still responsible and legally liable.
The definition of reasonable is based on your organization’s risk tolerance.
If this concerns you and you have not implemented a secure software development framework, now is the time to do that. Need help? Contact us.
Credit: Tech Crunch