Open source software (OSS) gives access to a never-ending pool of external development resources. It is simply more efficient to reuse building blocks from others than to write them yourself. Businesses should see it as a valuable resource - one that requires managing.
Using OSS to build applications allows access to additional developer resources and expertise that wouldn’t otherwise be available. The downside - you have no influence over the persons behind the component or their direct actions. And there is no reason to blindly trust them.
We need to start viewing open source as a resource like any other, one that needs to be managed and invested in. For internal development resources this is the norm: you spend time and money hiring the best candidates and continuously invest in their skills and performance. Put some of that same effort into the safe use of open source - instead of taking it for granted.
Open source in short
If you’re not working with software development in your day-to-day work, then perhaps the analogy in the title is not self-explanatory. Not to worry, let’s walk through it.
Open source software is the foundation of most modern applications. Today there is no need to start from scratch every time you are to deliver a feature. There are millions of already finished components ready to be used - and they are only a few letters on the keyboard away from being nested in your application and inside your environments.
What makes something open source is that the source code for all these components are freely available to everyone and anyone, to view, duplicate, work on etc. That means that as long as you adhere to licenses of components, you can use them in your applications to serve your needs.
Open source software (OSS) has proven to be an explosive engine for business growth, and it is everywhere. For ecosystems like JavaScript / npm the figures speak for themselves:
- 99% of projects use open source components to some extent.
- An astonishing 70% of all code used to run applications is open source.
So massive gains - what’s the downside?
When your application utilizes external dependencies you’ll depend on developers who you can exert no direct control over. Without such control, how do you know whether the open source components in your codebase are being maintained and adhere to your security guidelines?
Let that sink in. Core components of your business are probably relying on components that your dev team has never reviewed or seen the insides of. Eye-opening, isn’t it?
And to be clear, open source is a positive thing. We wholeheartedly support it and use it every day in our own apps. But like most things in life it needs some safeguards to make sure everyone is playing by the rules.
Using a particular open source component extensively? Support it!
Sponsor, buy the developers some coffee or spend some development time on improving it.
The solution - insert control into your supply chain
Not everyone can be an expert - and fortunately you don’t have to be. Committing to safe use of open source can be as simple as supporting the right process and tools for your organization. Tooling that:
- Keeps track of the open source software used - across your whole organization
- Scans for security threats - and keeps potential issues out
- Highlights issues early - for easier and more cost-effective remediation
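To make the three capabilities above concrete for the npm ecosystem the post uses as its example, here is an added illustration (not Bytesafe’s code, and not part of the original post) of the minimal logic behind them: build an inventory of every package pinned in a lockfile, then match that inventory against an advisory list and flag anything that needs attention. The lockfile fragment, the package names, the advisory identifiers and the `fixedIn` versions are all constructed for the demo; the lockfile layout follows the `packages` map used by npm lockfile versions 2 and 3.

```javascript
// Constructed npm lockfile fragment (lockfileVersion 3 "packages" map).
// Package names, versions, URLs and integrity strings are made up for this demo.
const LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad-demo": {
      version: "1.1.3",
      resolved: "https://registry.example/left-pad-demo-1.1.3.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    "node_modules/left-pad-demo/node_modules/util-demo": {
      version: "0.9.0",
      resolved: "https://registry.example/util-demo-0.9.0.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    // Dev dependency with no integrity hash recorded (a hygiene issue worth surfacing).
    "node_modules/http-client-demo": { version: "2.4.1", dev: true },
  },
};

// Constructed advisory feed: a package is affected when its version is below fixedIn.
const ADVISORIES = [
  { id: "DEMO-ADV-0001", name: "util-demo", fixedIn: "1.0.0", severity: "high" },
  { id: "DEMO-ADV-0002", name: "http-client-demo", fixedIn: "2.4.0", severity: "moderate" },
];

// Compare plain x.y.z versions numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Capability 1: keep track of what is used. One entry per installed package,
// including nested copies, with the package name derived from its install path
// (this also handles scoped names such as @scope/pkg).
function inventory(lock) {
  const marker = "node_modules/";
  const items = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "") continue; // root project entry
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    items.push({
      name,
      version: meta.version,
      path,
      dev: Boolean(meta.dev),
      hasIntegrity: typeof meta.integrity === "string",
    });
  }
  return items;
}

// Capability 2 and 3: scan the inventory against advisories and surface issues
// early, with enough context (path, severity) for whoever has to remediate.
function findings(items, advisories) {
  const out = [];
  for (const item of items) {
    for (const adv of advisories) {
      if (adv.name === item.name && compareVersions(item.version, adv.fixedIn) < 0) {
        out.push({ id: adv.id, severity: adv.severity, name: item.name,
                   version: item.version, path: item.path, fixedIn: adv.fixedIn });
      }
    }
    if (!item.hasIntegrity) {
      out.push({ id: "MISSING-INTEGRITY", severity: "info", name: item.name,
                 version: item.version, path: item.path });
    }
  }
  return out;
}

// Stand-alone usage: print the inventory and any findings.
const items = inventory(LOCKFILE);
console.log(`Inventory: ${items.length} packages`);
for (const f of findings(items, ADVISORIES)) {
  console.log(`[${f.severity}] ${f.id}: ${f.name}@${f.version} at ${f.path}`);
}
```

A real tool would pull advisories from a live feed and understand full semver ranges; the point of the demo is that the inventory step has to come first, since you cannot scan or quarantine what you have not enumerated, and that nested copies of a package are easy to miss if you only look at the top level of `node_modules`.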
Bytesafe allows you to combine your team’s need for a private registry for your application with security.
When your developers add public open source dependencies or private proprietary components in your applications, they also add those dependencies to Bytesafe.
Bytesafe identifies all the components your team is using and keeps track of them for you. Your supply chain is kept secure as part of the firewall where threats are automatically quarantined. And all issues are highlighted for you - accessible to all team members.