The Hidden Licensing and Security Risks Lurking in Open-Source Software
News provided by Eracent, Sep 25, 2023, 08:25 ET


Walt Szablowski, Founder and Executive Chairman of Eracent, cautions that there is a blind spot for software asset procurement and management teams when selecting and managing software products. It's imperative for all application users and developers to understand what licensing requirements and potential security risks are involved in widely used open-source software (OSS). Maintaining compliance and protecting against vulnerabilities requires complete visibility and constant vigilance to ensure legal compliance, protect intellectual property, and avoid costly litigation and security breaches.

RIEGELSVILLE, Pa., Sept. 25, 2023 /PRNewswire-PRWeb/ -- According to GitHub's 2022 Octoverse Report, 97% of the software code used within modern applications is open source, with 90% of companies leveraging the low-cost and agile benefits of OSS.(1) Synopsys researchers discovered that 84% of commercial and proprietary code bases have at least one known open-source vulnerability, and 48% contain high-risk vulnerabilities.(2) Walt Szablowski, Founder and Executive Chairman of Eracent, which has provided complete visibility into its large enterprise clients' networks for over two decades, cautions that "Many companies don't understand the licensing structure of open-source software and are opening themselves up to hidden risks and unnecessary liabilities. Companies need to scrutinize what they are buying to mitigate the cybersecurity and financial risks when relying on open-source software."

Software licenses are legal agreements that dictate how software can be used. Open-source licenses allow users to access, modify, and distribute source code under specified terms. In contrast, proprietary software can only be accessed and modified by the company that owns the source code, which is protected by a proprietary software license. Open-source licenses provide the legal framework protecting the rights of the software creators and users and are broadly categorized as copyleft and permissive. In a copyleft licensing model, the creator asserts their copyright while granting others the freedom to utilize, alter, and share the work. However, anyone who incorporates that work into their own projects must reciprocate by granting the same freedoms.

Reciprocity in open-source software refers to the principle of giving back to the open-source community when benefitting from open-source projects. It is a fundamental concept in open-source development and is often associated with open-source licenses like the GNU General Public License (GPL) and the Mozilla Public License (MPL). Reciprocity emphasizes the idea that the benefits of open source should be shared with the community. It encourages collaboration, contribution, and the continued growth and improvement of open-source projects.

On the other hand, a permissive open-source license, or non-copyleft, offers the liberty to use, modify, and redistribute the work, even for creating proprietary derivative applications, with minimal constraints.(3)

Strong copyleft licenses require that any additional, enhanced, or modified code must inherit all the original work's license requirements, such as making the code publicly available. The GPL is the most recognized example of a strong copyleft license. In contrast, weak copyleft licenses require that only the source code of the original or modified work be made publicly available. Open-source licenses grant considerable freedoms, but rarely without conditions. Most demand attribution through a copyright and permission notice, sometimes requiring the full license text and publication of the source code. Others introduce extra terms regarding patents, trademarks, data, and privacy, complicating compliance.(4)

Szablowski warns, "There can be a sinister side to copyleft. When a company develops and sells software they created using OSS or uses it internally, they need to credit the developer of the OSS by name. Failing to utilize OSS according to the structured terms outlined in the original copyleft license can lead to seriously damaging financial consequences. The original developer could demand that a company that spent years and millions of dollars developing its proprietary software be forced to provide the product to the public for free. There could be expensive litigation and even penalties for other organizations using the software."

A newsworthy example of the critical nuances of OSS licensing claims involves Microsoft, GitHub, and OpenAI, which are currently facing a class action lawsuit alleging copyright infringement. The lawsuit claims that their code-generating AI, Copilot, used licensed code snippets without proper attribution. The tool, trained on billions of lines of public code, converts natural language into code snippets across many programming languages, raising concerns over potential violations of open-source licensing. There have also been reports of Copilot inadvertently exposing secrets from public repositories, such as Application Programming Interface (API) keys included in its training data. The complaint filed in a California court seeks $9 billion in damages, alleging potentially millions of violations of the Digital Millennium Copyright Act (DMCA) Section 1202.(5)

Procurement teams must carefully inspect the open-source content of commercial applications that they are considering for purchase or subscription to head off security risks at the pass. Application development teams must take the idiosyncrasies of open-source licensing into account when designing, creating, deploying, and updating programs. Companies should consider adding ongoing management and governance processes to their Software Asset Management program.

Non-compliance with open-source licenses can have serious consequences, including legal action, financial losses, project delays, and damage to a company's reputation. To avoid these potential risks, businesses must understand and adhere to open-source license terms. Utilizing open-source software can expose businesses to liability issues, such as copyright infringement and breach of contract. Mitigating these risks requires compliance, educating development teams, and license tracking tools.(6)

One of the often-promoted advantages of open-source software is the idea that with a large user base inspecting the code, security vulnerabilities can be detected and disseminated more rapidly. However, the reality is that most users primarily assess the software's functionality and lack the expertise needed to pinpoint potential security issues. OSS undergoes constant updates and can eventually become outdated or even obsolete. A study conducted by Veracode examined 13 million scans across 86,000 repositories and 301,000 unique libraries, revealing that in nearly 80% of cases, developers do not update third-party libraries after incorporating them into an application. The study further noted that almost all repositories include libraries with at least one vulnerability, which can cascade into every application that uses that code.(7)

A zero-day is a previously unknown software, hardware, or firmware security weakness. The term "zero-day vulnerability" refers to the specific flaw, whereas a "zero-day attack" denotes an attack with zero days between when the hazard is discovered and when the first attack takes place. Malicious actors employ zero-day exploits, frequently through malware, to capitalize on these weaknesses. Typically, when a security issue is identified, it is reported to the software publisher, which can then issue a remedy. However, in cases where a malicious hacker is the first to uncover the defect, there is no pre-existing protection, underscoring the importance of early detection protocols.(8)

In May 2021, the White House issued Executive Order 14028, "Improving the Nation's Cybersecurity." This order sets forth cybersecurity requirements for software publishers and developers engaging with the Federal Government. One significant provision stipulates that software developers must provide a Software Bill of Materials (SBOM).(9) An SBOM is a comprehensive inventory of components and libraries comprising a software application. SBOMs typically include details regarding the content of a software application, encompassing open-source and proprietary codes, associated licenses, versions in use, component download locations, dependencies, and sub-dependencies. One notable advantage of SBOMs is their capacity to assist organizations in identifying potential vulnerabilities within the components constituting a software application, thereby mitigating security risks.
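As an added illustration of the license families described earlier and of the SBOM inventory described above (example code, not Eracent's or PRWeb's), the following script reads a small CycloneDX-style SBOM, classifies each component's declared license as strong copyleft, weak copyleft, permissive, or unknown, and matches component versions against an advisory list. The SBOM, the component names, and the advisory identifiers are all constructed sample data.

```python
"""Triage a CycloneDX-style SBOM for copyleft obligations and known-vulnerable
components. Added example, not Eracent's or PRWeb's code; the SBOM and the
advisory feed below are constructed sample data, not real advisories."""
import json

# License families as the article describes them, keyed by SPDX identifier.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}

# Constructed SBOM in CycloneDX JSON shape: components carry name, version, licenses.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"name": "fastjson-lite", "version": "1.2.3", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "imgcodec", "version": "0.9.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "netwrap", "version": "2.0.0", "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
    {"name": "mystery-util", "version": "4.1.0", "licenses": []}
  ]}""")

# Constructed advisory feed: component -> [(placeholder id, first affected, first fixed)].
SAMPLE_ADVISORIES = {
    "fastjson-lite": [("EXAMPLE-2023-0001", "1.0.0", "1.2.4")],
    "imgcodec": [("EXAMPLE-2023-0002", "0.0.0", "1.0.0")],
}


def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def license_family(component):
    """Classify a component by its declared SPDX ids; no declaration means unknown."""
    ids = [entry.get("license", {}).get("id") for entry in component.get("licenses", [])]
    ids = [i for i in ids if i]
    if not ids:
        return "unknown"  # obligations cannot be assessed without a declared license
    if any(i in STRONG_COPYLEFT for i in ids):
        return "strong-copyleft"
    if any(i in WEAK_COPYLEFT for i in ids):
        return "weak-copyleft"
    if all(i in PERMISSIVE for i in ids):
        return "permissive"
    return "unknown"


def vulnerable_versions(name, version, advisories):
    """Return advisory ids whose [introduced, fixed) range contains the version."""
    v = parse_version(version)
    return [aid for aid, lo, hi in advisories.get(name, [])
            if parse_version(lo) <= v < parse_version(hi)]


def triage(sbom, advisories):
    """Produce one finding per component; flag copyleft/unknown licenses and open advisories."""
    findings = []
    for c in sbom["components"]:
        fam = license_family(c)
        vulns = vulnerable_versions(c["name"], c["version"], advisories)
        findings.append({"name": c["name"], "version": c["version"],
                         "license_family": fam, "advisories": vulns,
                         "needs_review": fam in ("strong-copyleft", "unknown") or bool(vulns)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(finding)
```

Real SBOMs often carry license expressions (`"expression": "MIT OR GPL-2.0-only"`) rather than single ids, so a production version would need an SPDX expression parser in place of the simple id lookup.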

The best way to counter these risks is to minimize the unknown. Eracent maintains and curates the IT-Pedia® Open Source Library, which provides essential — and up-to-date — information about potential vulnerabilities within open-source components and libraries. This vulnerability data is a foundational piece for any cybersecurity program. This data is a critical input for Eracent's ICSP Application Risk Management (ARM) module. The ARM module provides a consolidated repository, comprehensive management, and automated analysis for every SBOM that an organization has for the applications that it utilizes. In conjunction with Eracent's ITMC Discovery™, the ARM module provides a match between known vulnerabilities and any installed software that may contain potentially vulnerable open-source components and libraries.

Szablowski explains, "If you don't know the vulnerabilities, you can't fix the problems. It's about transparency that enables you to identify, quantify, and prioritize risks with a consolidated, proactive management approach using structure, automation, and heads-up reporting."

About Eracent
Walt Szablowski is the Founder and Executive Chairman of Eracent and serves as Chair of Eracent's subsidiaries (Eracent SP ZOO, Warsaw, Poland; Eracent Private LTD in Bangalore, India, and Eracent Brazil). Eracent helps its customers meet the challenges of managing IT network assets, software licenses, and cybersecurity in today's complex and evolving IT environments. Eracent's enterprise clients save significantly on their annual software spend, reduce their audit and security risks, and establish more efficient asset management processes. Eracent's client base includes some of the world's largest corporate and government networks and IT environments. Dozens of Fortune 500 companies rely on Eracent solutions to manage and protect their networks. To learn more, visit http://www.eracent.com.

References:
1) Plumb, Taryn. "GitHub's Octoverse Report Finds 97% of Apps Use Open Source Software." VentureBeat, 10 Nov. 2022, venturebeat.com/programming-development/github-releases-open-source-report-octoverse-2022-says-97-of-apps-use-oss/.
2) "At Least One Open Source Vulnerability Found in 84% of Code Bases: Report." CSO Online, 23 Feb. 2023, csoonline.com/article/574607/at-least-one-open-source-vulnerability-found-in-84-of-code-bases-report.html.
3) "Top Open Source Licenses Explained." Mend, 28 Aug. 2023, mend.io/blog/top-open-source-licenses-explained/.
4) Debricked Editorial Team. "Open Source License Families and More." Debricked, 26 Aug. 2022, debricked.com/blog/open-source-license-families-compliance/.
5) Toulas, Bill. "Microsoft Sued for Open-Source Piracy through Github Copilot." BleepingComputer, 4 Nov. 2022, bleepingcomputer.com/news/security/microsoft-sued-for-open-source-piracy-through-github-copilot/.
6) "Open Source Licenses to Avoid: Exploring the Legal Risks." Montague Law, 7 Sept. 2023, montague.law/blog/open-source-licenses-to-avoid/.
7) "Glaring Gap in Open Source Security: Veracode Finds 80 Percent of Libraries Used in Software Are Never Updated." Veracode, veracode.com/press-release/glaring-gap-open-source-security-veracode-finds-80-percent-libraries-used-software-0. Accessed 8 Sept. 2023.
8) Posey, Brien, and Sharon Shea. "What Is a Zero Day Vulnerability Exploit?" TechTarget Security, 30 Jan. 2023, techtarget.com/searchsecurity/definition/zero-day-vulnerability.
9) "Executive Order on Improving the Nation's Cybersecurity." Cybersecurity and Infrastructure Security Agency (CISA), cisa.gov/topics/cybersecurity-best-practices/executive-order-improving-nations-cybersecurity. Accessed 8 Sept. 2023.

Media Contact

Karla Jo Helms, JOTO PR™, 727-777-4619, [email protected], jotopr.com

SOURCE Eracent