Where does open source fit into third-party/supply chain risk?

I was having this discussion about open source, and the challenge of even getting people to care about open source components or even the libraries. A lot of general managers aren't going to give a crap about either the open source we're using in our internal operations or the open source that has been embedded in other bits and bytes, because the security issue (ransom, the data leak, etc.) is one of a gazillion things that could happen. What would matter to them is the business model of the risks they might face, depending upon who owns that open source capability, who owns that library, who has the software component that you grabbed and used. They could even bring a patent infringement claim against your business and then hold you hostage that way. I think that would perhaps garner more attention, and then you could kind of sweep all the security stuff under the rug, because if people were doing that level of integrity checking, you could nest the security things underneath it pretty easily.

Anonymous Author
0 upvotes