Reduce Your Investment Risk: Open Source Vulnerability Scan

All across Europe, we are witnessing astonishing levels of growth within the tech sector, thanks to business decision makers increasingly making this area a priority for their investments. In fact, the UK is one of only three nations worldwide to have created more than 100 tech unicorns (1) – private companies valued at over $1bn. 

This means that there is no time like the present for investors and businesses to stop and reconsider their approach when it comes to reducing investment risk in tech deals.

When it comes to risk prevention, it is common practice for investors to concentrate their due diligence efforts on financial, legal and operational matters, while leaving a lot to be desired when it comes to protecting themselves from software risks. Given that software is a primary asset of almost every investment in the tech sector, this is an area that should be much more of a priority in investors' overall due diligence process.

More often than not, when tech due diligence is carried out, it tends to be implemented manually by non-experts, which then leads to an analysis which is far from comprehensive. As a result, a thorough assessment of the use of open source software of the company is lacking, which can then pose some significant risks.

In this article, we will outline exactly how inadequate open source vulnerability management can put your investments at risk, and how investors can mitigate these risks in the most efficient way: through the use of an open source vulnerability scanner.


So what is Open Source Software?

Open source software is software that developers can inspect, copy, modify and redistribute. This is different from application software, which is designed for end-users and does not allow developers to adapt it in any way (such as Skype or the Microsoft suite).

A huge part of the open source community is the shared values on which it operates when it comes to collaboration, and it is because of these values that the popular software development platform GitHub saw a 35% increase in the number of code repositories created in 2020 compared to the previous year. The reality is that the use of open source software can almost be considered a necessity for developers today, as fast development is essential for businesses to increase market share and gain a competitive edge.

For reasons such as these, there are many benefits to integrating open source code within the code repositories of commercial software, so let us reiterate that it certainly should not be viewed with fear by business leaders and investors. For starters, open source code is less likely to become obsolete than in-house developed code, as developers can always rely on the support of the strongly connected open source community when it comes to the need for updates or bug fixes. That very same community can also enable organisations to overcome hiring complications and save money, as they can always work with open source developers as an alternative.

But there is one catch: investors will not be able to take advantage of these benefits on a long-term basis if their open source vulnerability management is not thorough enough, which is often the case.

Intellectual Property Licence Restrictions: a Threat to your Investments?

Open source licencing can be complex, but on the intellectual property side, investors need to be particularly aware of the highly restrictive licences that can come with particular code. Copyleft, or ‘non-permissive’, licences require that any redistribution of the software be done under the same terms as stated in the original open source licence. The most commonly used copyleft licence to look out for is the GNU General Public Licence (GPL).

This licence is considered strong copyleft, as it applies both to modifications made to the open source code originally licenced under the GPL and to any work derived from GPL code. As a result, even if a developer uses only a few lines of GPL code, their entire code base is then bound by GPL terms. If organisations choose to use code bound by restrictive licences like the GNU GPL, they must do so with the understanding that their intellectual property could in fact be at risk.


In 2013, Hancom built an open source PDF interpreter called Ghostscript into their word-processing software. Unbeknown to Hancom, Ghostscript was bound by the GNU GPL, so according to the licence's terms Hancom should have made its entire app suite open source and in effect lost its IP rights. Hancom did not provide the source code to their product (and did not elect to purchase a commercial licence), which put them in conflict with the licence under which Ghostscript is distributed.

In 2017 Artifex, the developer of Ghostscript, filed a lawsuit (2), which resulted in the US District Court ruling in Artifex's favour (3). The exact terms of the settlement of course remain confidential, but it is fair to assume that Hancom suffered significantly in terms of finances, reputation and intellectual property rights. Had they used an open source vulnerability scanner prior to implementation, the licence would have been reported and the situation could have been avoided.

Let’s Talk Open Source Software Licencing

Even when not as strict as the GNU GPL, all open source licences need to be carefully reviewed by businesses so that they are fully aware of the restrictions they must comply with. All open source licences share common principles inscribed in the ‘essential freedoms’ of the open source movement, meaning that users are free to use, run, study, modify and redistribute open source software for any and all purposes. But there are many different types of licences out there, so the terms attached to one piece of open source software can be very different from those attached to another.

Differing from the strong copyleft of the GNU GPL, there also exist permissive licences such as the BSD licence, the MIT licence and the Apache Licence v2.0. These licences maintain the ‘essential freedoms’ of the open source community, but do not demand that they be upheld in derivative works. This means that with a permissive licence, developers are free to integrate open source software into their wider codebase without consequences and can distribute the full software under separate licencing terms, something that is not possible with more restrictive licences.

Due to the wide diversity of open source licencing out there, it is standard practice for businesses to continuously monitor and assess the open source code used by their developers, as part of their open source vulnerability management, in order to make sure they do not run into unwanted non-compliance issues.


How to Improve Open Source Vulnerability Management

In the pre-acquisition phase, investors must ensure that they carry out comprehensive software due diligence, including an analysis of the open source licencing restrictions that come with a piece of software. The most in-depth audits tend to use an open source vulnerability scanner, which is able to scan every line of code, combined with a review by experts, to ensure that any use of open source software is identified and assessed accordingly.


Vaultinum's Open Source Vulnerability Scanner

Vaultinum’s Know Your Software Tech Due Diligence offers a source code scan which acts as an open source vulnerability scanner. This reviews both the code itself as well as the business’ internal operational and development processes (such as their open source management strategy) in order to reduce and avoid any possible risks in the future.

In addition, users receive a series of self-audit questionnaires covering Cybersecurity, Intellectual Property, Operations and Third-Party Software assessments.

The results of the online assessment and code audit are then reviewed by our IT experts, who adapt the recommendations to the context of the business. The report includes clear findings, illustrations and an estimated time to fix.

Speak to us today and find out more about how Vaultinum’s Know Your Software Tech Due Diligence assists investors with their open source vulnerability management, giving them the reassurance needed to make informed decisions.


(1) https://technation.io/news/tech-unicorns-dont-appear-by-magic

(2) https://bit.ly/3IcaDd3

(3) https://www.linux.com/topic/open-source/artifex-v-hancom-open-source-now-enforceable-contract

Kristin Avon Senior Legal Officer Vaultinum
Kristin A.Kristin is a registered US attorney specializing in the areas of IP and technology law. She is a member of Vaultinum’s Strategy and Legal Commissions charged with overseeing and implementing the policies and processes related to the protection of digital assets.