Research and analysis

Open source software best practice & supply chain risk management

This research maps and evaluates existing best practices for managing risks related to open-source software.

Details

The government is working to improve the security and resilience of software. This research has been commissioned by the Department for Science, Innovation and Technology (DSIT) to inform the development of software security and resilience policy.

Open source software is widely used across the economy. It is an important source of innovation and is often incorporated into other software and systems. However, open source components may lack ongoing maintenance due to resource constraints, and because they are so widely reused, a vulnerability in a single component can indirectly affect many other components and users. As part of its work on software, the government is therefore looking at how to address risks in the open source space.

This research includes an analysis of current best practice guidance on how organisations should manage risks when they use open source software components in their own software development activities. The paper explores how well existing guidance meets the needs of businesses across the economy. It also recommends which future best practices should be prioritised as both impactful and achievable for organisations of different sizes and sectors.

The government understands that open source software is vital to innovation and efficiency in software used across all economic sectors, supporting both day-to-day business operations and growth. However, in recent years open source dependencies, and the mismanagement of the risks associated with them, have become a source of disruption through software failures and cyber attacks targeting software supply chains. The insights and recommendations in this research could inform future public or private sector interventions to promote best practices for managing open source software risk.

For more information on the government’s work to improve the security and resilience of software, please see:

This research is part of the government’s wider work to improve the UK’s cyber defences and protect and grow the economy.

Updates to this page

Published 3 March 2025
