
Managing open source risk


In the race to deliver better quality software to market, financials often leverage open source libraries through internal and outsourced application development, typically without a thorough risk assessment.

Open source software is, briefly, software released under a license that grants anyone the right to use, study, modify and redistribute its source code. Some licenses (copyleft licenses such as the GPL family) go further and require that the source of any derived work be made available on the same terms when it is distributed.

Depending on the license, firms that include open source libraries in commercial applications take on obligations, ranging from preserving attribution notices to releasing their own source under a copyleft license, and may be liable if those obligations are not met.

Financials are increasingly cognizant of their open source liabilities. Based on discussions with our community, QA Vector® Research finds that up to 30% are formally investigating their exposure to these risks.

“Over the last two decades, open source has become encumbered by IP litigation,” says the Senior Vice President for Vendor Risk Management at a National US Bank. “Identifying the provenance of a particular line of code is complex, and vendors are often unwilling to warrant against liability.”

So, open source is not necessarily free, but firms can take meaningful steps to manage these risks.

Software leaders at financial firms should first engage with product owners about the risk of undetected open source liability. Conducting this reality check – regardless of whether a product is homegrown or developed through outsourced engagements – should lead to increased awareness and funding allocation.

Second, deploying a suitable code analysis tool (software composition analysis, which inventories the third-party libraries in a build together with their declared licenses) may well improve the identification of modules and libraries at risk. Objective assessments like these enable software leaders to select and prioritise remedial actions.

Our QA Vector® 500 provides a single source of truth on the code analysis vendors serving financial firms.

Finally, implementing a DevSecOps approach to software delivery is one option for firms to build compliance into the release pipeline and manage open source liability: a license check that runs on every build, and fails the build when a dependency falls outside policy, catches the problem before the software ships rather than after.

“Developers rely heavily on open source libraries,” asserts the Head of DevOps at a Global UK Bank. “A DevSecOps approach enables us to manage this risk.”
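To make the three steps concrete, the following is an added example of the kind of license gate a pipeline could run; it is not code from the article, nor from any vendor in the QA Vector® 500. It reads a CycloneDX-style software bill of materials (the SBOM here is constructed for illustration), classifies each component's declared license against a hypothetical three-tier policy (allowed, needs legal review, denied), and returns a verdict the build can act on. The policy tiers, the package names and the simple SPDX-expression handling are all assumptions; a real policy comes from legal counsel, and real SBOMs come from an SCA tool.

```python
"""License-policy gate over a CycloneDX-style SBOM.

Added example for illustration: a hypothetical policy applied to a
constructed SBOM, not code from the original article or any named tool.
"""
import json
import re

# Hypothetical policy tiers for an in-house commercial application.
# Which license lands in which tier is a legal decision, not a technical one.
ALLOWED = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"}
REVIEW = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"}
DENIED = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"}
RANK = {"allowed": 0, "review": 1, "denied": 2}   # higher is worse

# Constructed sample SBOM in the CycloneDX 1.4 JSON shape. Package names and
# versions are made up for the example.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "dualpkg", "version": "1.0.0", "purl": "pkg:pypi/dualpkg@1.0.0",
     "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
    {"name": "ghostscript-wrapper", "version": "0.3.1",
     "purl": "pkg:pypi/ghostscript-wrapper@0.3.1",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"name": "libfoo", "version": "4.2.0", "purl": "pkg:pypi/libfoo@4.2.0",
     "licenses": [{"expression": "Apache-2.0 AND LGPL-2.1-only"}]},
    {"name": "mystery", "version": "0.0.1", "purl": "pkg:pypi/mystery@0.0.1"}
  ]
}
""")


def classify_id(spdx_id):
    """Map a single SPDX identifier to a policy tier; unknown ids need a human."""
    spdx_id = spdx_id.strip()
    if spdx_id in DENIED:
        return "denied"
    if spdx_id in ALLOWED:
        return "allowed"
    return "review"   # REVIEW tier and anything unrecognised


def classify_expression(expr):
    """Evaluate a flat SPDX expression (no parentheses).

    OR  : the consumer may pick the most permissive branch  -> best tier.
    AND : every obligation applies at once                   -> worst tier.
    WITH (license exceptions) or mixed AND/OR without parentheses is sent
    to review rather than guessed.
    """
    expr = expr.strip()
    has_or = re.search(r"\sOR\s", expr, re.I) is not None
    has_and = re.search(r"\sAND\s", expr, re.I) is not None
    if re.search(r"\sWITH\s", expr, re.I) or (has_or and has_and):
        return "review"
    if has_or:
        parts = re.split(r"\sOR\s", expr, flags=re.I)
        return min((classify_id(p) for p in parts), key=RANK.get)
    if has_and:
        parts = re.split(r"\sAND\s", expr, flags=re.I)
        return max((classify_id(p) for p in parts), key=RANK.get)
    return classify_id(expr)


def component_licenses(component):
    """Collect declared license ids/expressions from a CycloneDX component."""
    found = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            found.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            found.append(lic.get("id") or lic.get("name") or "")
    return [f for f in found if f]


def evaluate_component(component):
    """Return (tier, detail). A component with no declared license is not
    'free to use'; it is an unknown that someone has to investigate."""
    licenses = component_licenses(component)
    if not licenses:
        return "review", "no license declared"
    # Assumption: several entries in one licenses array all apply (AND).
    verdicts = [classify_expression(e) for e in licenses]
    return max(verdicts, key=RANK.get), "; ".join(licenses)


def evaluate_sbom(sbom):
    """Bucket every component by tier, keyed by purl (or name if no purl)."""
    report = {"allowed": [], "review": [], "denied": []}
    for comp in sbom.get("components", []):
        tier, detail = evaluate_component(comp)
        report[tier].append((comp.get("purl") or comp["name"], detail))
    return report


def gate_passes(report):
    """Release gate: any denied license fails the build. Review items are
    printed for follow-up but do not block, which is a policy choice."""
    return not report["denied"]


if __name__ == "__main__":
    result = evaluate_sbom(SAMPLE_SBOM)
    for tier in ("denied", "review", "allowed"):
        for purl, detail in result[tier]:
            print(f"{tier:8s} {purl}  [{detail}]")
    raise SystemExit(0 if gate_passes(result) else 1)
```

Run against the constructed SBOM, the gate fails on the AGPL component, waves through the dual-licensed package (the firm can choose the MIT branch) and flags two items for review: a library combining Apache-2.0 with an LGPL obligation, and one with no license declared at all. That last case is the one worth noticing; an SCA tool that silently treats "no license found" as "no problem" hides exactly the liability the article is about.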

A sober risk assessment will enable financials to count the true cost of open source and make more informed decisions about how to bring better quality software to market, faster.