Open Source Lessons for IoT Companies

• Only 37 percent said their companies had open source acquisition or usage policies in place. 43 percent said they didn't. And 19 percent didn't know.
• 39 percent of respondents said that either no one within their company is responsible for open source compliance - or they do not know who is

This data illustrates an operational gap for IoT companies—there is no infrastructure is in place to know the scope of OSS use, monitor for risks, and close any potential breaches.

Lack of Structure Caused Equifax Issues

The OSS community announced the suspected vulnerability on March 7, 2017 along with a patch. But the patch was not applied immediately and the hack was not uncovered until July. The result-143 million consumers exposed, lawsuits and a significant negative impact on reputation.

Software Controls at All Levels of Development Lifecycle

IoT companies need to require software controls. The process begins by implementing protection mechanisms at all stages of the software development cycle, and a realization that decisions made during coding have a bigger organizational impact.

• Requirements and user interface definition phase: identify which features require OSS or third-party use.
• Coding phase: create a process with checks and balances on risks and compliance before adding OSS or third-party code.
• Patch management phase: carefully audit any OSS or third-party code that offers a quick fix for an issue.

Analyze the Software Component of Your Products

Historically, hardware has been the focal point for IoT companies. As more and more software runs behind the scenes, it's time to analyze what's there, what is the source and what is needed to manage it. An OSS audit is a great place to start.

Create Training on OSS Use and Management

OSS use is often behind the scenes. Key stakeholders and development teams need education on possible risks and the importance of a disciplined process for using OSS. The organization should be aligned and committed to a formal OSS methodology.

Develop a Review Board

Engineering, legal, IT and management stakeholders join forces to create a powerful compliance team, often called an Open Source Review Board (OSRB).

Define a Formal OSS Security Strategy and Process

To truly gain the impact needed, document the procedures that everyone will follow, including:

• Review the code you are using. Check what's being used at multiple stages and different code levels.
• Ask your outsourced partners to follow the audit process and document compliance
• Define detailed audit trails to make it easy to find vulnerabilities and fix them
• Create a third party bill of materials for customers and partners. Expect the same from your software vendors.

Explore Software Composition Analysis (SCA) Technology

Don't Be Next-Plan, Scan and Protect

With proactive planning, IoT companies can learn from what occurred with Equifax and Heartbleed, and experience the wins of OSS with minimal risk. Secure and protect your IP and with Software Composition Analysis.