The FFIEC (Federal Financial Institutions Examination Council) has released the “Risk Management for the Use of Free and Open Source Software” guidance. This interagency guidance reviews the risks and controls associated with the use of free and open source software (FOSS).
Fundamentally, the risks associated with open source software are similar to those presented by proprietary or self-developed software.
However, distinctive risk management practices connected with the use of open source software do exist, and financial institutions must be aware of and follow these guidelines.
The guidance addresses the strategic, operational and legal challenges that financial institutions face when using open source software. ISVs wishing to sell software to financial institutions are required to provide solutions that are aligned with said guidance.
Here are some of the key elements ISVs should consider when selling software to financial organizations:
The very same criteria should be used by the ISV to decide whether to use open source software components.
Specifically, the ISV should check whether a component it is considering is stale and whether it has known security vulnerabilities. It must also continuously monitor published CVEs to learn of security risks as soon as they are discovered, apply a fix when one is available, and notify customers of potential ramifications.
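One way to make the staleness and known-vulnerability checks described above repeatable, as an added example that is not part of the original article or of the FFIEC guidance: the component inventory, advisory ids, version ranges and the two-year staleness threshold are all constructed placeholders.

```python
from datetime import date

# Constructed sample data: a hypothetical ISV component inventory and a
# hypothetical advisory feed. Names, versions and advisory ids are placeholders,
# not real projects or CVEs.
INVENTORY = [
    {"name": "examplelib", "version": "1.2.3", "last_release": date(2019, 3, 1)},
    {"name": "netparser",  "version": "4.0.1", "last_release": date(2024, 5, 10)},
    {"name": "cryptowrap", "version": "2.9.0", "last_release": date(2024, 1, 15)},
]
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "component": "examplelib", "affected": "<1.3.0", "fixed": "1.3.0"},
    {"id": "ADV-PLACEHOLDER-2", "component": "netparser",  "affected": ">=4.0.0,<4.0.2", "fixed": "4.0.2"},
    {"id": "ADV-PLACEHOLDER-3", "component": "cryptowrap", "affected": "<2.5.0", "fixed": "2.5.0"},
]
TODAY = date(2024, 6, 1)  # constructed review date
STALE_DAYS = 730          # assumed threshold: no release in two years counts as stale

def parse_version(v):
    """Turn a dotted version string into a tuple of ints so versions order correctly."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version, spec):
    """Check a version against a comma-separated constraint list such as '>=4.0.0,<4.0.2'."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
    have = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        op = clause[:2] if clause[:2] in ("<=", ">=") else clause[0]
        if not ops[op](have, parse_version(clause[len(op):])):
            return False  # every clause must hold for the version to be affected
    return True

def assess(inventory, advisories, today=TODAY, stale_days=STALE_DAYS):
    """Return {component: [findings]} for components that are stale or match an advisory."""
    findings = {}
    for comp in inventory:
        notes = []
        age = (today - comp["last_release"]).days
        if age > stale_days:
            notes.append(f"stale: no release in {age} days")
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv["affected"]):
                notes.append(f"{adv['id']}: affected, fixed in {adv['fixed']}")
        if notes:
            findings[comp["name"]] = notes
    return findings

if __name__ == "__main__":
    for name, notes in assess(INVENTORY, ADVISORIES).items():
        print(name, notes)
```

In practice the inventory would come from the build's dependency manifest and the advisory feed from a published CVE source, re-run on every release and on every feed update so the customer notification step can follow promptly.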
As the guidance rightly explains, FOSS acquisition and use can be governed by any of more than fifty different licenses, with significant differences in the rights and restrictions each license contains.
A list of some of the most common FOSS licenses can be found at the Open Source Initiative’s Web site (www.opensource.org).
Since financial institutions need to know, understand, manage and review the licenses of the open source components they use, they naturally demand that ISVs wishing to sell to them do the same.
ISVs need to make sure that these efforts are part of their software delivery management routine: