FFIEC Guidance: the effortless path to controlling risks when using open source components


The FFIEC (Federal Financial Institutions Examination Council) has released the “Risk Management for the Use of Free and Open Source Software” guidance. This interagency guidance reviews the risks and controls associated with the use of free and open source software (FOSS).

Fundamentally, the risks associated with open source software are similar to those presented by proprietary or self-developed software. 

However, distinctive risk management practices connected with the use of open source software do exist, and financial institutions must be aware of and follow these guidelines.

The guidance addresses the strategic, operational and legal challenges that financial institutions face when using open source software. ISVs wishing to sell software to financial institutions are required to provide solutions that are aligned with said guidance.

Here are some of the key elements ISVs should consider when selling software to financial organizations:

  1. The guidance acknowledges the fact that FOSS development is fundamentally different from other software development, and suggests that the financial institution considers the following factors:
  • How long has the software been supported or in use?
  • How is the development community organized and how well does it function?
  • How active is the development community?
  • How much published material is devoted to the software?
  • How many commercial vendors support the software?
  • What is the security track record of the software?

The very same criteria should be used by the ISV to decide whether to use an open source software component.

Specifically, the ISV should check whether a component it is considering is stale and whether it has known security vulnerabilities. It must also continuously monitor published CVEs so that it learns of security risks as soon as they are disclosed, apply a fix when one is available, and notify customers of the potential ramifications.

  2. The guidance discusses the legal implications of using open source software.

As it rightly explains, FOSS acquisition and use can be governed by any of more than fifty different licenses that have significant differences in the rights and restrictions contained in the license.

A list of some of the most common FOSS licenses can be found at the Open Source Initiative’s Web site (www.opensource.org).

Since the financial institutions need to know, understand, manage and review the licenses for the open source components in their use, they of course demand that ISVs wishing to sell to them do the same.

ISVs need to make sure that these efforts are part of their software delivery management routine:

  1. They need to always know what open source components are in their software; these are usually documented and indemnified against in the purchase contract.
  2. They need to know of, understand and manage the licensing and compliance demands of the components in use.
  3. They need to make sure software vulnerabilities are known and patched, and that the components in use are not stale.
  4. They need to be able to create and deliver a detailed and updated open source report to their customers, at all times.
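As an added example (not from the FFIEC guidance or from any vendor's tool), a small Python script that runs the four checks above over a constructed component inventory and a constructed advisory feed: the component names, versions, release dates and licenses, the approved-license list and the two-year staleness threshold are all assumed, and the advisory identifiers are placeholders rather than real CVE numbers.

```python
from datetime import date

# Constructed sample inventory of the open source components an ISV ships (not real data).
# "last_release" is the date of the component's most recent upstream release.
INVENTORY = [
    {"name": "libalpha", "version": "1.4.2", "license": "MIT", "last_release": date(2023, 11, 2)},
    {"name": "betaparse", "version": "0.9.0", "license": "GPL-3.0", "last_release": date(2018, 3, 14)},
    {"name": "gammajson", "version": "2.1.0", "license": "Apache-2.0", "last_release": date(2024, 1, 20)},
]

# Constructed advisory feed. The identifiers are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "CVE-0000-PLACEHOLDER-1", "name": "gammajson", "affected_below": "2.2.0", "fixed_in": "2.2.0"},
    {"id": "CVE-0000-PLACEHOLDER-2", "name": "libalpha", "affected_below": "1.4.0", "fixed_in": "1.4.0"},
]

APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}  # assumed licensing policy
STALE_AFTER_DAYS = 730        # assumed threshold: no upstream release in two years
REPORT_DATE = date(2024, 6, 1)  # assumed date on which the report is produced


def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def assess_component(component, advisories, today):
    """Return the findings for one component: license, staleness and known advisories."""
    findings = []
    if component["license"] not in APPROVED_LICENSES:
        findings.append(f"license {component['license']} not on approved list")
    age = (today - component["last_release"]).days
    if age > STALE_AFTER_DAYS:
        findings.append(f"stale: no upstream release in {age} days")
    ver = parse_version(component["version"])
    for adv in advisories:
        if adv["name"] == component["name"] and ver < parse_version(adv["affected_below"]):
            findings.append(f"{adv['id']} affects this version; fixed in {adv['fixed_in']}")
    return findings


def build_report(inventory, advisories, today):
    """Produce the per-component open source report an ISV hands to its customers."""
    return {c["name"]: {"version": c["version"], "license": c["license"],
                        "findings": assess_component(c, advisories, today)} for c in inventory}


if __name__ == "__main__":
    for name, entry in build_report(INVENTORY, ADVISORIES, REPORT_DATE).items():
        status = "OK" if not entry["findings"] else "; ".join(entry["findings"])
        print(f"{name} {entry['version']} ({entry['license']}): {status}")
```

Re-running the script on every build, with the advisory feed refreshed, is what turns the one-off check into the continuous monitoring the guidance expects.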