Open Source Risk Management
Governance & ComplianceDefinition
The practice of identifying, assessing, and mitigating security risks from open source software components, including vulnerability tracking, license compliance, maintainer trust evaluation, and end-of-life management.
Technical Details
Modern applications contain 70-90% open source components by code volume, making OSS risk management critical. Key activities include SCA (Software Composition Analysis) scanning, SBOM generation, CVE triage using CVSS and EPSS scores, license compatibility analysis (GPL, MIT, Apache), and tracking component health metrics (maintenance activity, contributor diversity, security disclosure processes).
Practical Usage
Security teams should integrate SCA tools (Dependabot, Snyk, OWASP Dependency-Check) into CI pipelines to automatically detect vulnerable dependencies. Governance teams should establish policies for acceptable license types, maximum vulnerability severity thresholds, and mandatory upgrade timelines for critical CVEs.
Examples
- Log4Shell (CVE-2021-44228) exposed organizations relying on Log4j, highlighting the need for comprehensive SBOM-based vulnerability detection.
- A procurement team requires vendors to submit SBOMs and attest that no components exceed CVSS 7.0 without documented mitigations.
- An SCA scan reveals a transitive dependency on an unmaintained library with multiple known CVEs, triggering an emergency patching process.