Li Xiang, director of ZTE cloud infrastructure open source and standards: open source risks and open source governance for enterprises

Now , The basic software used by most enterprises is based on open source software, but it is different from commercial software with suppliers providing one-stop services , Open source software usually comes from the open source community or major code hosting platforms , How to ensure the security and compliance of these software , It has become a problem that every enterprise using open source software must think about .

2022 year 7 month 21 Japan , Hosted by China open source software promotion alliance , Sadie media 、《 Software and integrated circuits 》 Co sponsored by the magazine ,CSDN Exclusive live “ The 17th open source China open source world summit ” On , Li Xiang, director of ZTE cloud infrastructure open source and standards, brought 《 Open source risks for enterprises 》 Keynote speech of .

The following is the transcript of Li Xiang's speech ：

Hello everyone , I'm Li Xiang from ZTE , It is a great honor to have the opportunity to share with you the risks and Countermeasures of open source for enterprises .

Indispensable open source

Open source has become the foundation of the software industry , On the operating system 、 programing language 、 Development and testing tool chain , There are many open source software has become the mainstream of the industry .

Open source has become a powerful driving force for the development of the current cutting-edge technology , In the current cutting-edge technology field, such as cloud computing 、 Artificial intelligence and so on , Many excellent open source software have become the most powerful carrier in the field of Technology .

Open source brings many advantages to enterprises , Enterprises can use open source to quickly develop and build technical solutions , cost reduction .

At present, Chinese enterprises are widely using open source software , According to statistics ,2020 In, the proportion of enterprises using open source technology in China has reached 88.2%. meanwhile , Open source software is also widely used in all walks of life , The proportion of open source code in the code base is also very high .

An overview of open source risks

There are always good and bad things , Open source software brings us many benefits at the same time , There are also many hidden risks .

Pose an integrity risk

Open source software identification is the cornerstone of enterprise product open source governance , If there is an omission , In particular, it is not clear which dependent software is used , You may miss the risk of vulnerabilities in unidentified software . therefore , We need some methods to ensure that we avoid the risk of integrity ：

• Introduce third-party open source software scanning tools （BlackDuck、FossCheck etc. ）;
• Develop processes and systems , Third party tools must be used to scan before product release , Make sure SBOM integrity ;
• Establish a sound enterprise life cycle management of open source software .

License risk —— Open source infectious

For closed source commercial projects based on open source software development , When using open source software with highly infectious open source licenses , Its own proprietary code may be forced to open source . This puts forward relevant requirements for enterprises ：

• Specify the list of open source licenses allowed （ Including infectious licenses ）;
• Develop internal specifications for the use of open source licenses , For every infectious open source license , Identify ways to avoid open source contagion , Know the work of internal R & D projects .

License risk —— License compatibility

For the projects that enterprises spontaneously open source and the parts that need open source in product projects , The incompatible licenses contained therein make the project unable to meet the requirements of all these contained licenses , Thus causing violations . This requires enterprises to do ：

• When the project needs to introduce and rely on new and other open source software , It is necessary to consider the issue of license compatibility , Ensure that the newly introduced open source software is compatible with the project's own license and the license of the included open source software ;
• With the help of third-party scanning tools , Clarify the component structure of your own open source projects , Analyze the compatibility of all open source software that make up this project , Avoid incompatibility problems .

Intellectual property risk —— patent

When using open source software , Open source software may contain patented technology , It will make the enterprise unintentionally infringe when reusing . From a corporate perspective , There are the following ways to avoid ：

• The project tries to complete the patent research before introducing and using open source software ;
• Try to introduce open source software using licenses with patent terms ;
• Join the R & D patent protection alliance , Such as OIN（Open Invention Network）, Get a free patent Cross License .

Intellectual property risk —— Copyright

Introduce open source software when writing code , However, the copyright terms in the open source license are not fully complied with , Risk of infringement . Regarding this , There are two ways to avoid risks ：

• Comply with open source license requirements , It is forbidden to delete the copyright information of the introduced open source software ;
• Open source software should be introduced in a complete form , It is forbidden to introduce in the form of fragments , And through third-party open source software scanning tools to check and manage .

Safety risk —— Security vulnerabilities

Security vulnerability is actually the biggest problem in the process of using open source software , It is also the most important issue for all enterprises . Software Bug Security vulnerabilities caused by such problems will affect product security . What is its solution ？

• Introduce third-party open source software scanning tools （BlackDuck、FossCheck etc. ）;
• Develop processes and systems , Before the product is released, all influential security vulnerabilities must be confirmed and cleared through tool scanning ;
• For open source software that has been used , Especially open source software that has been commercially deployed , Security vulnerabilities need to be effectively tracked , When there are loopholes , Release patches in time ;
• When selecting open source software , Open source software with strong ability to deal with security vulnerabilities should be preferred ;
• Have the ability to modify important open source software , When the open source community cannot provide patches in time to fill vulnerabilities , You can develop patches by yourself .

Safety risk —— Open source poisoning

Open source poisoning risks can be divided into two categories ：

• Non specific hazard objects ： Some people with ulterior motives bury viruses and Backdoors in open source code or open source products , In an unofficial warehouse ;
• Specific hazard objects ： Individual contributors to individual open source communities for some reason , Submitted a destructive code contribution , For specific countries 、 Specific area 、 Specific users 、 The effect of a specific scene is equivalent to the destructive result of the virus .

In this case , There are the following ways to avoid ：

• R & D projects only download code and artifacts from reliable open source libraries ;
• Strengthen the test , Especially with countries 、 Tests related to different scenarios such as regions ;
• Build product projects with stable versions ;
• Introduce grayscale publishing and other methods , Once a problem occurs, the impact is limited to the minimum .

Isolation risk —— Unable to use foreign open source scanning tools well

If it is used online , It may not be possible to immediately use foreign open source scanning tools ; If it is used offline ,License The contract cannot be renewed after expiration ,License Technical support cannot be obtained during the validity period . There are two solutions ：

• The internal open source governance system of the enterprise must be decoupled from the open source scanning tool , It can be replaced when necessary ;
• Use domestic open source scanning tools .

Isolation risk —— export control

Some enterprises may be subject to special export controls tailored , Unconditionally include open source software from some countries in the scope of governance . This possibility is relatively low , But it is not absolutely impossible . Once it appears , It will make most products containing open source software impossible to export .

For this risk , At present, there is no better solution , Only try to use domestic leading open source software .

Enterprise open source governance

There are many risks in open source , It requires enterprises to establish a set of open source governance systems and related personnel and resource security systems .

It can be divided into three areas ：

• In terms of system , We should establish a complete open source life cycle management system and risk management system ;
• Personnel , Experts in various fields need to work together to participate in open source governance ;
• Resource aspects , The basic configuration should be fully guaranteed , Such as establishing an open source warehouse 、 Purchase scanning tools, etc .

All in all , Open source governance of enterprises , In fact, the main purpose is to manage and control risks , This is one of the main purposes of our open source governance . Today I will share with you here , If you have any subsequent communication, you can contact me directly , Thank you. .

Click on 2022（ The seventeenth ） Open source China open source World Summit Forum -CSDN live broadcast , See more wonderful speeches ！