Control requirements

Additional IBM Cloud for Financial Services specifications

The organization must establish the following restrictions on the use of open source software:

• All open source software must have an owner defined within the organization.
• The owner must certify that software was obtained from a trusted source and has gone though both static and dynamic vulnerability scans.
• All open source software must be identified in the configuration baseline of the application.
• Unapproved open source software must never be used.

NIST supplemental guidance

Open-source software refers to software that is available in source code form. Certain software rights normally reserved for copyright holders are routinely provided under software license agreements that permit individuals to study, change, and improve the software. From a security perspective, the major advantage of open-source software is that it provides organizations with the ability to examine the source code. In some cases, there is an online community associated with the software that inspects, tests, updates, and reports on issues found in software on an ongoing basis. However, remediating vulnerabilities in open-source software may be problematic. There may also be licensing issues associated with open-source software, including the constraints on derivative use of such software. Open-source software that is available only in binary form may increase the level of risk in using such software.