Comprehensive guidance to manage security risks in a timely and professional manner

Interview: Understanding the Open Source Security ISO 18974

  • Interview
  • 4 minute read
  • 19 Dec 2023

In this interview, Marcel Scholze, Head of Open Source Software Services at PwC Germany, discusses the importance of the new Open Source Security ISO, ISO/IEC 18974:2023, especially in light of the recent security incidents in the Open Source ecosystem.

About Marcel Scholze: Marcel Scholze holds a degree in computer science and is a Director at PwC Germany, where he heads the Open Source Software Services division. He is a board member of Bitkom e. V.’s Open Source Working Group, is involved in the OpenChain project at The Linux Foundation, heads its Germany Work Group and is a speaker at international Open Source congresses. He and his team carry out Open Source consulting and auditing projects in all sectors and provide professional Open Source Compliance and Security Managed Services in public administration, SMEs and large companies.

Given the increasing prominence of Open Source in today’s digital world, how crucial is ISO 18974 in addressing security concerns in the Open Source ecosystem and in the software supply chain as a whole?

Marcel Scholze: ISO 18974 is of utmost importance. Over the years, we have seen various security incidents in the Open Source ecosystem, such as the Heartbleed bug in OpenSSL or the more recent attacks on SolarWinds or through Log4Shell. These events highlight vulnerabilities and underline the need for robust security processes.

ISO 18974 provides comprehensive guidance to tackle these challenges head-on and enables users to manage Open Source security risks in a timely and professional manner.

There is often a debate on Open Source vs. closed source in terms of security. What is your position on this?

Scholze: Open Source, in essence, is not less secure than closed source. However, its transparent nature means that while vulnerabilities can be discovered and fixed more quickly by the community, they’re also more visible to potential attackers. It is not about Open Source being less secure; it is about managing it professionally. And this is where ISO 18974 comes in – it provides a structured approach to optimise security practices around Open Source components.

It is also important to keep in mind that the absolute majority of closed source software contains Open Source components – which means that the security of Open Source Software also benefits closed source products.

Could you please briefly explain the most important contents to our readers who may not be familiar with the specifics of ISO 18974?

Scholze: Absolutely. ISO 18974 focuses on:

  1. Program Foundation: It encompasses having a clear Open Source security policy, defining roles and responsibilities, ensuring properly managed contributions to the ecosystem, and setting out the program’s scope.
  2. Tasks Defined and Supported: This entails facilitating external vulnerability inquiries and providing essential resources to the Open Source Security program.
  3. Review and Approval: This aspect highlights the importance of a Software Bill Of Materials (SBOM) for Open Source components and ensuring each one goes through rigorous security checks.

Simply put, the standard establishes a firm foundation for secure Open Source management.

With the release of ISO 18974, how is PwC positioned to help organisations adopt and implement this new standard?

Scholze: At PwC, we have always been at the forefront of helping businesses deal with the complexities and benefits of Open Source.

With our extensive experience and cross-functional expertise in the field of Open Source management and the already existing ISO 5230, we are ideally placed to help organisations adopt ISO 18974.

From understanding its core principles to practical implementation and ongoing compliance, we provide end-to-end support. Our ultimate goal is to build trust in the Open Source supply chain, and ISO 18974 is a key tool in this journey.

Lastly, for organisations that are still on the fence, why would you emphasise the adoption of ISO 18974?

Scholze: There are several reasons to give priority to the adoption of ISO 18974:

First, regulators, at both national and international levels, are focusing their attention on the issue of Open Source security (see e.g. the Digital Operational Resilience Act (DORA), the Guidelines on Securing the IoT Supply Chain or the EU Cyber Resilience Act (CRA)) and are calling for state-of-the-art OSS management to strengthen the resilience of IT systems. By implementing ISO 18974, companies are taking an important step towards meeting current regulatory requirements.

In addition, as the software supply chain becomes more complex and global business relationships more intricate, the importance of high-quality SBOMs (Software Bills of Materials) is increasing. These SBOMs play a critical role in effectively managing the security of Open Source components within the supply chain. ISO 18974 recognises and emphasises the need for professional creation of SBOMs.

After all, adopting ISO 18974 isn’t just about compliance, it’s also about protecting the integrity and reputation of your organisation. As the Open Source community and usage grows exponentially, it’s essential to be proactive. This standard provides a clear roadmap, and with the right partner like PwC, organisations can safely navigate the Open Source landscape and ensure that innovation and security go hand in hand.

“OpenChain is proud to continue our work in building trust in the supply chain with ISO/IEC 18974, a sister standard for operating quality open source security assurance programs. ISO/IEC 18974 represents a simple, cross-industry solution for organizations of all sizes in the supply chain. The provision of commercial services and third-party certification represents a key component in ensuring a realistic, targeted market solution. PwC is a key partner in this regard and has been deeply involved in helping the open source supply chain increase efficiency in providing innovative solutions to market.”

Statement from Shane Coughlan, General Manager of the OpenChain Project (The Linux Foundation), which initiated ISO 18974