Interview: Understanding the Open Source Security ISO 18974

Given the increasing prominence of Open Source in today’s digital world, how crucial is ISO 18974 in addressing security concerns in the Open Source ecosystem and in the software supply chain as a whole?

Marcel Scholze: ISO 18974 is of utmost importance. Over the years, we have seen various security incidents in the Open Source ecosystem, such as the Heartbleed bug in OpenSSL or the more recent attacks on SolarWinds or through Log4Shell. These events highlight vulnerabilities and underline the need for robust security processes. 

There is often a debate on Open Source vs. closed source in terms of security. What is your position on this?

Scholze: Open Source, in essence, is not less secure than closed source. However, its transparent nature means that while vulnerabilities can be discovered and fixed more quickly by the community, they’re also more visible to potential attackers. It is not about Open Source being less secure; it is about managing it professionally. And this is where ISO 18974 comes in – it provides a structured approach to optimise security practices around Open Source components.

It is also important to keep in mind that the absolute majority of closed source software contains Open Source components – which means that the security of Open Source Software also benefits closed source products.

Could you please briefly explain the most important contents to our readers who may not be familiar with the specifics of ISO 18974?

Scholze: Absolutely. ISO 18974 focuses on:

1. Program Foundation: It encompasses having a clear Open Source security policy, defining roles and responsibilities, ensuring properly managed contributions to the ecosystem, and setting out the program’s scope.
   
2. Tasks Defined and Supported: This entails facilitating external vulnerability inquiries and providing essential resources to the Open Source Security program.
3. Review and Approval: This aspect highlights the importance of a Software Bill Of Materials (SBOM) for Open Source components and ensuring each one goes through rigorous security checks.

Simply put, the standard establishes a firm foundation for secure Open Source management.

With the release of ISO 18974, how is PwC positioned to help organisations adopt and implement this new standard?

Scholze: At PwC, we have always been at the forefront of helping businesses deal with the complexities and benefits of Open Source.

From understanding its core principles to practical implementation and ongoing compliance, we provide end-to-end support. Our ultimate goal is to build trust in the Open Source supply chain, and ISO 18974 is a key tool in this journey.

Lastly, for organisations that are still on the fence, why would you emphasise the adoption of ISO 18974?

Scholze: There are several reasons to give priority to the adoption of ISO 18974:

First, regulators, both at national and international level, are focusing their attention on the issue of Open Source security (see e.g Digital Operational Resilience Act (DORA), Guidelines on Securing the IoT Supply Chain or the EU Cyber Resilience Act (CRA))­ and are calling for state-of-the-art OSS management to strengthen the resilience of IT systems. By implementing ISO 18974, companies are taking an important step towards meeting current regulatory requirements.

In addition, as the software supply chain becomes more complex and global business relationships more intricate, the importance of high-quality SBOMs (Software Bills of Materials) is increasing. These SBOMs play a critical role in effectively managing the security of Open Source components within the supply chain. ISO 18974 recognises and emphasises the need for professional creation of SBOMs.

After all, adopting ISO 18974 isn’t just about compliance, it’s also about protecting the integrity and reputation of your organisation. As the Open Source community and usage grows exponentially, it’s essential to be proactive. This standard provides a clear roadmap, and with the right partner like PwC, organisations can safely navigate the Open Source landscape and ensure that innovation and security go hand in hand.