October 21, 2004
Risk Management of Free and Open Source Software
Purpose
This guidance is intended to raise awareness within the financial services industry of risks and risk management practices applicable to the use of free and open source software (FOSS). 1 For the purpose of this guidance, FOSS refers to software that users are allowed to run, study, modify, and redistribute without paying a licensing fee. Access to source code is a prerequisite to the use of FOSS. 2 A few of the most well-known examples of FOSS are the Linux operating system, the Apache web server, and the MySQL database. FOSS is also widely used for network monitoring, diagnosis, and vulnerability testing tools, such as the Snort network intrusion detection system, the Nessus vulnerability scanner and Nmap port scanner, and the Kismet wireless network detector.
The Federal Financial Institutions Examination Council (FFIEC) agencies 3 believe that the use of FOSS by financial institutions or their technology service providers (hereafter referred to as institutions) involves strategic business decisions. The implementation of those decisions should include prudent risk management practices.
Introduction
The use of FOSS is increasing in the mainstream information technology (IT) and financial services communities. The agencies believe that the use of FOSS does not pose risks that are fundamentally different from the risks presented by the use of proprietary or self-developed software. However, the acquisition and use of FOSS necessitates implementation of unique risk management practices.
Institutions should continue to refer to the risks and risk mitigation strategies outlined in the FFIEC IT Examination Handbook, “Development and Acquisition Booklet” (D&A Booklet). This guidance supplements the D&A Booklet by addressing strategic, operational, and legal risk considerations in acquiring and using FOSS.
Strategic Risks
Software requirements should be driven by the institution’s strategic business objectives. Institutions should evaluate the benefits of implementing software in terms of its effectiveness, efficiency, and ability to support future growth. Key risk management considerations include code customization, IT architecture, product maturity, forking, 4 systems integration and support, and total cost of ownership.
Operational Risks
Operational risks exist within any IT operating environment. Risks, controls, and prudent risk management practices are detailed in several of the FFIEC IT Examination Handbook booklets. Operational risk considerations associated with the use of FOSS that warrant attention include code integrity, sufficiency of documentation, contingency planning, and support.
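Footnotes 8 and 9 below name the two controls the guidance has in mind for code integrity: a PGP signature over the distribution and a published message digest. The following is an added example, not part of the FFIEC guidance or of any of the projects it names, showing the digest side in Python. It parses the manifest format that md5sum and sha256sum print (`<hex digest>  <file name>`, one entry per line), checks each downloaded file against it, and treats an MD5 match as weaker evidence than a SHA-256 match because MD5 collisions were demonstrated in 2004. All file names, contents and manifests are constructed for the demonstration; the PGP signature check is not shown because the Python standard library has no OpenPGP implementation.

```python
"""Verify downloaded FOSS artifacts against a published checksum manifest.

Added example for the code-integrity point in the guidance; it is not part of
the FFIEC document. The manifest format (`<hexdigest>  <filename>`, one entry
per line) is the one md5sum and sha256sum emit. All file names, contents and
manifests below are constructed for the demonstration.
"""
import hashlib
import hmac
import re

# Accepted digest algorithms, keyed by hex digest length. MD5 is accepted but
# flagged as weak: collisions were demonstrated in 2004, so an MD5 match shows
# the download was not corrupted in transit but is weak evidence against a
# deliberately substituted file.
ALGORITHMS = {32: ("md5", True), 64: ("sha256", False)}

# "<hex digest><whitespace>[*]<file name>"; the optional '*' marks binary mode.
MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")


def build_manifest(files, algo="sha256"):
    """Publisher side: the manifest text md5sum/sha256sum would print for files ({name: bytes})."""
    lines = [f"{hashlib.new(algo, data).hexdigest()}  {name}"
             for name, data in sorted(files.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Return {name: (algorithm, expected_hex_digest, weak)}; reject malformed lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = MANIFEST_LINE.match(line)
        if not match:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = match.group(1).lower(), match.group(2)
        if len(digest) not in ALGORITHMS:
            raise ValueError(f"unsupported digest length {len(digest)} for {name}")
        algo, weak = ALGORITHMS[len(digest)]
        entries[name] = (algo, digest, weak)
    return entries


def verify(downloaded, manifest_text):
    """Downloader side: compare each file ({name: bytes}) with the manifest.

    Returns {name: status} with status one of 'ok', 'ok-weak-hash',
    'mismatch', 'not-in-manifest' (file present, no published digest) or
    'missing' (digest published, file not present).
    """
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in downloaded.items():
        if name not in expected:
            results[name] = "not-in-manifest"
            continue
        algo, digest, weak = expected[name]
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison is a habit worth keeping even for local checks.
        if hmac.compare_digest(actual, digest):
            results[name] = "ok-weak-hash" if weak else "ok"
        else:
            results[name] = "mismatch"
    for name in expected:
        results.setdefault(name, "missing")
    return results


def demo(algo="sha256"):
    """One constructed release: two published files, one altered before it reached us, one extra file."""
    published = {
        "snort-src.tar.gz": b"constructed: snort source tarball bytes\n",
        "rules.tar.gz": b"constructed: detection rules\n",
    }
    manifest = build_manifest(published, algo)
    downloaded = dict(published)
    downloaded["rules.tar.gz"] = b"constructed: detection rules, altered in transit\n"
    downloaded["extra.tar.gz"] = b"constructed: not covered by the manifest\n"
    return verify(downloaded, manifest)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:16} {name}")
```

A manifest fetched from the same server as the files can be replaced together with them, so a digest match only proves that what arrived is what that server offered. The PGP signature (footnote 8) over the files, or over the manifest itself, is the control that ties the release to the project's signing key; check it before trusting the manifest.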
Legal Risks
Institutions should identify and consider the legal risks associated with the use of FOSS prior to deployment or development. Key legal risks include licensing, infringement, indemnification, and warranties. In most cases, prior to selecting a FOSS solution, institutions should consult with counsel knowledgeable in the areas of copyright and patent law.
Summary
The use of FOSS by financial institutions does not pose risks that are fundamentally different from those presented by the use of proprietary or self-developed software. However, FOSS adoption and usage necessitates some distinctive risk management practices with which institutions must be familiar. This guidance describes those unique risk management practices and should be used in conjunction with other published guidance, such as the FFIEC IT Examination Handbook, Development and Acquisition Booklet.
1 The use of the word “free” in this context does not necessarily mean that the software is available at no cost. For additional information about FOSS, refer to www.fsf.org and www.opensource.org.
2 In contrast, users of proprietary software are generally not permitted access to the source code or allowed to redistribute programs.
3 The FFIEC member agencies are the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.
4 A fork occurs when developers take a copy of an existing FOSS code base and continue it as a separate project, generally resulting in a new application that may compete with or replace the established FOSS.
5 Refer to the Legal Risk section for further discussion of these issues.
6 Interoperability is the ability of a system or a product to work with other systems or products.
7 Open standards exist to enable interoperability while at the same time ensuring certain minimum requirements are met across diverse hardware and software products and services. For example, the Open Source Development Labs (OSDL) provides computing and test facilities in the United States and Japan to developers around the world. The OSDL is also actively involved in the development and deployment of open source standards.
8 PGP refers to Pretty Good Privacy, which uses public key cryptography to encrypt files or messages for confidentiality and to sign them so that a recipient can verify who produced them and that they have not been altered. A PGP signature published with a FOSS distribution lets an institution check that the code it downloaded is the code the project released.
9 MD5 refers to Message Digest Algorithm 5, developed by Ron Rivest of RSA. MD5 is a one-way hash function that condenses input data of any length into a fixed 128-bit message digest; comparing the digest of a downloaded file with the digest the publisher posted verifies that the file was not altered or corrupted in transit. MD5 collisions were demonstrated in 2004, and a digest posted alongside the file on the same server can be replaced together with it, so a digest alone does not prove that the file is the one the publisher released; a PGP signature over the file or the digest list provides that assurance.
10 “Clean room” refers to a method of writing software so that the developers cannot be accused of reverse engineering or copying an existing product. Briefly, one team studies the behavior and specifications of the product to be replicated and writes a specification, and a second team that has had no exposure to the original develops the new product from that specification alone.