How to secure your open source supply chain

Commentary: Open source has never been more popular, which means it’s time to figure out how to effectively secure the open source you use. Two experts weigh in.

The world is made of software, and upwards of 99% of any software you use, open source or proprietary, includes open source components. Some of those components come with a vendor standing behind them, willing to indemnify you if something goes wrong. For other components, you might be able to buy a subscription through a company like Tidelift to ensure steady maintenance.

But then something like the Heartbleed bug rips a hole open in OpenSSL, and you're left wondering, "How could I have prevented this?" The short but hopeful answer is: you can't. Not really. Not completely. As Chef and System Initiative co-founder Adam Jacob stressed in a recent Open Source in Business interview, the real question is not how to preempt such disruptions but "how quickly can you react to the disruption in your supply chain?"