Open Debate on Open Source
What are the benefits of using free and open-source software (FOSS) rather than a proprietary software product? And what are the risks? These questions are examined by the Federal Deposit Insurance Corporation (FDIC) in a guidance letter to financial institutions.
The use of FOSS, such as the Linux operating system, “does not pose risks that are fundamentally different from the risks presented by the use of proprietary or self-developed software,” according to the letter. However, it requires organizations to implement some “unique risk management practices.”
A strategic risk that needs examination is compatibility and interoperability with other operating systems or applications. Proprietary products typically are certified with regard to these requirements; FOSS, however, may not be formally certified. Institutions, therefore, “should exercise due care to ensure it meets their needs for compatibility and interoperability.”
Joe Cooper, the CEO of Digital Defense, which offers vulnerability assessment services for financial services companies, says that compatibility and other risks associated with FOSS can be overcome by putting test environments in place to see how new software “is really going to interact with your production environment.” Unfortunately, Cooper says, this is done far too infrequently.
Another strategic risk to be considered is the total cost of ownership, according to the FDIC letter. Direct costs, such as licensing and maintenance fees, may be much lower or even absent for FOSS, the letter notes. Meanwhile, indirect costs—for example, the potential need for extensive staff training or for identifying and installing upgrades and patches—may be higher with FOSS than with proprietary software.
Cooper says that those costs for proprietary software and FOSS generally turn out to be about the same. A greater potential issue, he says, is that with open-source software, an IT worker may represent the entire knowledge base of the system. If that person leaves, it could take time and effort to get a new person up to speed. A lack of documentation is another “huge issue with open source software,” Cooper says, a point also made in the FDIC letter.
The final section of the letter addresses legal risks, including infringement. The “code sharing” that occurs when software code is modified by numerous parties “increases the possibility that proprietary code may be inserted in the FOSS at some point during the development process.” Mitigation strategies include using automated tools to track licenses and changes and developing contingency plans “that will allow the institution to continue operating even if infringing code is taken out of production.”
Though aimed at the financial services sector, the guidance letter can be valuable to a range of businesses, says Cooper, who explains that it addresses what he calls a lack of involvement by senior management in risk management. “You have to make sure you have adequate resources and controls in place in case something happens,” Cooper says. “You have to acknowledge them instead of just relegating them to the IT folks.”