Here is an example from the FFIEC Cybersecurity Assessment Tool:
The more OSS you have, the lower your score will be.
I'm not defending or even sure this is what they are talking about, but they may be looking at the risk of the licensing. It can be tough to keep track of all of the licensing of open source tools and making sure you comply with them.
But, honestly, not nearly as hard as the risks of anything else. And "can be" should never be a legitimate factor. Once we go down that path, we could list unrealistic risks forever.
Right, like I said I'm not defending them. Just trying to look at it from all angles.
What people never consider is that closed source licensing COULD still require in the EULA that you comply with GPL for your own code simply by using the closed source product. Closed source EULAs can pretty much carry any risk imaginable. They don't, but they could.
Yeah, definitely true. I don't like closed source at all. I mean, if I need the tool I'll buy it, but I'd rather use an open source tool.
I've seen a lot of people who think they can just do whatever since it's open source and it doesn't matter. AGPL is pretty strict and there are a lot of popular tools written under that license.
In most cases, it's people thinking that they can just use the code without following the license. Technically, a far bigger risk with closed source under the same conditions.
In general, yeah, but the GPL police are fierce. I work with a guy whose old company was going to be sued for not including the simple configs they wrote along with the distribution.
Yeah, although now we are talking product firms, not operations. The effect on operations is generally minimal.
Yeah, true, but that's similar with proprietary software also; most people don't get caught. You still have to comply, though. It can be a lot of work to ensure you're in compliance, like when software changes licenses between versions.