Security considerations when using open source software (ITSAP.10.059) – Canadian Centre for Cyber Security

Summary

This guidance from the Canadian Centre for Cyber Security explains the security risks linked to using open-source software (OSS) and offers practical steps organisations can take to mitigate those risks. It defines open source, outlines common threat vectors (such as excessive access, lack of verification and lack of support), and describes the OSS development lifecycle. The guidance emphasises supply chain security, maintaining a software bill of materials (SBOM), secure deployment, licensing checks and continuous testing and monitoring.

Key Points

  • Open source means publicly available and modifiable code; this openness can be both beneficial and risky for organisations.
  • Main OSS risks: excessive access (easy manipulation by threat actors), lack of verification (limited formal testing) and lack of dedicated support or timely patches.
  • OSS development follows a public, iterative lifecycle; security isn’t always built in, especially for smaller volunteer projects.
  • Improve OSS security by favouring secure-by-design practices and memory-safe languages where possible (for example Rust or Python over unsafe languages for certain components).
  • Maintain a software bill of materials (SBOM) and continuously track OSS in your environment to align vulnerability disclosures with patch management.
  • Include supply chain risk assessment in your OSS strategy and verify licensing to avoid legal and jurisdictional issues.
  • Treat OSS like commercial software: test before install, vet updates, harden deployments and ensure ongoing monitoring and incident response procedures.
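As an added illustration of the SBOM point above (example code written for this summary, not part of the Cyber Centre guidance), the following Python script matches a constructed CycloneDX-style SBOM against constructed, simplified OSV-style advisories and lists the components that need patching. All package names, versions and advisory IDs are placeholders; a real deployment would read the SBOM from the build pipeline and the advisories from a vulnerability feed.

```python
import json

# Constructed sample SBOM in the CycloneDX JSON layout (trimmed to the fields used here).
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "libexample", "version": "2.4.1", "purl": "pkg:pypi/libexample@2.4.1"},
    {"type": "library", "name": "parsekit", "version": "1.0.9", "purl": "pkg:pypi/parsekit@1.0.9"},
    {"type": "library", "name": "netio", "version": "3.2.0", "purl": "pkg:pypi/netio@3.2.0"}
  ]
}"""

# Constructed advisories with OSV-like "introduced"/"fixed" ranges; the IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "libexample", "ecosystem": "pypi",
     "introduced": "2.0.0", "fixed": "2.4.3"},
    {"id": "EXAMPLE-2024-0002", "package": "parsekit", "ecosystem": "pypi",
     "introduced": "1.1.0", "fixed": "1.1.4"},
    {"id": "EXAMPLE-2024-0003", "package": "netio", "ecosystem": "npm",
     "introduced": "0", "fixed": "3.3.0"},
]

def parse_version(v: str) -> tuple:
    """Turn '2.4.1' into (2, 4, 1); non-numeric parts count as 0 so comparison stays total."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_affected(version: str, introduced: str, fixed) -> bool:
    """OSV range semantics: affected if introduced <= version < fixed (no fix yet => still open)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)

def ecosystem_of(purl: str) -> str:
    """'pkg:pypi/libexample@2.4.1' -> 'pypi'; a component without a purl matches nothing."""
    return purl[len("pkg:"):].split("/", 1)[0] if purl.startswith("pkg:") else ""

def affected_components(sbom_json: str, advisories: list) -> list:
    """Return (name, version, advisory id, fixed version) for every SBOM component an advisory hits."""
    hits = []
    for c in json.loads(sbom_json).get("components", []):
        eco = ecosystem_of(c.get("purl", ""))
        for adv in advisories:
            # Ecosystem must match too: a same-named npm package is not the pypi one in the SBOM.
            if adv["package"] == c["name"] and adv["ecosystem"] == eco \
               and is_affected(c["version"], adv["introduced"], adv.get("fixed")):
                hits.append((c["name"], c["version"], adv["id"], adv.get("fixed")))
    return hits
```

With the constructed data only libexample 2.4.1 is reported (parsekit is below the introduced version and the netio advisory is for a different ecosystem), which is the kind of list that feeds a patch-management queue.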

Context and relevance

OSS is deeply embedded in modern IT — from browsers to cryptographic libraries — so the security posture of OSS affects organisations across sectors. This guidance is relevant to IT, security and procurement teams responsible for evaluating, deploying and maintaining software. It aligns with broader trends emphasising supply chain security, SBOM adoption and secure-by-design development practices.

Author style

Punchy: This is practical, no-nonsense guidance from a national cyber authority. If your organisation uses or considers OSS, the details here are directly applicable and worth actioning.

Why should I read this?

Short version: if your team runs or buys software, this doc saves you from nasty surprises. It flags the real pain points (unpatched libraries, licence traps, volunteer projects that vanish) and gives the must-do steps — SBOMs, testing, supply-chain checks — so you don’t end up firefighting a breach.

Source

Source: https://cyber.gc.ca/en/guidance/security-considerations-when-using-open-source-software-itsap10059
