Understanding risk is a complicated subject. In the world of information technology, the FAIR framework is widely accepted. However, some areas of operational risk are simple to understand and verbalize but genuinely difficult to measure. In this article we discuss an aspect of business risk that we term “Shadow Liability”: a measure of how much risk is placed on the shoulders of a business as a result of using 3rd party software.
Why is this an important topic to discuss? The answer lies in the magnitude of the problem and the speed at which it can snowball into a major issue.
How software gets built is a fundamental perspective we need to delve into. A good discussion of how software gets built can be found here; the changes in that process have turned this problem into a multi-headed hydra. Today, when we build a piece of software, we recognize clearly that our core competency and IP are limited to our area of expertise. Spending money, time and effort on the heavy lifting needed to build the supporting harness around our main idea is not a good use of corporate resources. Stringing together open source components and closed source commercial tools in your pipeline, to launch your business-oriented service faster and serve customers at higher velocity, is now the name of the game.
Let’s talk about where the risks lie in this model. The average SaaS product today has at least 200 open source components. Below we highlight where these hidden risks lie. It is important to understand that quantifying the risk due to each component is not straightforward, primarily because of a lack of visibility into those components. The image here lists the various undefined risk sources from a software supply chain perspective.

When it comes to the 3rd party ecosystem from which corporations borrow open source code, and the closed source commercial projects that are paid for their products, the image below captures the nuances of this ecosystem.

Enterprises can follow NIST’s guidance to protect against software supply chain attacks – https://www.riscosity.com/nist-guidance-defending-against-software-supply-chain-attacks/ – this is a good first step to understanding and quantifying shadow liability. Once you have visibility into the nuances of these types of risk, you can embark on controlling it.
For more information on how your organization can put these standards in place, please feel free to contact us at Riscosity, +1-888-RISCOSI, or book a free demo with us.