25.4 Managing Commercial Software with Open Source Components¶
The commercial software you purchase is rarely 100% proprietary. Studies consistently show that commercial applications contain significant open source components—often 70-90% of the codebase [see Synopsys Black Duck OSSRA 2025 and Sonatype State of the Software Supply Chain 2024]. When Log4Shell emerged in December 2021, organizations discovered Log4j not just in applications they built, but embedded in commercial products from hundreds of vendors. Your vendor risk management must account for the open source supply chain hidden inside commercial products.
This creates a challenging dynamic: you're responsible for the security of your environment, but you don't control the code in commercial products. Vulnerability scanning may detect issues in vendor software that you cannot directly remediate. Effective management requires understanding what's inside vendor products, coordinating with vendors on vulnerability response, and planning for scenarios where vendor support is inadequate.
This section addresses the specific challenges of managing supply chain risk in commercial software that contains open source components.
Understanding Vendor Open Source Usage¶
Before you can manage risk in vendor open source, you need visibility into what exists.
Vendor open source discovery approaches:
| Approach | What It Reveals | Limitations |
|---|---|---|
| Request SBOM | Comprehensive dependency list | Vendor must provide; quality varies |
| Network scanning | Components with network signatures | Limited to detectable components |
| Binary analysis | Components in executables | Requires specialized tools; may miss some |
| Documentation review | Disclosed dependencies, licenses | Often incomplete |
| Vendor questionnaire | Self-reported information | Accuracy depends on vendor |
| CVE monitoring | Vulnerabilities vendor acknowledges | Reactive; only known issues |
Binary analysis tools:
When vendors won't provide SBOMs, binary analysis can extract component information:
| Tool | Capability |
|---|---|
| OWASP Dependency-Check | Identifies components in various package formats |
| Tern | Container image analysis |
| Binary Analysis Platform | Deep binary analysis |
| Commercial SCA tools | Many support binary scanning (Black Duck, Snyk, etc.) |
Binary analysis has limitations—it may not detect all components, versions may be approximate, and it cannot see inside encrypted or heavily obfuscated binaries.
Creating inventory of vendor open source:
# Commercial Software Open Source Inventory
### Product: [Vendor Product Name]
- Vendor: [Vendor name]
- Version deployed: [Version]
- Last SBOM received: [Date]
- SBOM format: [CycloneDX/SPDX/Proprietary/None]
### Known Open Source Components:
| Component | Version | License | Notes |
|-----------|---------|---------|-------|
| Log4j | 2.17.1 | Apache-2.0 | Updated after Log4Shell |
| OpenSSL | 3.0.x | Apache-2.0 | LTS until 2026 |
| ... | ... | ... | ... |
### Discovery Method:
- [ ] Vendor-provided SBOM
- [ ] Binary analysis
- [ ] Vendor documentation
- [ ] Vulnerability disclosures
- [ ] Unknown/incomplete
### Risk Assessment:
- Critical components present: [Yes/No]
- Known vulnerabilities: [Count by severity]
- Last vulnerability review: [Date]
Requesting and Interpreting Vendor SBOMs¶
SBOMs from vendors enable proactive vulnerability management rather than waiting for vendor notifications.
SBOM request guidance:
When to request: - During procurement evaluation - At contract renewal - After major version upgrades - Following significant security incidents - Periodically (quarterly or annually) for critical systems
What to specify in requests:
Subject: SBOM Request for [Product Name]
We request a Software Bill of Materials (SBOM) for [Product Name]
version [X.Y.Z] currently deployed in our environment.
Requirements:
1. FORMAT: `CycloneDX` 1.7+ or `SPDX` 2.3+ in JSON format
2. CONTENT: All third-party and open source components, including:
- Direct dependencies
- Transitive dependencies
- Component versions
- License information
- Package identifiers (`PURL` where possible)
3. SCOPE: All components in the deployed product, including
embedded libraries, containers, and supporting services
4. ONGOING: Updated SBOMs with each release and security update
This information supports our vulnerability management and
compliance requirements. Please provide within [30 days] or
indicate any challenges with this request.
SBOM interpretation for commercial software:
Vendor SBOMs often differ from internally-generated SBOMs:
| Consideration | What to Expect |
|---|---|
| Completeness | May exclude some internal components; transitive depth varies |
| Accuracy | Version pinning may be imprecise; "approximately 2.x" |
| Format | May use proprietary formats; conversion may be needed |
| Updates | May not match release cadence; request specific triggers |
| Validation | Self-reported; consider verification through scanning |
Processing vendor SBOMs:
- Ingest into vulnerability management: Import into
Dependency-Track,GUAC, or similar platform - Correlate with vulnerability databases: Match components to CVE data
- Track over time: Compare SBOMs across versions to see changes
- Cross-reference with your SBOMs: Understand overlap with internal dependencies
- Alert on critical components: Flag when known-risky components appear
Vulnerability Management for Vendor Software¶
When vulnerabilities affect commercial software, you depend on vendor response—but can take steps to manage risk in the meantime.
Vendor vulnerability coordination:
Monitoring for vulnerabilities:
| Source | What to Monitor |
|---|---|
| Vendor advisories | Subscribe to vendor security notification lists |
| Your SBOM correlation | Automatic alerts when vendor component CVEs emerge |
| NVD/CVE databases | Filter by vendor or known products |
| Security news | Major vulnerabilities often reported broadly |
| Vulnerability intelligence | Commercial feeds for prioritized alerts |
When you discover a vulnerability before the vendor notifies you:
- Verify the vulnerability applies: Check if the affected component/version is in your vendor's product
- Assess exploitability: Is the vulnerable code reachable in the vendor's implementation?
- Contact the vendor: Report what you've found and ask about their response
- Document the timeline: Track when you notified vendor and their response
- Implement compensating controls: If vendor response is delayed
- Consider alternatives: If vendor is unresponsive to critical issues
Compensating controls while awaiting vendor patches:
| Control | When Applicable |
|---|---|
| Network segmentation | Limit exposure of vulnerable system |
| WAF/IPS rules | Block known exploitation patterns |
| Access restriction | Reduce who can interact with vulnerable system |
| Enhanced monitoring | Detect exploitation attempts |
| Disable features | If vulnerable feature can be turned off |
| Rollback | If previous version is not affected |
Escalation for unresponsive vendors:
| Timeline | Action |
|---|---|
| Initial contact | Report vulnerability, request timeline |
| +1 week | Follow up, escalate to account team |
| +2 weeks | Escalate to vendor management, document in risk register |
| +30 days | Engage legal if contractual SLAs violated |
| +90 days | Consider replacement, public disclosure options |
The Challenge of Appliances and Embedded Software¶
Appliances and embedded systems present unique supply chain challenges: limited visibility, difficult patching, and long lifecycles.
Appliance and embedded system challenges:
| Challenge | Implication |
|---|---|
| Opaque internals | Can't easily see what's inside |
| Vendor-controlled updates | Can't patch independently |
| Long release cycles | Vulnerabilities may persist for extended periods |
| Firmware updates risky | May require downtime, testing |
| No SBOM culture | Many appliance vendors don't provide SBOMs |
| Legacy components | May contain very old open source versions |
| Extended deployment | 10+ year lifecycles not uncommon |
Examples of affected categories:
- Network appliances (firewalls, load balancers, switches)
- Security appliances (SIEM, DLP, endpoint protection)
- Industrial control systems (SCADA, PLCs)
- Medical devices
- IoT devices
- Specialized hardware (storage arrays, backup appliances)
Managing appliance risk:
- Require SBOMs in procurement: Make it a purchasing criterion
- Inventory appliances explicitly: Don't let them disappear from asset management
- Subscribe to vendor security updates: Actively track vendor advisories
- Test updates in non-production: Firmware updates can cause issues
- Maintain patching cadence: Don't let appliances fall behind
- Network segment appropriately: Limit blast radius of compromised appliances
- Plan for replacement: Have exit strategy for critical appliances
Compensating for limited visibility:
When you cannot obtain SBOMs for appliances:
- Monitor network behavior for anomalies
- Apply strict network segmentation
- Monitor vendor security advisories diligently
- Consider third-party vulnerability intelligence specific to product
- Include in penetration testing scope
- Document risk acceptance
End-of-Life and Unsupported Software Considerations¶
All software eventually reaches end of life. Unsupported commercial software with open source components becomes a growing security liability.
EOL planning and migration:
Warning signs of impending EOL:
- Vendor announces end of support date
- Release frequency decreasing
- Vendor acquired or changing business model
- Newer version requires major migration
- Vendor stops responding to security issues
- Similar products being consolidated
EOL planning process:
- Track EOL dates: Maintain calendar of vendor EOL announcements
- Assess impact: What depends on this product? What replaces it?
- Plan migration: Create timeline for replacement before EOL
- Budget appropriately: Migrations require resources
- Communicate internally: Stakeholders need to plan
- Execute before EOL: Don't run unsupported in production
When migration isn't immediately possible:
Sometimes you're stuck with unsupported software:
| Scenario | Mitigation |
|---|---|
| No replacement available | Enhanced monitoring, isolation, compensating controls |
| Migration in progress | Accelerate timeline, document residual risk |
| Budget constraints | Document risk, escalate for resources |
| Technical dependencies | Plan dependency removal alongside migration |
| Regulatory requirements | Engage compliance; may not be acceptable |
Risk acceptance documentation:
When unsupported software must remain:
## Risk Acceptance: [System Name]
### System Information
- Product: [Vendor Product]
- Version: [Version]
- EOL Date: [Date]
- Planned migration date: [Date or N/A]
### Risk Assessment
- CVSS score of highest known unpatched vulnerability: [Score]
- New vulnerabilities expected: [Yes/No - if known components at risk]
- Data sensitivity: [Classification]
- Business criticality: [Critical/High/Medium/Low]
### Compensating Controls
- [ ] Network segmentation: [Details]
- [ ] Access restrictions: [Details]
- [ ] Enhanced monitoring: [Details]
- [ ] Regular vulnerability assessment: [Frequency]
- [ ] Incident response plan: [Link]
### Residual Risk
[Description of remaining risk after compensating controls]
### Approval
- Risk owner: [Name, Title]
- Approval date: [Date]
- Review date: [Date - should be frequent for unsupported software]
- Approver signature: _______________
### Conditions
This acceptance is valid only while compensating controls remain
in place. Any significant change requires re-evaluation.
Regular review of unsupported software:
| Review Element | Frequency |
|---|---|
| Vulnerability check | Monthly or continuous |
| Compensating control effectiveness | Quarterly |
| Migration plan status | Monthly |
| Risk acceptance renewal | Quarterly |
| Executive escalation if prolonged | At each renewal |
Recommendations¶
We recommend the following approach to managing commercial software with open source components:
-
Request SBOMs from all software vendors: Make SBOM provision a standard part of vendor relationships. The more visibility you have, the better you can manage risk.
-
Don't wait for vendor notifications: Use vendor SBOMs to proactively detect vulnerabilities through your own correlation. You may discover issues before vendors notify you.
-
Establish vendor vulnerability coordination processes: Know how to contact vendors about security issues, what response to expect, and how to escalate when needed.
-
Apply compensating controls for delayed patches: When vendor remediation takes time, implement network, access, and monitoring controls to reduce risk.
-
Pay special attention to appliances: Appliances and embedded systems often have the least visibility and longest patch cycles. Segment them, monitor them, and track vendor updates diligently.
-
Plan for EOL before it arrives: Unsupported software is a growing security liability. Track EOL dates and migrate before support ends.
-
Document risk acceptance formally: When unsupported or unpatched software must remain, document the decision, compensating controls, and regular review requirements with appropriate approval.
-
Build SBOM capability into contracts: Future procurement should include SBOM requirements (Section 25.2). Managing open source in commercial software becomes easier when vendors commit to transparency.
The open source components inside commercial software are part of your supply chain, even though you didn't choose them directly. Managing this risk requires partnership with vendors, visibility into their software composition, and contingency plans for when vendor response is inadequate.