February 2, 2026
Prior posts have alluded to various business risks abstractly. What does business risk specifically mean relative to your software supply chain, cybersecurity, and open source software (OSS) dependencies?
There are many competitive forces which may come to bear on your business through OSS dependencies.
One way to approach an analysis of the threats to your business is through the framework found in Porter’s Five Forces. These abstract forces are nothing new:
New entrants may come to compete with you
Another product may substitute in the place of yours in the market
Customers may have the power to bargain in ways which erode your business
Suppliers may similarly bargain in ways which erode your business
Existing competitors may compete with you more aggressively
Porter's forces form a useful framework for assessing specific areas of potential concern.
Exploring Porter’s Five Forces relative to OSS and security impact on a business yields a large list of potential concerns:
New entrants: Is it possible for anybody else to build something like what you’ve built given they have access to the OSS basis you chose? Can an OSS entrant displace what you’ve built outright, replacing your commercial offering with a free one? Could a different OSS basis enable new entrants to more quickly take on market share?
Substitution threat: Can or will customers adopt a new entrant, whether commercial or OSS? Open APIs make substitution easier. But since a key benefit of OSS is often interoperability, measures taken to reduce the substitution threat may also undermine your product's basic operability in a complex market that demands interoperability. There are many examples of a company reducing open access to elements of its product through re-licensing, and this has repeatedly spurred the rapid growth of a market substitute. Selecting OSS licenses for your business' open projects carefully at the outset, relative to market expectations, is critical.
Customer bargaining power: Will customers demand an SBOM, and will competitors' SBOMs show they have a better OSS basis than you, by whatever definition of "better" those customers apply? Even without an SBOM, will customers perceive lower quality in your offering due to security or other quality failings, and so seek a better product elsewhere in the market or a lower price from you? Will customers make legal claims against you, with consequences for your ability to obtain or keep cybersecurity insurance?
Supplier bargaining power: OSS projects will correctly assert "I am not your vendor", yet you are treating them as a supplier. They can withdraw that supply at any time, by changing the license, ceasing maintenance, or abandoning the project, with no obligation to you.
Competitive rivalry: Can a competitor point to your product's OSS foundations and dependencies and show relative weakness, if they have an incentive to do so? Do they visibly outperform you in upstream OSS communities, in work sustaining OSS projects, and in earning goodwill among influential developer communities? Do they have higher levels of compliance with regulatory frameworks? Are their cybersecurity practices better, such that their insurance and other development expenses are lower, giving them a price advantage in the market?
Through all of this it becomes clear that what may naively be presumed to be simple software dependencies, of little consequence and acquired seemingly at zero cost, actually carry notable potential costs for an ongoing business. A dependency may be re-licensed under more restrictive terms. A project may be withdrawn entirely. A project may reach end of life or end of support. A project may accumulate too many defects for your usage, or fail to add a feature you need. For any of those reasons or others, you may need to replace an OSS component or invest in an OSS project. Surprises and unplanned expenses loom.
Appropriate planning relative to OSS dependencies is an important element of actively managing potential future business risks and costs.
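Some of those surprises can be made visible before they become emergencies. As an added illustration (not code from the original post), the script below compares two CycloneDX-style SBOMs for the same product and flags the concrete conditions the previous paragraph names: a dependency whose declared license has changed since the last release, a license outside the business' approved set, and a component whose tracked end-of-life date has passed. The two SBOMs, the approved-license list and the end-of-life table are constructed for this example; CycloneDX has no standard end-of-life field, so the table is assumed to be maintained internally (for instance by an OSPO).

```python
"""Flag OSS dependency risk signals by comparing two SBOM snapshots.

Added example, not from the original post. Inputs follow the CycloneDX JSON
component shape (name, version, licenses[].license.id) but every component,
version and license below is constructed for illustration.
"""
from datetime import date

# Constructed SBOM from the previous release of a hypothetical product.
PREVIOUS_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "widgetlib", "version": "1.4.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "fastdb", "version": "3.2.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "cachekit", "version": "2.0.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    ],
}

# Constructed SBOM from the current build: fastdb has been re-licensed upstream.
CURRENT_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "widgetlib", "version": "1.5.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "fastdb", "version": "4.0.0",
         "licenses": [{"license": {"id": "BUSL-1.1"}}]},
        {"type": "library", "name": "cachekit", "version": "2.1.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
    ],
}

# Assumed internal policy inputs. CycloneDX carries no end-of-life date, so the
# EOL table is something the business maintains itself.
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
END_OF_LIFE = {"widgetlib": date(2025, 6, 30)}
TODAY = date(2026, 2, 2)  # fixed so the example is reproducible


def component_licenses(sbom):
    """Map component name -> set of declared license ids (or names) in an SBOM."""
    result = {}
    for component in sbom.get("components", []):
        ids = set()
        for entry in component.get("licenses", []):
            lic = entry.get("license", {})
            if "id" in lic:
                ids.add(lic["id"])
            elif "name" in lic:
                ids.add(lic["name"])
        result[component["name"]] = ids
    return result


def assess(previous, current, approved, eol, today):
    """Return a list of (component, finding) pairs for the current SBOM."""
    findings = []
    prev = component_licenses(previous)
    cur = component_licenses(current)
    for name, licenses in cur.items():
        if not licenses:
            findings.append((name, "no license declared"))
        elif not licenses <= approved:
            findings.append((name, "license not on approved list: "
                             f"{sorted(licenses - approved)}"))
        # A license change between releases is the re-licensing signal.
        if name in prev and prev[name] and prev[name] != licenses:
            findings.append((name, f"license changed from {sorted(prev[name])} "
                             f"to {sorted(licenses)}"))
        if name in eol and eol[name] <= today:
            findings.append((name, f"end of life since {eol[name].isoformat()}"))
    return findings


def run_example():
    """Assess the constructed SBOMs against the assumed policy."""
    return assess(PREVIOUS_SBOM, CURRENT_SBOM, APPROVED_LICENSES, END_OF_LIFE, TODAY)


if __name__ == "__main__":
    for component, finding in run_example():
        print(f"{component}: {finding}")
```

Run as a release gate, a script like this turns "a dependency may be re-licensed" from an abstract risk into a specific line item with a component name attached, which is what a planning conversation needs. The approved-license set and end-of-life table are the policy decisions; the script only makes drift against them visible.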
Much of this post is couched in negative terms: risks, threats, and forces acting against your business. From that narrow viewpoint alone, a traditional Open Source Program Office (OSPO) might have focused solely on mitigating the IP and license infringement risks in OSS.
On the flip side are the strategic planning and market assessments through which a modern OSPO brings increased velocity to your enterprise. Proactively managing supply chain security risks, making early and sound decisions around those risks, and selecting the best OSS foundations gives your business, and its products and services, a real advantage and accelerates them.
Need more strategic advising around OSS in your business? Reach out to start a conversation on how intentional use of OSS brings value in your business.