The Israeli Privacy Protection Authority (“PPA”) has issued guidelines for managing cybersecurity risks arising from open-source software (“OSS”), emphasizing compliance with the Protection of Privacy Law and the Protection of Privacy Regulations (Data Security). The guidelines explain that using OSS can carry risks, including privacy risks, especially when the code is not properly maintained. OSS may contain security vulnerabilities that remain unpatched and have no compensating controls, leaving them open to exploitation, which in turn can damage systems and expose sensitive personal or commercial information.
The key recommendations of the guidelines include:
- Avoiding the use of unsupported OSS libraries.
- Adopting a “privacy by design” approach that begins at the specification, design, and development stages of a system and includes continuous monitoring and updating of the OSS in use.
- Before deploying OSS, documenting the repository from which it is obtained, identifying the main risks of using it, outlining strategies for managing those risks, initiating the necessary training programs, and clearly defining the roles of those responsible for information security.
- Ensuring that proprietary or commercial software, too, does not contain any known exploitable vulnerabilities.
The PPA’s guidelines for managing cybersecurity risks associated with OSS are available in Hebrew.