Article 6VY0H [$] The burden of knowledge: dealing with open-source risks

by jzb from LWN.net on (#6VY0H)

Organizations relying on open-source software have a wide range of tools, scorecards, and methodologies to try to assess security, legal, and other risks inherent in their so-called supply chain. However, Max Mehl argued recently in a short talk at FOSS Backstage in Berlin (and online) that all of this objective information and data is insufficient to truly understand and address risk. Worse, this information doesn't provide options to improve the situation and encourages a passive mindset. Mehl, who works as part of the CTO group at DB Systel, encouraged better risk assessment using qualitative data and direct participation in open source.
