UK NCSC evaluates best practices for open source software and supply chain risk management

Mar 13, 2025, Hi-network.com

The UK government, through the Department for Science, Innovation and Technology (DSIT), has commissioned research to evaluate best practices for managing risks associated with open-source software (OSS). The study assesses existing guidance on OSS security and resilience, examines its effectiveness across sectors, and provides recommendations for strengthening software supply chain security. This research is part of the government's wider work to improve the UK's cyber defences and to protect and grow the economy.

The report outlines key recommendations for organisations using OSS, including:

  • Establishing an internal OSS policy to manage the adoption of OSS components.
  • Creating a Software Bill of Materials (SBOM) to track OSS components and their dependencies.
  • Continuously monitoring the software supply chain with software composition analysis (SCA) tools to identify vulnerabilities and licensing issues.
  • Actively engaging with the OSS community to attract talent, foster innovation, enhance reputation, and ensure a sustainable ecosystem.
  • Using automation tools to streamline OSS management processes, particularly for smaller organisations, as a cost-effective alternative to manual practices.

The report also highlights the need for further research and policy development in areas such as scale-appropriate best practice guidance, industry-specific OSS management frameworks, standardised metrics for evaluating OSS component maturity, and the impact of community engagement on OSS quality and security.
