FOUR STRATEGIES TO REDUCE YOUR OPEN SOURCE RISK

Be aware and prepare for what could happen

Try to think of a single system in the world that hasn’t been touched by open source software. Whether included in the product or as part of the development environment, open source plays a dominant role in the success of software development teams everywhere. It’s not surprising that every developer has a favorite open source tool for a particular problem: they understand the substantial time and cost savings of reusing code built by an expert, code they don’t have to worry about. That’s why over 50 percent of enterprise organizations today adopt and contribute to open source (from the 2014 Future of Open Source survey).

With open source so pervasive, it’s surprising how little awareness developers and organizations have of the risks inherent in the software choices they’re making, and of the solutions available.

ROGUEWAVE.COM

RISKY BUSINESS

Like commercial software, open source is licensed for use by developers. Unlike commercial software, open source licenses generally grant the rights to study, change, and distribute the software to anyone for any purpose, without payment (subject to conditions of use that vary from license to license). The Open Source Initiative (OSI) has a ten-point definition of open source, and it’s important to note that all ten points relate to the distribution of software and none relate to technical features or quality.

Most developers realize there’s “something problematic” about open source, but few take the time to understand these implications:

Acknowledgement – most open source licenses require some form of acknowledgement when the code is reused in other projects.

Redistribution – all open source licenses have some clause that specifies how the software is to be reproduced and distributed within a product. This may include conditions on access to the source code, providing copies of the license, trademark use, or a variety of other requirements.

Modification – if the open source code is changed in any way, most licenses include requirements on how the modifications are tracked and notices given.

Compatibility – for projects that include open source code governed by different licenses, it’s important to know whether those licenses conflict with each other. The Free Software Foundation, for example, considers the Apache License, version 2.0 incompatible with the GNU General Public License version 2.0. Projects with nested licenses are even trickier to understand, and it’s nearly impossible to determine obligations without deep analysis and expert knowledge.

Security – open source code is developed to fill a specific technical gap and delivered “as is”; it is rarely created with security in mind. If its testing process doesn’t explicitly include security vulnerabilities, any product that includes its code could be compromised. This issue is so prevalent that using risky components is now number 9 on OWASP’s list of Top 10 Application Security Concerns.

Beyond these issues is the fact that open source software isn’t necessarily tested to the same technical and performance requirements as the organization’s own code. When it comes to troubleshooting issues, often the only help available is the open source community. This type of help can be sporadic or unreliable at best, so teams must spend their own time researching and fixing the issues, if they get fixed at all.

One last consideration affects companies selling to industries or governments that require software audits. By purchasing software that may contain open source, these organizations take on the same licensing, security, and technical risks. Open source audits are a way of characterizing any potential liabilities before making a purchase, and the effort needed to obtain accurate and comprehensive coverage in these audits should not be underestimated. Considering that most development teams don’t know all the ways in which open source code is used, audits can be a significant cost to the project.

How these implications affect a project can be difficult to grasp, but one thing is certain: the use of open source is always unilateral. If a portion of or the entire open source package is used, the project agrees to the terms of the license and takes on any potential technical debt.

BRING ON THE STRATEGIES

Few organizations have an open source management policy in place, and for those that do, the policy is often ad hoc and difficult to manage. Because the technical and legal risks could have massive impacts, it’s worthwhile to understand the building blocks of a comprehensive open source strategy.

Maintain open source support and improve open source audits

Enterprises universally understand the benefits of commercial-grade support for commercial software, yet most don’t realize that the same level of support is available for open source. From setup to coding to maintenance, open source support guarantees access to experts who help resolve problems affecting delivery or running systems. Companies that engage open source support realize that software is software regardless of the source, and pass the benefits on to their customers.

Companies should also realize that an open source audit is far more involved than simply generating a list of software packages used by the team. The goal of the audit must be understood (it could range from discovering unknown components to determining licensing and compliance gaps), and the process must be clear to ensure the results are comprehensive and accurate. The audit itself should also minimize the impact on the development team and schedule. With these factors in play, and often very little internal expertise, companies turn to application auditing services to create an open source bill of materials (BOM) and to help understand license obligations. By interviewing development teams and scanning code bases, an application auditor uses dedicated open source experience to create comprehensive reports and recommendations about open source use within the organization.

Know your open source inventory

It’s not surprising that most organizations don’t know the extent of where and how open source is being used. Developers have nearly limitless options for finding and downloading open source code and can include it in any number of ways and amounts. Reporting open source use isn’t usually a priority for developers when they’re focused on delivering features.

Establish an open source policy

Tying together the different aspects of open source risk mitigation can be difficult, especially across multiple teams and large code bases. That’s why establishing open source policies and controls is critical to the effective management of both processes and risks. An open source policy guides the different aspects of risk mitigation to address licensing, security, and support issues, but such a policy can be difficult to manage. That’s why open source policy tools exist. An effective policy tool lets organizations define and verify all aspects of open source use. Such a tool enables developers to find technology that’s safe and supported while also allowing the organization to track and govern its use. These tools include the ability to:

• Find open source within the organization through an audit
• Customize and manage open source policies and approvals
• Help developers solve issues with expert knowledge bases and technical support
• Determine license compliance across the organization
• Notify individuals of open source updates and security patches

OPEN SOURCE IS HERE TO STAY

The lure of open source is undeniable. Developers take advantage of it every day, and organizations are just beginning to understand how license, security, and technical issues affect their time to delivery. Software is software, regardless of source, and investing in open source support, open source audits, and policy tools helps organizations understand what they have and find ways to solve any open source issue.

Rogue Wave provides software development tools for mission-critical applications. Our trusted solutions address the growing complexity of building great software and accelerate the value gained from code across the enterprise. The Rogue Wave portfolio of complementary, cross-platform tools helps developers quickly build applications for strategic software initiatives. With Rogue Wave, customers improve software quality and ensure code integrity, while shortening development cycle times.

© 2016 Rogue Wave Software, Inc. All rights reserved.