Professional Documents
Culture Documents
Four Strategies To Reduce Open Source Risk PDF
Four Strategies To Reduce Open Source Risk PDF
Rogue Wave Software / 5500 Flatiron Parkway, Suite 200 / Boulder, CO 80301, USA / www.roguewave.com
Try and think of a single system in the world that hasn’t been touched by open source software.
Whether included in the product or as part of the development environment, open source plays a
dominant role in the success of software development teams everywhere. It’s not surprising that
every developer has their favorite open source tool to solve particular problems because they
understand the substantial time and cost savings when reusing code built by an expert. Code they
don’t have to worry about.
That’s why over 50 percent of enterprise organizations today adopt and contribute to open source
(from the 2014 Future of Open Source survey). With open source so pervasive, it’s surprising how
little developers and organizations are aware of the risks inherent in the software choices they’re
making and the solutions available.
roguewave.com 2
Risky business
Like commercial software, open source is licensed for use by developers. Unlike commercial software, open source
licenses generally provide the rights to study, change, and distribute the software to anyone for any purpose, without
payment (there are conditions of use that vary from license to license). The Open Source Initiative (OSI) has a ten-point
definition of what open source is and it’s important to note that all ten points relate to the distribution of software and
none relate to technical features or quality. Most developers realize there’s “something problematic” about open source
but few take the time to understand these implications:
Acknowledgement – most open source licenses require some form of acknowledgement when the code is
reused in other projects.
Redistribution – all open source licenses have some clause that specifies how the software is to be reproduced
and distributed within a product. This may include conditions on access to the source code, providing copies of
the license, trademark use, or a variety of other requirements.
Modification – if the open source code is changed in any way, most licenses include requirements on how the
modifications are tracked and notices given.
Compatibility – for projects that include open source code managed by different licenses, it’s important to know
whether those licenses conflict with each other. The Free Software Foundation, for example, considers the Apache
License, version 2.0 incompatible with the GNU General Public License version 2.0. Projects with nested licenses
are even trickier to understand and it’s nearly impossible to determine obligations without deep analysis and
expert knowledge.
Security – open source code is developed to fill a specific technical gap and delivered “as is” — rarely is it created
with security in mind. If its testing process doesn’t explicitly include security vulnerabilities, any product that
includes its code could be potentially compromised. This issue is so prevalent that using risky components is now
number 9 on OWASP’s list of Top 10 Application Security Concerns.
Beyond these issues is the fact that open source software isn’t necessarily tested to the same technical and performance
requirements of the organization. When it comes to troubleshooting issues, often the only help resource available is the
open source community. This type of help can be sporadic or unreliable at best so teams must spend their own time
researching and fixing the issues, if at all.
One last consideration affects those companies selling to industries or governments that require software audits.
By purchasing software that may contain open source, these organizations take on the same licensing, security, and
technical risks. Open source audits are a way of characterising any potential liabilities before making a purchase and
the effort to obtain accurate and comprehensive coverage for these audits cannot be underestimated. Considering that
most development teams don’t know all the ways in which open source code is used, audits can be a significant cost to
the project.
Understanding how these implications affect a project can be difficult to grasp but one thing is certain: the use of open
source is always unilateral. If a portion or the entire open source package is used, the project agrees to the terms of the
license and any potential technical debt.
roguewave.com 3
Bring on the strategies
Few organizations have an open source management policy in place and for those that do, the policy is often ad-hoc
and difficult to manage. Because the technical and legal risks could have potentially massive impacts, it’s worthwhile to
understand the building blocks of a comprehensive open source strategy.
Scanning tools offer an automated and repeatable method for understanding the scope and depth of open source use
within a company. Not only do they free up time to focus on other development efforts, they also remove any element of
human error. Given that open source packages can contain other open source packages and that even just a few lines of
reused code can contain risks, scanning tools are the only reliable choice.
Typical concerns about open source scanning revolve around maintenance and protection of intellectual property.
Scanning tools that operate as a Software as a Service (SaaS) have very little start-up and deployment costs and allow
easy updates that are transparent to the end-user. Scanning tools that don’t require source code upload are vital to
protecting intellectual property — those that generate “fingerprints” of code for scanning ensure that code stays behind
the firewall.
With these factors in play and often very little internal expertise, companies turn to application auditing services to create
open source Bill of Materials (BOM) and to help understand license obligations. By interviewing development teams
and scanning code bases, an application auditor uses their dedicated open source experience to create comprehensive
reports and recommendations about open source use within the organization.
roguewave.com 4
Establish an open source policy
Tying together different aspects of open source risk mitigation can be difficult, especially across multiple teams and large
code bases. That’s why establishing open source policies and controls is critical to ensuring the effective management
of both processes and risks. An open source policy guides the different aspects of risk mitigation to address licensing,
security, and support issues, but such a policy can be difficult to manage. That’s why open source policy tools exist.
An effective policy tool lets organizations define and verify all aspects of open source use. Such a tool enables
developers to find technology that’s safe and supported while also allowing the organization to track and govern its use.
These tools include the ability to:
• Browse and download open source that’s trustworthy and approved by the organization
• Find open source within the organization through deep source code scanning
• Customize and manage open source policies and approvals
• Help developers solve issues with expert knowledge bases and technical support
• Determine license compliance across the organization
• Notify individuals of open source updates and security patches
roguewave.com 5
Rogue Wave provides software development tools for mission-critical applications. Our trusted solutions address the growing complexity of building
great software and accelerates the value gained from code across the enterprise. Rogue Wave’s portfolio of complementary, cross-platform tools helps
developers quickly build applications for strategic software initiatives. With Rogue Wave, customers improve software quality and ensure code integrity,
while shortening development cycle times.