Four strategies to reduce your

open source risk

Be aware and prepare for what could happen

Rogue Wave Software / 5500 Flatiron Parkway, Suite 200 / Boulder, CO 80301, USA / www.roguewave.com
Try and think of a single system in the world that hasn’t been touched by open source software.
Whether included in the product or as part of the development environment, open source plays a
dominant role in the success of software development teams everywhere. It’s not surprising that
every developer has their favorite open source tool to solve particular problems because they
understand the substantial time and cost savings when reusing code built by an expert. Code they
don’t have to worry about.

That’s why over 50 percent of enterprise organizations today adopt and contribute to open source
(from the 2014 Future of Open Source survey). With open source so pervasive, it’s surprising how
little developers and organizations are aware of the risks inherent in the software choices they’re
making and the solutions available.

roguewave.com 2
Risky business
Like commercial software, open source is licensed for use by developers. Unlike commercial software, open source
licenses generally provide the rights to study, change, and distribute the software to anyone for any purpose, without
payment (there are conditions of use that vary from license to license). The Open Source Initiative (OSI) has a ten-point
definition of what open source is and it’s important to note that all ten points relate to the distribution of software and
none relate to technical features or quality. Most developers realize there’s “something problematic” about open source
but few take the time to understand these implications:

Acknowledgement – most open source licenses require some form of acknowledgement when the code is
reused in other projects.

Redistribution – all open source licenses have some clause that specifies how the software is to be reproduced
and distributed within a product. This may include conditions on access to the source code, providing copies of
the license, trademark use, or a variety of other requirements.

Modification – if the open source code is changed in any way, most licenses include requirements on how the
modifications are tracked and notices given.

Compatibility – for projects that include open source code managed by different licenses, it’s important to know
whether those licenses conflict with each other. The Free Software Foundation, for example, considers the Apache
License, version 2.0 incompatible with the GNU General Public License version 2.0. Projects with nested licenses
are even trickier to understand and it’s nearly impossible to determine obligations without deep analysis and
expert knowledge.

Security – open source code is developed to fill a specific technical gap and delivered “as is” — rarely is it created
with security in mind. If its testing process doesn’t explicitly include security vulnerabilities, any product that
includes its code could be potentially compromised. This issue is so prevalent that using risky components is now
number 9 on OWASP’s list of Top 10 Application Security Concerns.

Beyond these issues is the fact that open source software isn’t necessarily tested to the same technical and performance
requirements of the organization. When it comes to troubleshooting issues, often the only help resource available is the
open source community. This type of help can be sporadic or unreliable at best so teams must spend their own time
researching and fixing the issues, if at all.

One last consideration affects those companies selling to industries or governments that require software audits.
By purchasing software that may contain open source, these organizations take on the same licensing, security, and
technical risks. Open source audits are a way of characterising any potential liabilities before making a purchase and
the effort to obtain accurate and comprehensive coverage for these audits cannot be underestimated. Considering that
most development teams don’t know all the ways in which open source code is used, audits can be a significant cost to
the project.

Understanding how these implications affect a project can be difficult to grasp but one thing is certain: the use of open
source is always unilateral. If a portion or the entire open source package is used, the project agrees to the terms of the
license and any potential technical debt.

roguewave.com 3
Bring on the strategies
Few organizations have an open source management policy in place and for those that do, the policy is often ad-hoc
and difficult to manage. Because the technical and legal risks could have potentially massive impacts, it’s worthwhile to
understand the building blocks of a comprehensive open source strategy.

Know your open source inventory

It’s not surprising that most organizations don’t know the extent of where and how open source is being used.
Developers have nearly limitless options when it comes to finding and downloading open source code and can include
this code in any number of ways and amounts. Reporting open source use isn’t usually a priority for developers when
they’re focused on delivering features.

Scanning tools offer an automated and repeatable method for understanding the scope and depth of open source use
within a company. Not only do they free up time to focus on other development efforts, they also remove any element of
human error. Given that open source packages can contain other open source packages and that even just a few lines of
reused code can contain risks, scanning tools are the only reliable choice.

Typical concerns about open source scanning revolve around maintenance and protection of intellectual property.
Scanning tools that operate as a Software as a Service (SaaS) have very little start-up and deployment costs and allow
easy updates that are transparent to the end-user. Scanning tools that don’t require source code upload are vital to
protecting intellectual property — those that generate “fingerprints” of code for scanning ensure that code stays behind
the firewall.

Maintain open source support

Enterprises universally understand the benefits of commercial-grade support for commercial software, yet most don’t
realize that the same level of support is available for open source. From set up to coding to maintenance, open source
support guarantees access to experts that help resolve problems affecting delivery or running systems. Companies that
engage in open source support realize that software is software regardless of the source and pass on the benefits to
their customers.

Improve open source audits

Companies should realize that when a customer asks for an open source audit, it’s far more involved than simply
generating a list of software packages used by the team. The goal of the audit must be understood (it could range
from discovering unknown components to determining licensing and compliance gaps) and the process must be
clear to ensure the results are comprehensive and accurate. The audit itself should also minimize the impact on the
development team and schedule.

With these factors in play and often very little internal expertise, companies turn to application auditing services to create
open source Bill of Materials (BOM) and to help understand license obligations. By interviewing development teams
and scanning code bases, an application auditor uses their dedicated open source experience to create comprehensive
reports and recommendations about open source use within the organization.

roguewave.com 4
Establish an open source policy
Tying together different aspects of open source risk mitigation can be difficult, especially across multiple teams and large
code bases. That’s why establishing open source policies and controls is critical to ensuring the effective management
of both processes and risks. An open source policy guides the different aspects of risk mitigation to address licensing,
security, and support issues, but such a policy can be difficult to manage. That’s why open source policy tools exist.

An effective policy tool lets organizations define and verify all aspects of open source use. Such a tool enables
developers to find technology that’s safe and supported while also allowing the organization to track and govern its use.
These tools include the ability to:

• Browse and download open source that’s trustworthy and approved by the organization
• Find open source within the organization through deep source code scanning
• Customize and manage open source policies and approvals
• Help developers solve issues with expert knowledge bases and technical support
• Determine license compliance across the organization
• Notify individuals of open source updates and security patches

Open source is here to stay

The lure of open source is undeniable. Developers take advantage of it every day and organizations are just beginning
to understand the impacts of having license, security, and technical issues impact their time to delivery. Software is
software, regardless of source, and investing in open source scanning, support, and policy tools help organizations
understand what they have and find ways to solve any open source issue.

roguewave.com 5
Rogue Wave provides software development tools for mission-critical applications. Our trusted solutions address the growing complexity of building
great software and accelerates the value gained from code across the enterprise. Rogue Wave’s portfolio of complementary, cross-platform tools helps
developers quickly build applications for strategic software initiatives. With Rogue Wave, customers improve software quality and ensure code integrity,
while shortening development cycle times.

© 2014 Rogue Wave Software, Inc. All Rights Reserved