Four strategies to reduce your open source risk

Transcription

1 Four strategies to reduce your open source risk Be aware and prepare for what could happen Rogue Wave Software / 5500 Flatiron Parkway, Suite 200 / Boulder, CO 80301, USA / www.

2 Try and think of a single system in the world that hasn t been touched by open source software. Whether included in the product or as part of the development environment, open source plays a dominant role in the success of software development teams everywhere. It s not surprising that every developer has their favorite open source tool to solve particular problems because they understand the substantial time and cost savings when reusing code built by an expert. Code they don t have to worry about. That s why over 50 percent of enterprise organizations today adopt and contribute to open source (from the 2014 Future of Open Source survey). With open source so pervasive, it s surprising how little developers and organizations are aware of the risks inherent in the software choices they re making and the solutions available. 2

3 Risky business Like commercial software, open source is licensed for use by developers. Unlike commercial software, open source licenses generally provide the rights to study, change, and distribute the software to anyone for any purpose, without payment (there are conditions of use that vary from license to license). The Open Source Initiative (OSI) has a ten-point definition of what open source is and it s important to note that all ten points relate to the distribution of software and none relate to technical features or quality. Most developers realize there s something problematic about open source but few take the time to understand these implications: Acknowledgement most open source licenses require some form of acknowledgement when the code is reused in other projects. Redistribution all open source licenses have some clause that specifies how the software is to be reproduced and distributed within a product. This may include conditions on access to the source code, providing copies of the license, trademark use, or a variety of other requirements. Modification if the open source code is changed in any way, most licenses include requirements on how the modifications are tracked and notices given. Compatibility for projects that include open source code managed by different licenses, it s important to know whether those licenses conflict with each other. The Free Software Foundation, for example, considers the Apache License, version 2.0 incompatible with the GNU General Public License version 2.0. Projects with nested licenses are even trickier to understand and it s nearly impossible to determine obligations without deep analysis and expert knowledge. Security open source code is developed to fill a specific technical gap and delivered as is rarely is it created with security in mind. If its testing process doesn t explicitly include security vulnerabilities, any product that includes its code could be potentially compromised. This issue is so prevalent that using risky components is now number 9 on OWASP s list of Top 10 Application Security Concerns. Beyond these issues is the fact that open source software isn t necessarily tested to the same technical and performance requirements of the organization. When it comes to troubleshooting issues, often the only help resource available is the open source community. This type of help can be sporadic or unreliable at best so teams must spend their own time researching and fixing the issues, if at all. One last consideration affects those companies selling to industries or governments that require software audits. By purchasing software that may contain open source, these organizations take on the same licensing, security, and technical risks. Open source audits are a way of characterising any potential liabilities before making a purchase and the effort to obtain accurate and comprehensive coverage for these audits cannot be underestimated. Considering that most development teams don t know all the ways in which open source code is used, audits can be a significant cost to the project. Understanding how these implications affect a project can be difficult to grasp but one thing is certain: the use of open source is always unilateral. If a portion or the entire open source package is used, the project agrees to the terms of the license and any potential technical debt. 3

4 Bring on the strategies Few organizations have an open source management policy in place and for those that do, the policy is often ad-hoc and difficult to manage. Because the technical and legal risks could have potentially massive impacts, it s worthwhile to understand the building blocks of a comprehensive open source strategy. Know your open source inventory It s not surprising that most organizations don t know the extent of where and how open source is being used. Developers have nearly limitless options when it comes to finding and downloading open source code and can include this code in any number of ways and amounts. Reporting open source use isn t usually a priority for developers when they re focused on delivering features. Scanning tools offer an automated and repeatable method for understanding the scope and depth of open source use within a company. Not only do they free up time to focus on other development efforts, they also remove any element of human error. Given that open source packages can contain other open source packages and that even just a few lines of reused code can contain risks, scanning tools are the only reliable choice. Typical concerns about open source scanning revolve around maintenance and protection of intellectual property. Scanning tools that operate as a Software as a Service (SaaS) have very little start-up and deployment costs and allow easy updates that are transparent to the end-user. Scanning tools that don t require source code upload are vital to protecting intellectual property those that generate fingerprints of code for scanning ensure that code stays behind the firewall. Maintain open source support Enterprises universally understand the benefits of commercial-grade support for commercial software, yet most don t realize that the same level of support is available for open source. From set up to coding to maintenance, open source support guarantees access to experts that help resolve problems affecting delivery or running systems. Companies that engage in open source support realize that software is software regardless of the source and pass on the benefits to their customers. Improve open source audits Companies should realize that when a customer asks for an open source audit, it s far more involved than simply generating a list of software packages used by the team. The goal of the audit must be understood (it could range from discovering unknown components to determining licensing and compliance gaps) and the process must be clear to ensure the results are comprehensive and accurate. The audit itself should also minimize the impact on the development team and schedule. With these factors in play and often very little internal expertise, companies turn to application auditing services to create open source Bill of Materials (BOM) and to help understand license obligations. By interviewing development teams and scanning code bases, an application auditor uses their dedicated open source experience to create comprehensive reports and recommendations about open source use within the organization. 4

5 Establish an open source policy Tying together different aspects of open source risk mitigation can be difficult, especially across multiple teams and large code bases. That s why establishing open source policies and controls is critical to ensuring the effective management of both processes and risks. An open source policy guides the different aspects of risk mitigation to address licensing, security, and support issues, but such a policy can be difficult to manage. That s why open source policy tools exist. An effective policy tool lets organizations define and verify all aspects of open source use. Such a tool enables developers to find technology that s safe and supported while also allowing the organization to track and govern its use. These tools include the ability to: Browse and download open source that s trustworthy and approved by the organization Find open source within the organization through deep source code scanning Customize and manage open source policies and approvals Help developers solve issues with expert knowledge bases and technical support Determine license compliance across the organization Notify individuals of open source updates and security patches Open source is here to stay The lure of open source is undeniable. Developers take advantage of it every day and organizations are just beginning to understand the impacts of having license, security, and technical issues impact their time to delivery. Software is software, regardless of source, and investing in open source scanning, support, and policy tools help organizations understand what they have and find ways to solve any open source issue. 5

6 Rogue Wave provides software development tools for mission-critical applications. Our trusted solutions address the growing complexity of building great software and accelerates the value gained from code across the enterprise. Rogue Wave s portfolio of complementary, cross-platform tools helps developers quickly build applications for strategic software initiatives. With Rogue Wave, customers improve software quality and ensure code integrity, while shortening development cycle times Rogue Wave Software, Inc. All Rights Reserved