Open Source Compliance: The Challenge of Managing Abundance. Peter Vescuso Black Duck Software

Transcription

1 Open Source Compliance: The Challenge of Managing Abundance Peter Vescuso Black Duck Software

2 Open Source Compliance: The Challenge of Managing Abundance Agenda The abundance The Challenges Meeting the Challenges: Best Practices Case Studies Summary

3 The Abundance of Open Source Open source projects: 220,000+ OSS projects Tens of billions of lines of code From a recently completed study of commercial developer projects: 22% of typical application/project is open source Avg project size: ~ 700MB of code Cost to develop the OSS used: ~$26M Dozens to hundreds of components Sampled hundreds of commercial projects Millions of files Hundreds of GB of code

4 Top 20 Most Commonly Used Licenses in Open Source Projects Rank License 1 GNU General Public License (GPL) GNU Lesser General Public License (LGPL) Artistic License (Perl) 4 BSD License GNU General Public License (GPL) Apache License MIT License 8 Code Project Open 1.02 License 9 Microsoft Public License (Ms-PL) 10 Mozilla Public License (MPL) Common Public License (CPL) 12 zlib/libpng License 13 Eclipse Public License (EPL) 14 GNU Lesser General Public License (LGPL) Academic Free License 16 Open Software License (OSL) 17 Common Development and Distribution License (CDDL) 18 Mozilla Public License (MPL) PHP License Version Ruby License Top 10 licenses account or 93% of OSS projects Top 20 licenses account for 97% Rank by # of OSS projects using the license Source: Black Duck Software Note: The table above illustrates the top 20 licenses that are used in open source projects, according to the Black Duck Software KnowledgeBase. This data is updated daily. See: //

5 Top Programming Languages Used By Open Source Projects (Share is calculated based on lines of code) Rank Language All Projects - Share (%) Trailing 12- Month Share (%) Trailing 12- Month Gain/Loss (%) 1C C Java Shell Javascript PHP Perl Python SQL Assembler C# Pascal Ruby Ada TCL % of open source is C, C++, Java, Shell and JavaScript Of the top 5, only JavaScript is gaining in share up almost 2 points Overall static languages losing share to dynamic languages Source: Black Duck Software. Note: The table above illustrates the top languages used in open source projects. This data is updated daily. See: //

6 Top 10 Encryption Algorithms Used in Open Source Projects Algorithm Percent of All Algorithms Type of Algorithm RSA 13% Asymmetric DSA* 9% Signature DES 9% Symmetric MD5* 8% Hash SHA* 8% Hash Blowfish 6% Symmetric Diffie Hellman 6% Keyman HMAC* 5% Mac ElGamal 5% Asymmetric AES 5% Symmetric sub total 74% Other 26% Total 100% * used for encryption only A Guide to Encryption Export Compliance for Open Source Open source projects are allowed to publish software containing encryption under license exception TSU. See: //

7 Potential of Open Source Gartner estimates the impact of open source: $37B in 2009 Infrastructure Software: $30 billion Application Software: $ 7 billion $77B by 2012: Infrastructure software: $58 billion Application software: $19 billion Source: Gartner November 2008 The fundamental economics of software development leads you to open-source software David Rivas, Nokia VP for S60 Software

8 The Future of Software Development is Open Software development has changed forever Community/global development Componentization and re-use Agile methods OSS has gone mainstream 85% of enterprises use OSS today 45% of OSS use is Running Mission-critical applications 80% of OSS contributors are corporate developers Microsoft OSS code repository (CodePlex) Large pool of proven, re-usable software

9 Making Abundance Manageable: What We re Hearing Goals for reuse/standardization of up to 80%; build / fix / fit 20% Scale ad hoc use of hundreds of OSS components has led to a management/tracking problem Increase agility, velocity of development Desire to take advantage of the benefits of open source but need to have oversight and control Manual governance, compliance and approval processes are cumbersome/burdensome to developers, prone to error, often ignored $7800/yr/component to manage OSS components (Source: Black Duck The Business Case for Automating Open Source Code Management )

10 Challenges of Using Open Source at Scale Manual management methods are inadequate, prone to error when open source usage proliferates E.g., version proliferation raises complexity and likelihood of errors When managed poorly, use of open source can introduce risks and challenges: Legal exposure due to unmet license obligations Security vulnerabilities Unsupported open source Version proliferation

11 Meeting the Challenges

12 The New Pragmatism: Multi-Source Development with Open Source Outsourced Code Development Commercial 3 rd -Party Code Internally Developed Code Open Source Software Individuals Universities Corporate Developers Code Obligations Software Application YOUR COMPANY

13 Criteria for Making OSS Abundance Manageable 1. Enable Freedom of choice Choose the best code for the job: open, outsourced, proprietary 2. Support & automate making good selections Developer - Find the best code Dev Mgr Standardization, Reuse, Innovation Cross-functional Development, Legal, Security, CxO 3. Mitigate/eliminate the challenges Management and automation Compliance 220,000+ projects using 1,800+ licenses Security 4. Integrate with existing development tools 5. Policy and process must be integrated & automated 13

14 Open Source Program Elements 1. Published Policy Created via Cross Functional Team Organization is educated on the policy 2. Open Source Process Owner Keeps the wheels running Grant certain types of approvals 3. Approval Processes Component Review & Approval Sensitive to Use: internal/external/products License Review & Approval Release Plan Review & Approval 4. Monitoring & Tracking Process Component Verification Security Notifications Component Upgrade Notifications Application to contractors/outsource vendors 5. Validation Process Ensure using approved components and Meeting the license and business obligations Current reporting for responsive due diligence request OSS Policy Resource: FOSSbazaar

15 Sample Contents of A Concise Open Source Software Policy

16 Evaluating OSS Projects Current offering (maturity) Project governance Community participation License strategy Ecosystem Features, frequency and number of releases, bug fixes Leadership, structure, charter, goals, strategy Number of participants, activity level, frequency of commits Commercially friendly, viral, dual/ multi-license Service, support, extensions, add-ons, training, consulting Source: Jeff Hammond, Forrester Research, 2009

17 Case Studies Landmark Graphics Reliant Security Insurance Company

18 Case Study: Landmark Graphics Landmark Graphics supplies software to Oil and Gas industry across a broad variety of applications areas OSS Steward monitors policy compliance Prioritize standardization Restructured release process Ongoing compliance monitoring PM assumes responsibility for OSS Remediate if/as violations are found Contributes back to OSS community Result: Rapid adoption of the latest models and technologies, with accurate identification of OSS dependencies

19 Case Study: Reliant Security Reliant sells PCI compliant in-store systems that include many OSS subsystems. Set a clear policy for OSS use Tuned acquisition policies OSS first mandate Prioritized ilities Adjusted dev processes OSS use identified at design Developer on the hook for provenance Result: Significant savings over commercial alternatives

20 Case Study: Fortune 100 Insurance Company Problem Solution Benefits Identify open source software in commercial OEM s/w (company had been sued for distributing code with GPL license) Control OS use for internal development (compliance) Automated compliance integrated with build tools; Automates internal approval process Lowers risk of legal issues Automates manual process

21 Summary Making Abundance Manageable Easy access to information on open source projects to support development The new pragmatism: multisource development using open & proprietary code Successful management requires education, policy, automation

22 Resources Search for open source code to reuse White Papers (ROI, Agile and OSS, Best Practices) OSS Policy: FOSSbazaar Best Practices for Open Source Adoption with Jeff Hammond, Forrester Research //