Open Source is NOT Free
Presentation for ISACA
By Dave Yip / Gamatech Ltd

Agenda
- Gamatech
- Introduction to Open Source
- Open Source and Enterprises
- Open Source Licensing
- Open Source Risks
- Open Source Management
- Summary
Gamatech Limited
- Established in Q4 2002.
- Formed a joint venture with Karin Group in 2005. Karin is a company listed on the Singapore Exchange.
- Focus 100% on Identity Management and Information Security.
- Customer references: Education, Entertainment, Finance, Health, Government, Logistics, Telco, Transportation.
From Sources to Product
(Diagram.) Included source code, object-code libraries and the product's own source code are combined into the final source code and object code, and then into the final product, an executable program. At each step the questions are: is this Open Source? What are the obligations?

History of Open Source: University Contributions
- Source code made available by universities with very few restrictions.
- Goal: to encourage development.
- Academic licenses support the university model: broad rights, negligible obligations.
- Companies permitted to re-license under traditional models.
History of Open Source: Free Software Movement
- Free software invented by Richard Stallman ("free" as in freedom).
- Goal: to ensure users' rights to use, modify and redistribute code.
- Free Software Foundation (the FSF).
- The General Public License (the GPL).
- Copyleft uses copyright to ensure the availability of code, instead of protecting it as private property.
- Reciprocity is key to copyleft.

Sharing is Key to Open Source
(Cycle diagram.) Create -> Modify -> Share
Open Source Use in Enterprises
It is not a matter of whether enterprises use open source. It is a matter of whether enterprises know what open source they use and the associated obligations.
Open Source and Other Development Options Compared
Four key variables: cost, programming time, potential license restrictions, fit for the customized application.
(Chart residue. Options compared: Freeware, Open Source, Home Grown, Modified licensed work (if permitted), Outsourced Development; each rated High / Medium / Low on Cost, Programming Time, Restrictions and License Suitability for Application.)

UNIX History
(Figure: the UNIX family tree from "Unix History" by Éric Lévénez, including Linux by Linus Torvalds.)
Global Web Server Use (May 2007)
(Pie chart, source: Netcraft. Segments: Apache, IIS, Other; shares shown: 59.00%, 31.00%, 10.00%.)

Open Source: Typical Situations
- Use of Open Source software in the company's infrastructure.
- Use of Open Source software in the company's products.
- Open Source issues in mergers and acquisitions.
- Releasing proprietary software under an Open Source model.
The Sea Change is Happening

Innovation Aimed at Development Productivity
(Chart residue: a timeline across the 1980s, 1990s and 2000s. Scope widens from Individual Software Developer to Project Team, Single Enterprise and Development Ecosystem; Focus moves from Code to Design, Collaboration, Application Life Cycle Management and Component-Based Development.)
Why Open Source?
- Quality and Reliability: if the project is being actively developed by a community of developers, peer review will encourage quality. 66% of web server deployments today are Apache. Google uses Linux.
- Security: because the code is available for anyone to view, and because of the scrutiny of peer developers, security problems tend to be discovered quickly and fixed quickly.
- Support: many companies offer Open Source product support; forums, mailing lists, FAQs, online documentation. No such thing as stopping support and forcing customers to upgrade, as always happens with commercial products.
- Cost Effectiveness.
Basic Principles of Open Source Licensing: the Open Source Definition
1. Free Redistribution
2. Source Code Availability
3. Derived Works Permitted
4. Integrity of the Author's Source Code
5. No Discrimination Against Persons or Groups
6. No Discrimination Against Fields of Endeavor
7. Same Distribution License
8. License Not Specific to a Product
9. License Must Not Restrict Other Software
10. License Must Be Technology Neutral

Open Source Licenses
- GNU General Public License (GNU GPL or simply GPL).
- Others: OSI lists over 50 licenses which OSI has approved as being Open Source.
  - Community: BSD, Apache, Academic Free License
  - Traditional license: Mozilla license, Apple Public License, Common Public License
- Usually these licenses are less restrictive, or more permissive, than the GPL.
Open Source Licenses Overview
- Restrictions
- Copyleft
- License compatibility
- Permissive versus Copyleft: the belief that the copyleft licenses, particularly the GNU General Public License (GPL), are too complicated and have restrictions which are undesirable.
- Spectrum from permissive to restrictive: PD, Permissive (BSD), LGPL, GPL, AGPL.

Linking and distribution with proprietary software
GPL
- Software linking: not allowed (since the linked software is considered a whole).
- Distribution of the work: not allowed with software whose license is not GNU GPL compatible.
- Redistributing the code with changes: only if the derivative is GNU GPL.
LGPL
- Software linking: allowed (since the software that links to the library is not considered a derivative work).
- Distribution of the work: allowed with some restrictions: you have to provide the source code of the distributed LGPL library with (if any) modifications, changes to the LGPL library should be allowed to third parties, and if BC (backward compatible) your app/lib should still work with the modified LGPL lib/app.
- Redistributing the code with changes: only if the derivative is GNU LGPL or GNU GPL.
Source: Wikipedia and "Open Source Licenses" by Zack Rusin

Open Source Licenses Overview (continued)
- GPLv2: originally written by Richard Stallman for the GNU project. Most popular, >65%.
- GPLv3 (released June 29th, 2007): Free Software Foundation (FSF). GPLv3 was written by Richard Stallman, with legal counsel from Eben Moglen and the Software Freedom Law Center. Important changes: handling software patent issues, free software license compatibility, the definition of "source code", Tivoization.
- Copyleft: the GPL does not give the licensee unlimited redistribution rights. The right to redistribute is granted only if the distribution is licensed under the terms of the GPL and either includes, or unconditionally offers to include at the moment of distribution, the source code.
- AGPL (the Affero clause) is intended to plug a web-publishing loophole.
SCO / Novell UNIX Lawsuit
- Case: the fact that Novell had the copyright to UNIX, and that the SCO Group had improperly kept money that was due to Novell.
- On August 10, 2007, a major portion of the case was decided in Novell's favor.
- The court also ruled that SCO is obligated to recognize Novell's waiver of SCO's claims against IBM and Sequent.
- After the ruling, Novell announced they have no interest in suing people over Unix. Novell stated "We don't believe there is Unix in Linux."

Other SCO UNIX Lawsuits
- SCO v. Novell: settled on Aug 10, 2007
- SCO v. IBM: trial date vacated pending resolution of SCO v. Novell
- SCO v. AutoZone: stayed pending outcome of SCO v. IBM
- SCO v. DaimlerChrysler: summary judgment entered against SCO
- Red Hat v. SCO: stayed pending outcome of SCO v. IBM
GPL Enforcement Cases
- Free Software Foundation claims rights to enforce the GPL. Created the Compliance Lab.
- Claims 50 enforcement actions in 2002. Approximately 30-40 enforcement actions in 2003.
- Sends a letter alleging violations and demanding the right to audit.
- Claims everyone settles because they know they will lose.
- Most actions never become public. MySQL/NuSphere dispute.
- The Software Freedom Law Center (SFLC) announced on Mar 17, 2008 that agreements have been reached to dismiss the GPL enforcement lawsuit filed by SFLC against Verizon Communications Inc. on behalf of two principal developers of BusyBox.

The Story of Cisco - Linksys - Broadcom
- An overseas developer used GPL code in the driver for an 802.11 wireless device (Broadcom).
- Linksys adopted this technology into its WRT54G wireless broadband router.
- Cisco bought Linksys for $500M in 2003.
- FSF accused Cisco of a license violation.
- Source code was made available.
- The story ends: developers modified the firmware, turning a low-end ($60) device into a high-function router.
Copyright 2007 Black Duck Software, Inc. All Rights Reserved. Confidential and Proprietary.
Google Bans AGPL Source Code Hosted on Google Code (April 2008 news)
- Google's ban on projects licensed under the Affero GPL license has claimed its first victim: the ClipperZ online password manager has defected from Google Code to rival code host SourceForge.
- Today, the AGPL is in use by about 42 Open Source projects.
Potential Consequences of Violating the GPL or Other Open Source Licenses
- Copyright infringement actions.
- Negative publicity (one of the strongest weapons available to the Open Source community is the Internet).
- Possible monetary consequences:
  - Costly delays in product launch, or product recall
  - Expensive redundant development efforts
  - Restricted commercialization and lost profit opportunities
- Potential enforcement rights for every contributor.
- Automatic termination of the GPL.

Open Source Risks
- Infection of other code or programs with license requirements. What is a derivative work: dynamic vs. static code.
- Security risks.
- No warranty or indemnity.
- Code may contain restricted copyrighted materials.
- Processes may infringe patents.
- No standard or easy source of help.
- Different licenses have different terms.
Open Source Licenses are Enforced
- Free Software Foundation enforces open source license requirements. http://www.fsf.org/licensing - 18 open cases, 28 reports in December.
- Reports may be made by: disgruntled employees, hackers, savvy programmers.
- Improper use can:
  - Require the unrestricted release of all associated software.
  - Create public relations problems.
  - Create copyright liability.
  - Encroach on third party obligations.

Complexity: Each Component has an Owner and a License
Mixed Code Risk
- Loss of Intellectual Property
- License Rights and Restrictions
- Export Regulations
- Software Defects
- Injunctions
- Security Vulnerabilities
- Contractual Obligations
- Escalating Support Costs

Other Situations in which Open Source Risks Must be Addressed
- Mergers
- Acquisitions
- Investment
- IPO
Due diligence!
Options for Mitigating Open Source IP Risk
- Prohibit re-use of internal/external software
  - Challenging to implement and enforce
  - Development productivity lower than competitors'
  - Demotivates the engineering team
  - "You didn't use any Open Source, right?!"
- Ignore the problem
  - Open source and commercial licensors are asserting their rights
  - Courts are upholding open source and commercial licenses
  - Impacts can be life-threatening for a business
  - "How would anybody know?"
- Manage your software IP
Open Source Policy Needed to Manage Risks
- Formal identification of applications and a review process: Is the software modified? How are the libraries accessed?
- Define uses:
  - Internal [manageable risk]: e.g. a Linux server
  - External [higher risk]: products transferred to third parties

Open Source Policy
- Identify approved licenses and models for use.
- List prohibitions.
- Inventory what has already entered the company.
- Educate employees about the policy and procedures.
- Build due diligence into software licensing procedures.
- Audit all software use to ensure license compliance, not just open source applications.
- Include a combination of legal and senior technical personnel to review and approve each use of open source software.
- Have separate terms for proprietary and open source code.
- Understand what modifications may be made to the Open Source code.
- Consider obtaining a commercial license for the open source code ($$$).
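As an added example, not from the slides or from Gamatech, the GPL/LGPL linking and distribution rules from the licenses overview and the policy steps above (approved-license list, internal versus external use, inventory and audit) are expressed as a small Python inventory checker. The Component fields, the SPDX-style license identifiers and the sample inventory are assumptions constructed for this example; it goes slightly beyond the table by treating AGPL network use as a trigger, which is the Affero clause the slides mention.

```python
from dataclasses import dataclass
from typing import List, Set
# License families, permissive -> restrictive as on the slide (PD, BSD, LGPL, GPL, AGPL);
# the identifiers are SPDX-style names chosen for this example.
WEAK_COPYLEFT = {"LGPL-2.1", "LGPL-3.0"}
STRONG_COPYLEFT = {"GPL-2.0", "GPL-3.0", "AGPL-3.0"}
COPYLEFT = WEAK_COPYLEFT | STRONG_COPYLEFT

@dataclass
class Component:
    name: str
    license: str
    linking: str           # "static", "dynamic" or "none" (separate program)
    distributed: bool      # shipped to third parties: the slides' "external" use
    network_service: bool  # offered to users over a network (the Affero case)
    modified: bool         # we changed the component's own source

def assess(c: Component, approved: Set[str]) -> List[str]:
    """Return policy findings for one inventory entry; an empty list means no action."""
    findings = []
    if c.license not in approved:
        findings.append(f"{c.name}: {c.license} is not an approved license")
    # Copyleft obligations are triggered by distribution; the Affero clause of the
    # AGPL also triggers them when the code is only offered as a network service.
    triggered = c.distributed or (c.license == "AGPL-3.0" and c.network_service)
    if not triggered:
        return findings  # internal use only: the slides' "manageable risk" case
    if c.license in STRONG_COPYLEFT and c.linking != "none":
        findings.append(f"{c.name}: linking {c.license} code makes the whole product a derivative; it must be GPL-licensed or the component removed")
    elif c.license in STRONG_COPYLEFT:
        findings.append(f"{c.name}: must ship, or unconditionally offer, the {c.license} source")
    if c.license in WEAK_COPYLEFT:
        findings.append(f"{c.name}: must provide the {c.license} library source including any modifications")
        if c.linking == "static":
            findings.append(f"{c.name}: statically linked; legal review must settle the derivative-work question before release")
    if c.modified and c.license in COPYLEFT:
        findings.append(f"{c.name}: modifications must stay under {c.license}")
    return findings

def audit(inventory: List[Component], approved: Set[str]) -> List[str]:
    return [f for c in inventory for f in assess(c, approved)]
# Constructed sample inventory and approved list, not real project data.
APPROVED = {"PD", "BSD-3-Clause", "Apache-2.0"} | WEAK_COPYLEFT
SAMPLE = [
    Component("fastzip", "BSD-3-Clause", "static", True, False, False),
    Component("libfoo", "LGPL-2.1", "dynamic", True, False, True),
    Component("gpltool", "GPL-2.0", "none", True, False, False),
    Component("agplweb", "AGPL-3.0", "static", False, True, False),
    Component("intlib", "GPL-3.0", "static", False, False, False),
]
```

Running `audit(SAMPLE, APPROVED)` on the constructed inventory yields seven findings; the internal-only GPL library is flagged only for not being on the approved list, while the AGPL web component is flagged even though it is never distributed.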
Solution by Black Duck Software: License Compliance Management
SW Development Project: Legal and IT Professionals Collaboration Chart
- IT professionals: Use proven Open Source modules in IT software development projects to save tremendous development effort and time. / Legal professionals: Research Open Source license legal issues and obligations.
- IT professionals: Identify all Open Source modules, and their associated licenses, used in IT software development projects. / Legal professionals: Review the identified Open Source licenses and their obligations to minimize litigation risks.
- IT professionals: Optionally outsource some of the software development work to subcontractors. / Legal professionals: Look at Open Source issues and add relevant terms and conditions to the subcontract agreement.

Summary
- Open Source is NOT free.
- Open Source is here to stay.
- The stakes are high and will get higher.
- It will complement, not replace, traditional development models.
- Enterprises must understand the Open Source risks.
- Enterprises are recommended to implement policies and procedures for handling open source code.