INTRODUCTION TO OPEN SOURCE GOVERNANCE AND COMPLIANCE GUIDE BOOK
© 2012 Black Duck®, Know Your Code®, Ohloh®, SpikeSource®, Spike® and the Black Duck logo are registered trademarks of Black Duck Software, Inc. in the United States 
and/or other jurisdictions. Koders™ is a trademark of Black Duck Software, Inc. All other trademarks are the property of their respective holders. All Rights Reserved.
Why open source? 
Open source software (OSS) is pervasive in today’s software lifecycle and supply chain. Gartner 
estimates that by 2016, open source will be included in mission-critical software packages in 
99 percent of global enterprises. Open source is used to build applications, products and services 
and offers hundreds of thousands of freely downloadable code components that can be leveraged to 
speed development and slash budgets by thousands, or even millions, of dollars. 
While cloud computing, mobile and distributed 
development trends are ramping up the intensity 
and pace of application development, development 
managers are under even more pressure to improve 
time to solution with fewer resources and under 
tighter budget restrictions. For mobile application 
development in particular, the benefits of OSS 
are extremely practical. For example, financial 
services firms face tremendous pressure to quickly 
deploy high-quality mobile applications, and OSS 
components are already proven in the mobile world. 
According to Eric Newcomer, former 
Chief Architect of Credit Suisse, “Banks 
worldwide are seeing universal interest 
in online interactions by customers via 
mobile devices, and it doesn’t take a lot 
of research to discover that most of the 
components used in mobile applications are 
open source.” 
Open source is the most practical and logical way of 
leveraging IT resources to respond to the emerging 
industry trends that are driving the accelerated 
development of mobile applications. 
The fastest growing and most agile companies are 
built on open source, from Facebook with 800+ 
million users and Twitter with 500+ million users 
to Amazon, YouTube and Google. Apple, the most 
valuable company in the world, built its iPhone, 
iPad and MacBook products with open source. The 
benefits are clear: the industry-standard cost per line of code (LoC) ranges from $10 to $20, and the average component used by a Global 2000 organization contains 50,000 LoC. Therefore, the use of OSS could save from $500K to $1M per project.
Growing popularity of open source in the enterprise
Open Source in the Code Base 
IDC recently reported that IT organizations have 
about 30 percent open source in their deployed code 
base. In Black Duck’s experience, our “best-in-class” 
customers use up to, and even over, 80 percent open 
source. These development organizations are taking 
advantage of code that already exists, not reinventing 
the wheel, and are producing more while coding less. 
Open source communities have demonstrated 
heightened levels of innovation and speed, and IT 
organizations are taking notice. The use of OSS 
methods and technologies combined with community 
best practices for development has become a strategic 
imperative for accelerating software development, 
controlling IT costs and remaining competitive. 
Established IT organizations are at risk of being 
outpaced by this new approach unless they consider 
proactively using OSS components and development 
methodologies as part of their business strategy. 
Given the increasing need to swiftly deploy high-quality 
products and applications, many IT executives 
believe that the adoption of OSS is inevitable because 
of its price and performance advantages. However, the 
benefits of OSS are fully realized only when its use is 
accompanied by an automated governance program 
that provides developers with control and visibility.
Why are governance and 
compliance essential? 
OSS empowers developers to increase innovation, efficiency and competitiveness, but as open source becomes more and more pervasive, the need for governance and compliance solutions increases exponentially.
Gartner predicts that by 2014, “50 percent of organizations will experience technology, cost and 
security challenges due to a lack of open source governance,” and through 2015, “less than 50 
percent of IT organizations will have effective open source governance programs in place.” 
Poor OSS governance can create quality, security 
and business challenges, putting an organization’s 
software assets and intellectual property (IP) at risk. 
The key to avoiding the consequences of improperly 
using open source components is to develop policies 
and procedures based on best practices while 
automating the management of OSS component use. 
Business and IT leaders need to understand the 
obligations associated with OSS licenses and foster 
the development of cross-departmental policies 
that will prevent the organization from violating 
software license obligations. Many IT executives, 
enterprise architects and development managers have 
gained control over open source component use by 
automating the governance and compliance process 
as an integral part of their application development 
cycle. And they’ve done so without slowing the 
development process or adding overhead to the 
development team. 
Legal Obligations 
“Free code” does not mean “free of obligations,” and 
open source brings with it unique and sometimes 
complex legal requirements. Once a mere matter of 
proper attribution between developers and businesses, 
open source license disputes can ultimately 
threaten the reputation of a brand now that these 
issues have moved into the realm of the courts. 
Improperly managed open source code can result in 
bad publicity, copyright infringement and even stop 
shipment orders, damaging company reputations and 
immediately impacting product revenue streams.
How do you get started? 
A prudent first step towards managing OSS is to understand how much you have and where it’s used. Thanks to advances in technology, you can now acquire software that will automatically scan and audit a code base. It’s important to note that audits should not be a one-time event; it’s wise to audit code on an ongoing basis, as part of a continuous integration process, to ensure long-term compliance with both the company’s risk management policies and external license obligations.
Next, you should establish and implement a governance program that encompasses all third-party code, whether from a commercial vendor, an OSS project or an outsourced supplier.
The diagram below illustrates a management maturity model showing five levels of open source adoption. 
Organizations with mature processes and policies don’t worry about compliance; compliance is built-in. They 
can instead focus on leveraging open source for strategic advantage and maximizing its value. 
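The ongoing audit described above, an inventory of third-party components checked against a license policy on every build, can be expressed as a small CI gate. The following is an added example, not code from the guidebook or from Black Duck; it assumes the scanner emits an inventory as a list of dicts with "name", "version" and "license" (an SPDX identifier, or None when the scan could not determine one). The two policies, the tiers and the sample components are all constructed for illustration.

```python
"""Continuous license-policy audit over a scanned component inventory.

Added example (not from the guidebook). Assumed input: a list of dicts
with "name", "version" and "license" (SPDX identifier or None). The
policies and the sample inventory below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy for code that is distributed to customers. A license
# that is not listed falls back to "review" so it can never slip through.
DISTRIBUTED_POLICY: Dict[str, str] = {
    "MIT": "allow",
    "BSD-3-Clause": "allow",
    "Apache-2.0": "allow",
    "LGPL-2.1-only": "review",   # obligations depend on linking and modification
    "MPL-2.0": "review",
    "GPL-3.0-only": "deny",      # strong copyleft: incompatible with this product's terms
    "AGPL-3.0-only": "deny",
}

# Constructed policy for internal-only deployments: distribution-triggered
# obligations do not apply, so GPL is acceptable, but AGPL still needs review
# because network use can trigger its source-offer requirement.
INTERNAL_POLICY: Dict[str, str] = dict(
    DISTRIBUTED_POLICY, **{"GPL-3.0-only": "allow", "AGPL-3.0-only": "review"}
)


@dataclass
class Finding:
    """One line of the audit record, produced for every component."""
    component: str
    version: str
    license: Optional[str]
    verdict: str          # "allow" | "review" | "deny"
    reason: str


def classify(license_id: Optional[str], policy: Dict[str, str]) -> Tuple[str, str]:
    """Map a license identifier to a policy verdict and a short reason."""
    if license_id is None:
        return "review", "license could not be determined by the scan"
    verdict = policy.get(license_id)
    if verdict is None:
        return "review", f"{license_id} is not covered by policy"
    return verdict, f"{license_id} is on the {verdict} list"


def audit(components: List[dict], policy: Dict[str, str] = DISTRIBUTED_POLICY) -> List[Finding]:
    """Produce one finding per component; the full list is the bill of materials."""
    findings = []
    for c in components:
        verdict, reason = classify(c.get("license"), policy)
        findings.append(Finding(c["name"], c["version"], c.get("license"), verdict, reason))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per verdict for the build log."""
    counts = {"allow": 0, "review": 0, "deny": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


def gate(findings: List[Finding]) -> bool:
    """CI gate: pass only when every component is explicitly allowed.

    Unknown and review-tier licenses fail the gate on purpose; a human
    approval is the only way they move to the allow list.
    """
    return all(f.verdict == "allow" for f in findings)


# Constructed sample inventory, shaped like a scanner's output.
SAMPLE_INVENTORY = [
    {"name": "http-client-lib", "version": "2.3.1", "license": "Apache-2.0"},
    {"name": "utils-compat", "version": "1.16.0", "license": "MIT"},
    {"name": "db-driver", "version": "4.0.9", "license": None},
    {"name": "cli-readline", "version": "0.3.0", "license": "GPL-3.0-only"},
    {"name": "ui-widgets", "version": "1.0.0", "license": "EUPL-1.2"},
]

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.verdict:6} {f.component}=={f.version}: {f.reason}")
    print("summary:", summarize(results))
    print("gate passed:", gate(results))
```

Running the same inventory under INTERNAL_POLICY clears the GPL finding but still fails the gate, because the undetermined and unlisted licenses remain in the review tier; that asymmetry is what makes the check safe to run unattended on every commit.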
Stages of OS Adoption
An effective governance program has four main elements: 
Organizational leaders should develop governance strategies focusing on the specific issues related to the 
acquisition, use and management of OSS that ultimately align with their growth goals, business objectives 
and internal policies. They need to establish policies that serve as the rules for evaluating, approving, using, 
reusing and releasing open source code, as well as for participating in open source communities. 
These policies should encourage developers to leverage the benefits of open source, and they 
should be created and managed by key stakeholders.
Case Study: 
SITA Builds Path to Success 
with Open Source Software Strategy 
SITA, the world’s leading specialist in air transport communications and IT 
solutions, delivers business solutions for airline, airport and government 
customers over the world’s most extensive network. As the backbone of 
the global air transport industry, SITA is constantly searching for new ways 
to improve development processes and enhance innovative capabilities. 
Questions 
How much OSS is currently part of our code base? 
How can we maximize and streamline our OSS use? 
What are the licensing details of each OSS component? 
Governance Objectives 
Enable greater use of OSS across the organization to improve 
software development efficiency and quality. 
Ensure compliance with OSS licenses and distribution requirements. 
Results 
SITA’s open source governance program plays a fundamental role in the 
ongoing development of the Horizon project, allowing SITA’s development 
teams to search, discover and use pre-approved OSS and components 
within this ground-breaking reservation system. SITA’s Horizon program 
has already captured headlines as a major innovation ushering in the next 
generation of passenger management systems for the airline industry. 
“We couldn’t have designed and implemented our current open source governance 
program without the Black Duck® Suite, and the benefits are immediately 
apparent. Now that we can constantly scan and establish a clean bill of materials 
across all projects with our automated governance program, we can combine 
the best of proprietary and open source software components to bring ground-breaking 
and innovative solutions like Horizon to market better, faster and more 
cost-effectively than ever before.” 
– Patrick Holden, Senior Programme Manager, Software Development, SITA 
SITA Horizon – The NextGen 
Passenger Management System that 
connects airlines with their customers
In Conclusion 
By using OSS strategically, you can gain significant management control with processes and technology while 
simultaneously helping your organization benefit from accelerated time-to-solution and cost advantages. 
In order to maximize the benefits of integrating open source components into your code base, it’s critical to 
implement a comprehensive, automated approach to governance and compliance that integrates across the 
application development lifecycle. 
A proactive strategy is the best approach, and the Black 
Duck team works with customers at all levels of adoption 
to ensure open source success. The Black Duck® Suite 
provides a comprehensive set of governance and compliance 
automation tools that enable development organizations 
to maximize the power of open source technologies 
and methods. 
Black Duck Consulting offers a quick and easy way to learn 
about industry best practices and assess organizational 
readiness and governance maturity. The easy-to-use, 
complementary Open Source Management Assessment 
(OSMA) begins with a self-guided survey and includes 
a phone consultation. The assessment is designed 
to help clients accelerate the implementation of a 
governance program. 
Visit www.blackducksoftware.com/OSMA to complete a free 
OSMA today and quickly benchmark your organization’s use 
of OSS. 
About Black Duck 
Offering award-winning software and consulting, Black Duck is the partner of choice for open source software adoption, governance and 
management. Enterprises of every size depend on Black Duck to harness the power of open source technologies and methods. As part of the 
greater OSS community, Black Duck connects developers to comprehensive OSS resources through Ohloh.net, and to the latest commentary 
from industry experts through the Open Source Delivers blog. Black Duck also hosts the Open Source Think Tank, an international event 
where thought leaders collaborate on the future of open source. Black Duck is headquartered near Boston and has offices in San Mateo, St. 
Louis, London, Paris, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information about how to leverage open source to deliver faster 
innovation, greater creativity and improved efficiency, visit www.blackducksoftware.com and follow us at @black_duck_sw. 
Contact 
To learn more, please contact: sales@blackducksoftware.com or 1.781.891.5100 
Additional information is available at: www.blackducksoftware.com 
GD-INTRO_OSGC-UL-1013

More Related Content

Viewers also liked

Managing Open Source software in the Docker era
Managing Open Source software in the Docker era Managing Open Source software in the Docker era
Managing Open Source software in the Docker era nexB Inc.
 
Performing an audit - Open source compliance seminar
Performing an audit - Open source compliance seminar Performing an audit - Open source compliance seminar
Performing an audit - Open source compliance seminar Rogue Wave Software
 
Managing OSS license obligations
Managing OSS license obligationsManaging OSS license obligations
Managing OSS license obligationsnexB Inc.
 
The GPL: What It Means (And What It Doesn't) - WC Udaipur
The GPL: What It Means (And What It Doesn't) - WC UdaipurThe GPL: What It Means (And What It Doesn't) - WC Udaipur
The GPL: What It Means (And What It Doesn't) - WC UdaipurNancy Thanki
 
Open Source as an Element of Corporate Strategy
Open Source as an Element of Corporate StrategyOpen Source as an Element of Corporate Strategy
Open Source as an Element of Corporate StrategyBlack Duck by Synopsys
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementBlack Duck by Synopsys
 
GNU GPL, LGPL, Apache licence Types and Differences
GNU GPL, LGPL, Apache licence Types and DifferencesGNU GPL, LGPL, Apache licence Types and Differences
GNU GPL, LGPL, Apache licence Types and DifferencesIresha Rubasinghe
 
OPEN SOURCE SEMINAR PRESENTATION
OPEN SOURCE SEMINAR PRESENTATIONOPEN SOURCE SEMINAR PRESENTATION
OPEN SOURCE SEMINAR PRESENTATIONRitwick Halder
 
Open Source Software: The Governance Makes the Difference
Open Source Software: The Governance Makes the DifferenceOpen Source Software: The Governance Makes the Difference
Open Source Software: The Governance Makes the DifferenceOW2
 
Introduction To Open Source Licenses
Introduction To Open Source LicensesIntroduction To Open Source Licenses
Introduction To Open Source LicensesHarley Pascua
 
2016 Future of Open Source Survey Results
2016 Future of Open Source Survey Results2016 Future of Open Source Survey Results
2016 Future of Open Source Survey ResultsBlack Duck by Synopsys
 
Why I Don't Use The GPL
Why I Don't Use The GPLWhy I Don't Use The GPL
Why I Don't Use The GPLShane Curcuru
 

Viewers also liked (14)

Managing Open Source software in the Docker era
Managing Open Source software in the Docker era Managing Open Source software in the Docker era
Managing Open Source software in the Docker era
 
Performing an audit - Open source compliance seminar
Performing an audit - Open source compliance seminar Performing an audit - Open source compliance seminar
Performing an audit - Open source compliance seminar
 
Managing OSS license obligations
Managing OSS license obligationsManaging OSS license obligations
Managing OSS license obligations
 
The GPL: What It Means (And What It Doesn't) - WC Udaipur
The GPL: What It Means (And What It Doesn't) - WC UdaipurThe GPL: What It Means (And What It Doesn't) - WC Udaipur
The GPL: What It Means (And What It Doesn't) - WC Udaipur
 
Open Source By The Numbers
Open Source By The NumbersOpen Source By The Numbers
Open Source By The Numbers
 
Open Source as an Element of Corporate Strategy
Open Source as an Element of Corporate StrategyOpen Source as an Element of Corporate Strategy
Open Source as an Element of Corporate Strategy
 
The 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk ManagementThe 4 Levels of Open Source Risk Management
The 4 Levels of Open Source Risk Management
 
GNU GPL, LGPL, Apache licence Types and Differences
GNU GPL, LGPL, Apache licence Types and DifferencesGNU GPL, LGPL, Apache licence Types and Differences
GNU GPL, LGPL, Apache licence Types and Differences
 
OSS Governance
OSS GovernanceOSS Governance
OSS Governance
 
OPEN SOURCE SEMINAR PRESENTATION
OPEN SOURCE SEMINAR PRESENTATIONOPEN SOURCE SEMINAR PRESENTATION
OPEN SOURCE SEMINAR PRESENTATION
 
Open Source Software: The Governance Makes the Difference
Open Source Software: The Governance Makes the DifferenceOpen Source Software: The Governance Makes the Difference
Open Source Software: The Governance Makes the Difference
 
Introduction To Open Source Licenses
Introduction To Open Source LicensesIntroduction To Open Source Licenses
Introduction To Open Source Licenses
 
2016 Future of Open Source Survey Results
2016 Future of Open Source Survey Results2016 Future of Open Source Survey Results
2016 Future of Open Source Survey Results
 
Why I Don't Use The GPL
Why I Don't Use The GPLWhy I Don't Use The GPL
Why I Don't Use The GPL
 

More from iasaglobal

Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0iasaglobal
 
Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0iasaglobal
 
Adam boczek 2013 bitkom software summit agile architecture v1.3
Adam boczek 2013 bitkom software summit agile architecture v1.3Adam boczek 2013 bitkom software summit agile architecture v1.3
Adam boczek 2013 bitkom software summit agile architecture v1.3iasaglobal
 
Essentials of enterprise architecture tools
Essentials of enterprise architecture toolsEssentials of enterprise architecture tools
Essentials of enterprise architecture toolsiasaglobal
 
Understanding business strategy cutting edge paradigm
Understanding business strategy cutting edge paradigmUnderstanding business strategy cutting edge paradigm
Understanding business strategy cutting edge paradigmiasaglobal
 
Information and data relevance to business
Information and data relevance to businessInformation and data relevance to business
Information and data relevance to businessiasaglobal
 
Case study value of it strategy in hi tech industry
Case study value of it strategy in hi tech industryCase study value of it strategy in hi tech industry
Case study value of it strategy in hi tech industryiasaglobal
 
Max Poliashenko - Enterprise Product Architecture
Max Poliashenko - Enterprise Product ArchitectureMax Poliashenko - Enterprise Product Architecture
Max Poliashenko - Enterprise Product Architectureiasaglobal
 
Michael Gonzalez - Do The Sum of The Parts Equal the Whole
Michael Gonzalez - Do The Sum of The Parts Equal the WholeMichael Gonzalez - Do The Sum of The Parts Equal the Whole
Michael Gonzalez - Do The Sum of The Parts Equal the Wholeiasaglobal
 
Michael Jay Freer - Information Obfuscation
Michael Jay Freer - Information ObfuscationMichael Jay Freer - Information Obfuscation
Michael Jay Freer - Information Obfuscationiasaglobal
 
Creating Enterprise Value from Business Architecture
Creating Enterprise Value from Business ArchitectureCreating Enterprise Value from Business Architecture
Creating Enterprise Value from Business Architectureiasaglobal
 
Scott Whitmire - Just What is Architecture Anyway
Scott Whitmire - Just What is Architecture AnywayScott Whitmire - Just What is Architecture Anyway
Scott Whitmire - Just What is Architecture Anywayiasaglobal
 
Board of Education Vision 2013-2014
Board of Education Vision 2013-2014Board of Education Vision 2013-2014
Board of Education Vision 2013-2014iasaglobal
 
Sean Kenney - Solving Parallel Software Challenges with Patterns
Sean Kenney - Solving Parallel Software Challenges with PatternsSean Kenney - Solving Parallel Software Challenges with Patterns
Sean Kenney - Solving Parallel Software Challenges with Patternsiasaglobal
 
Sheila Jeffrey - Well Behaved Data - It's a Matter of Principles
Sheila Jeffrey - Well Behaved Data - It's a Matter of PrinciplesSheila Jeffrey - Well Behaved Data - It's a Matter of Principles
Sheila Jeffrey - Well Behaved Data - It's a Matter of Principlesiasaglobal
 
Stephen Cohen - The Impact of Ethics on the Architect
Stephen Cohen - The Impact of Ethics on the ArchitectStephen Cohen - The Impact of Ethics on the Architect
Stephen Cohen - The Impact of Ethics on the Architectiasaglobal
 
William Martinez - Evolution Game
William Martinez - Evolution GameWilliam Martinez - Evolution Game
William Martinez - Evolution Gameiasaglobal
 
Paul Preiss - Enterprise Architecture in Transformation
Paul Preiss - Enterprise Architecture in TransformationPaul Preiss - Enterprise Architecture in Transformation
Paul Preiss - Enterprise Architecture in Transformationiasaglobal
 
Nina Grantcharova - Approach to Separation of Concerns via Design Patterns
Nina Grantcharova - Approach to Separation of Concerns via Design PatternsNina Grantcharova - Approach to Separation of Concerns via Design Patterns
Nina Grantcharova - Approach to Separation of Concerns via Design Patternsiasaglobal
 
Roger Sessions - The Snowman Architecture
Roger Sessions - The Snowman ArchitectureRoger Sessions - The Snowman Architecture
Roger Sessions - The Snowman Architectureiasaglobal
 

More from iasaglobal (20)

Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0
 
Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0Adam boczek 2015 agile architecture in 10 steps v1.0
Adam boczek 2015 agile architecture in 10 steps v1.0
 
Adam boczek 2013 bitkom software summit agile architecture v1.3
Adam boczek 2013 bitkom software summit agile architecture v1.3Adam boczek 2013 bitkom software summit agile architecture v1.3
Adam boczek 2013 bitkom software summit agile architecture v1.3
 
Essentials of enterprise architecture tools
Essentials of enterprise architecture toolsEssentials of enterprise architecture tools
Essentials of enterprise architecture tools
 
Understanding business strategy cutting edge paradigm
Understanding business strategy cutting edge paradigmUnderstanding business strategy cutting edge paradigm
Understanding business strategy cutting edge paradigm
 
Information and data relevance to business
Information and data relevance to businessInformation and data relevance to business
Information and data relevance to business
 
Case study value of it strategy in hi tech industry
Case study value of it strategy in hi tech industryCase study value of it strategy in hi tech industry
Case study value of it strategy in hi tech industry
 
Max Poliashenko - Enterprise Product Architecture
Max Poliashenko - Enterprise Product ArchitectureMax Poliashenko - Enterprise Product Architecture
Max Poliashenko - Enterprise Product Architecture
 
Michael Gonzalez - Do The Sum of The Parts Equal the Whole
Michael Gonzalez - Do The Sum of The Parts Equal the WholeMichael Gonzalez - Do The Sum of The Parts Equal the Whole
Michael Gonzalez - Do The Sum of The Parts Equal the Whole
 
Michael Jay Freer - Information Obfuscation
Michael Jay Freer - Information ObfuscationMichael Jay Freer - Information Obfuscation
Michael Jay Freer - Information Obfuscation
 
Creating Enterprise Value from Business Architecture
Creating Enterprise Value from Business ArchitectureCreating Enterprise Value from Business Architecture
Creating Enterprise Value from Business Architecture
 
Scott Whitmire - Just What is Architecture Anyway
Scott Whitmire - Just What is Architecture AnywayScott Whitmire - Just What is Architecture Anyway
Scott Whitmire - Just What is Architecture Anyway
 
Board of Education Vision 2013-2014
Board of Education Vision 2013-2014Board of Education Vision 2013-2014
Board of Education Vision 2013-2014
 
Sean Kenney - Solving Parallel Software Challenges with Patterns
Sean Kenney - Solving Parallel Software Challenges with PatternsSean Kenney - Solving Parallel Software Challenges with Patterns
Sean Kenney - Solving Parallel Software Challenges with Patterns
 
Sheila Jeffrey - Well Behaved Data - It's a Matter of Principles
Sheila Jeffrey - Well Behaved Data - It's a Matter of PrinciplesSheila Jeffrey - Well Behaved Data - It's a Matter of Principles
Sheila Jeffrey - Well Behaved Data - It's a Matter of Principles
 
Stephen Cohen - The Impact of Ethics on the Architect
Stephen Cohen - The Impact of Ethics on the ArchitectStephen Cohen - The Impact of Ethics on the Architect
Stephen Cohen - The Impact of Ethics on the Architect
 
William Martinez - Evolution Game
William Martinez - Evolution GameWilliam Martinez - Evolution Game
William Martinez - Evolution Game
 
Paul Preiss - Enterprise Architecture in Transformation
Paul Preiss - Enterprise Architecture in TransformationPaul Preiss - Enterprise Architecture in Transformation
Paul Preiss - Enterprise Architecture in Transformation
 
Nina Grantcharova - Approach to Separation of Concerns via Design Patterns
Nina Grantcharova - Approach to Separation of Concerns via Design PatternsNina Grantcharova - Approach to Separation of Concerns via Design Patterns
Nina Grantcharova - Approach to Separation of Concerns via Design Patterns
 
Roger Sessions - The Snowman Architecture
Roger Sessions - The Snowman ArchitectureRoger Sessions - The Snowman Architecture
Roger Sessions - The Snowman Architecture
 

Introduction to Open Source Governance and Compliance

  • 1. INTRODUCTION TO OPEN SOURCE GOVERNANCE AND COMPLIANCE GUIDE BOOK © 2012 Black Duck®, Know Your Code®, Ohloh®, SpikeSource®, Spike® and the Black Duck logo are registered trademarks of Black Duck Software, Inc. in the United States and/or other jurisdictions. Koders™ is a trademark of Black Duck Software, Inc. All other trademarks are the property of their respective holders. All Rights Reserved.
  • 2. Why open source? Open source software (OSS) is pervasive in today’s software lifecycle and supply chain. Gartner estimates that by 2016, open source will be included in mission-critical software packages in 99 percent of global enterprises. Open source is used to build applications, products and services and offers hundreds of thousands of freely downloadable code components that can be leveraged to speed development and slash budgets by thousands, or even millions, of dollars. While cloud computing, mobile and distributed development trends are ramping up the intensity and pace of application development, development managers are under even more pressure to improve time to solution with fewer resources and under tighter budget restrictions. For mobile application development in particular, the benefits of OSS are extremely practical. For example, financial services firms face tremendous pressure to quickly deploy high-quality mobile applications, and OSS components are already proven in the mobile world. According to Eric Newcomer, former Chief Architect of Credit Suisse, “Banks worldwide are seeing universal interest in online interactions by customers via mobile devices, and it doesn’t take a lot of research to discover that most of the components used in mobile applications are open source.” Open source is the most practical and logical way of leveraging IT resources to respond to the emerging industry trends that are driving the accelerated development of mobile applications. The fastest growing and most agile companies are built on open source, from Facebook with 800+ million users and Twitter with 500+ million users to Amazon, YouTube and Google. Apple, the most valuable company in the world, built its iPhone, iPad and MacBook products with open source. The benefits are clear: the industry-standard cost per line of code (LoC) ranges from $10 to $20 and the average component used by a Global 2000 organization contains 50,000 LoC per component. 
Therefore, the use of OSS could save from $500K to $1M per project. 2 Growing popularity of open source in the enterprise
  • 3. 3 Open Source in the Code Base IDC recently reported that IT organizations have about 30 percent open source in their deployed code base. In Black Duck’s experience, our “best-in-class” customers use up to, and even over, 80 percent open source. These development organizations are taking advantage of code that already exists, not reinventing the wheel, and are producing more while coding less. Open source communities have demonstrated heightened levels of innovation and speed, and IT organizations are taking notice. The use of OSS methods and technologies combined with community best practices for development has become a strategic imperative for accelerating software development, controlling IT costs and remaining competitive. Established IT organizations are at risk of being outpaced by this new approach unless they consider proactively using OSS components and development methodologies as part of their business strategy. Given the increasing need to swiftly deploy high-quality products and applications, many IT executives believe that the adoption of OSS is inevitable because of its price and performance advantages. However, the benefits of OSS are fully realized only when its use is accompanied by an automated governance program that provides developers with control and visibility.
  • 4. 4 Why are governance and compliance essential? OSS empowers developers to increase innovation, efficiency and competitiveness, but as open source becomes more and more pervasive, the need for a governance and compliance solutions increases exponentially. Gartner predicts that by 2014, “50 percent of organizations will experience technology, cost and security challenges due to a lack of open source governance,” and through 2015, “less than 50 percent of IT organizations will have effective open source governance programs in place.” Poor OSS governance can create quality, security and business challenges, putting an organization’s software assets and intellectual property (IP) at risk. The key to avoiding the consequences of improperly using open source components is to develop policies and procedures based on best practices while automating the management of OSS component use. Business and IT leaders need to understand the obligations associated with OSS licenses and foster the development of cross-departmental policies that will prevent the organization from violating software license obligations. Many IT executives, enterprise architects and development managers have gained control over open source component use by automating the governance and compliance process as an integral part of their application development cycle. And they’ve done so without slowing the development process or adding overhead to the development team. Legal Obligations “Free code” does not mean “free of obligations,” and open source brings with it unique and sometimes complex legal requirements. Once a mere matter of proper attribution between developers and businesses, open source license disputes can ultimately threaten the reputation of a brand now that these issues have moved into the realm of the courts. 
Improperly managed open source code can result in bad publicity, copyright infringement and even stop shipment orders, damaging company reputations and immediately impacting product revenue streams.
  • 5. How do you get started? A prudent first step towards managing OSS is to understand how much you have and where it’s used. Thanks to advances in technology, you can now acquire software that will automatically scan and audit a code base. It’s important to note that audits should not be a one-time event; it’s wise to audit code on an on-going basis to ensure long-term compliance as part of a continuous integration process with both the company’s risk management policies as well as external license obligations. Next, you should establish and implement a governance program that encompasses all third-party code, whether from a commercial vendor, an OSS project or an outsourced supplier. The diagram below illustrates a management maturity model showing five levels of open source adoption. Organizations with mature processes and policies don’t worry about compliance; compliance is built-in. They can instead focus on leveraging open source for strategic advantage and maximizing its value. 5 Stages of OS Adoption
An effective governance program has four main elements:

Organizational leaders should develop governance strategies focusing on the specific issues related to the acquisition, use and management of OSS that ultimately align with their growth goals, business objectives and internal policies. They need to establish policies that serve as the rules for evaluating, approving, using, reusing and releasing open source code, as well as for participating in open source communities. These policies should encourage developers to leverage the benefits of open source, and they should be created and managed by key stakeholders.
Case Study: SITA Builds Path to Success with Open Source Software Strategy

SITA, the world's leading specialist in air transport communications and IT solutions, delivers business solutions for airline, airport and government customers over the world's most extensive network. As the backbone of the global air transport industry, SITA is constantly searching for new ways to improve development processes and enhance innovative capabilities.

Questions

How much OSS is currently part of our code base?
How can we maximize and streamline our OSS use?
What are the licensing details of each OSS component?

Governance Objectives

Enable greater use of OSS across the organization to improve software development efficiency and quality.
Ensure compliance with OSS licenses and distribution requirements.

Results

SITA's open source governance program plays a fundamental role in the ongoing development of the Horizon project, allowing SITA's development teams to search, discover and use pre-approved OSS and components within this ground-breaking reservation system. SITA's Horizon program has already captured headlines as a major innovation ushering in the next generation of passenger management systems for the airline industry.

"We couldn't have designed and implemented our current open source governance program without the Black Duck® Suite, and the benefits are immediately apparent. Now that we can constantly scan and establish a clean bill of materials across all projects with our automated governance program, we can combine the best of proprietary and open source software components to bring ground-breaking and innovative solutions like Horizon to market better, faster and more cost-effectively than ever before."
– Patrick Holden, Senior Programme Manager, Software Development, SITA

Image: SITA Horizon – The NextGen Passenger Management System that connects airlines with their customers
In Conclusion

By using OSS strategically, you can gain significant management control with processes and technology while simultaneously helping your organization benefit from accelerated time-to-solution and cost advantages. In order to maximize the benefits of integrating open source components into your code base, it's critical to implement a comprehensive, automated approach to governance and compliance that integrates across the application development lifecycle.

A proactive strategy is the best approach, and the Black Duck team works with customers at all levels of adoption to ensure open source success. The Black Duck® Suite provides a comprehensive set of governance and compliance automation tools that enable development organizations to maximize the power of open source technologies and methods. Black Duck Consulting offers a quick and easy way to learn about industry best practices and assess organizational readiness and governance maturity. The easy-to-use, complimentary Open Source Management Assessment (OSMA) begins with a self-guided survey and includes a phone consultation. The assessment is designed to help clients accelerate the implementation of a governance program. Visit www.blackducksoftware.com/OSMA to complete a free OSMA today and quickly benchmark your organization's use of OSS.

About Black Duck

Offering award-winning software and consulting, Black Duck is the partner of choice for open source software adoption, governance and management. Enterprises of every size depend on Black Duck to harness the power of open source technologies and methods. As part of the greater OSS community, Black Duck connects developers to comprehensive OSS resources through Ohloh.net, and to the latest commentary from industry experts through the Open Source Delivers blog. Black Duck also hosts the Open Source Think Tank, an international event where thought leaders collaborate on the future of open source.

Black Duck is headquartered near Boston and has offices in San Mateo, St. Louis, London, Paris, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information about how to leverage open source to deliver faster innovation, greater creativity and improved efficiency, visit www.blackducksoftware.com and follow us at @black_duck_sw.

Contact

To learn more, please contact: sales@blackducksoftware.com or 1.781.891.5100
Additional information is available at: www.blackducksoftware.com

GD-INTRO_OSGC-UL-1013