Open Source Software: What Are Your Obligations?
1. Open Source Software: What Are Your Obligations?
Protecode Inc. 2015
Thursday, April 23rd, 2015
2. Agenda
Open Source Software
– What is Open Source?
– Licence and copyrights overview
– Case studies
Open Source Software Management
– Controlling the adoption of Open Source – Are we using it?
– Open Source attributes. Where are they?
– Software package – preapproval
– Composite projects
– Options – Manual versus automated
Wrap up and Q/A
Martin Callinan, Director, Source Code Control
Andrew Katz, Managing Partner/Chief Executive, Moorcrofts LLP
3. Open Source Everywhere
These companies have dedicated OSS Teams
“Every Company Is a Software Company” – CEO Mendix
4. Linux dominates every sector of computing (except desktop)
http://www.zdnet.com/article/20-great-years-of-linux-and-supercomputers/
5. By 2016, the vast majority of mainstream IT organisations will use open source in mission-critical solutions.
https://www.gartner.com/doc/2822619
6. • 44% of all code created in the world is OSS and increasing
• 80% of newly deployed code is open source
• 31% of OSX is OSS, 75% of Android.
• Stats demonstrate OSS more innovative than proprietary
• 36% lower defects in OSS than comparable proprietary code
http://transfersummit.com/sites/default/files/materials/rgardler/ts11daffara-notes.pdf
http://www.openforumacademy.org/library/ofa-fellows-reference-library/ofe-fellows-reference-library/Hosted%20Files/first-conference-proceedingsA4.pdf
11. • There are hundreds of different types of licence.
• They range from very simple to more complex.
• Many licences are easy to comply with.
• Some licences are subject to “copyleft”.
12. Easy compliance
• ‘Permissive’ or ‘Academic’ licences
• You can do what you want, including building the code into proprietary products.
• Compliance usually limited to incorporating disclaimers and attributions if you distribute.
• Examples: BSD, Apache
13. Difficult compliance
• ‘Reciprocal’, ‘Copyleft’, ‘Sharealike’
• If you distribute the program (as-is, or modified), you must do so under the same terms.
• You can’t incorporate it into proprietary code.
• If you breach, you’re in breach of copyright.
• e.g. GPL, Mozilla, Microsoft Public License
14. Distribution?
Copyleft licences are only relevant on distribution. But distribution may mean many things:
• Supply to customers
• Transfer to companies within the same group
• Transfer to outsourcing provider
• Use of software over a network (SaaS) (AGPL, OSL)
20. Financial Services
• Compliance driven by regulator
• Pensions providers required to do due diligence on their service providers to assess risk of software failure
• Our client required to undertake an annual audit of code used to provide solutions to pensions providers
21. M&A Transactions
• Open source due diligence now routine in M&A transactions
• Purchaser/investor will want comfort that the codebase is clean, and that appropriate procedures are in place
22. Heartbleed
• OpenSSL deployed by hundreds of thousands of end-user companies for encryption in web apps and elsewhere
• Trillions of dollars of transactions depend on it
• Critical bug found
• Companies had to answer to shareholders and regulators
23. Mitigating risk
• Ensure deep knowledge of your codebase
• Employ appropriate practices and procedures to ensure code cleanliness
• Document provenance
• Test practices and procedures: auditing
24. Open Source Software Management
Martin Callinan – Source Code Control Limited
25. OSS in Organisations
Shall we use OSS or do we know if we use OSS already?
– Risk assessment
• Risk of being involved vs risk of not being involved
– Consideration -> Adoption -> Integral part of business
The most common factors affecting use of OSS in software projects
– Concerns regarding intellectual property / licensing
– Concerns regarding the security of the software
– Service & support
– Product capabilities/maturity
– Difficulty of adoption / integration
– Software quality – end user satisfaction
– Software enhancements – innovation over time
– Viability of the open source community
26. Licensing Challenges of OSS
Produced by large number of developers over time
– Bazaar model: policy of fast and frequent releases, release candidates, possibility of governance impairments
Questionable due diligence efforts of committers
– Re-licensing efforts may not have been correctly handled
Code may:
– Contain nested packages with their own set of issues
– Contain code from books or community websites
– Implement patents
– Implement specifications that are subject to a license
– Contain code generated by a tool where the output could be a derivative of input
– Contain or implement APIs that may have their own obligations
27. Compliance is not always clear
Open Source projects use open source projects
Composite projects may have multiple licenses
– Project license
• A top level license, or top level document listing applicable licenses
• Look for website information, LICENSE, COPYING, or README files
– Subfolder licenses
• Indicate sub-level OSS projects
• Not always present
– File licenses
– Exceptions: subfolder holding binaries or libraries
• Generally do not have a license document
• You are on your own to determine the binary or library licenses
– Automated code scanning tools should resolve these cases
28. License Compatibility
Licenses with unacceptable terms
Licenses with conflicting terms
– Not all licenses are compatible
– Example: GPL (and its varieties) are incompatible with most other licenses (see https://www.gnu.org/licenses/license-list.html for a detailed list)
29. Establishing A Baseline
Objective: Identify all 3rd party content and identify licensing attributes
Tasks:
– Inspect all source code and build ingredients to create Bill of Materials (BoM).
– Key files:
• Text files containing license text
• Text files that may make reference to licenses
• Any other documentation
– Determine the distribution method
• Source? Binary? Deployment?
– Assess the fit with the policy
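As an added example (not from the deck, and not the code of any tool it names), the following Python script performs a toy version of the baseline and composite-project checks described in slides 27 to 29: it walks a constructed sample tree, reads project and subfolder licence documents (LICENSE, COPYING, README), collects SPDX-License-Identifier tags from individual files as hidden licences, flags a library folder that carries no licence document, and applies a simple policy check for unacceptable licences and GPL-family components inside a non-GPL project. The sample tree, the fingerprint table and the policy are constructed assumptions; a real scanner relies on a signature database and legal review.

```python
import re
from pathlib import PurePosixPath
# Constructed sample tree (path -> text, None for a binary); not a real project.
SAMPLE_TREE = {
    "LICENSE": "Apache License\nVersion 2.0, January 2004",
    "src/main.c": "// SPDX-License-Identifier: Apache-2.0\nint main(void) { return 0; }",
    "third_party/foo/COPYING": "GNU GENERAL PUBLIC LICENSE\nVersion 2, June 1991",
    "third_party/foo/foo.c": "/* SPDX-License-Identifier: GPL-2.0-only */",
    "third_party/bar/bar.py": "# SPDX-License-Identifier: MIT\nprint('hi')",
    "lib/vendor.so": None,
}
LICENSE_DOCS, BINARY_SUFFIXES = {"LICENSE", "COPYING", "README"}, {".so", ".a", ".dll", ".jar"}
# Tiny licence-text fingerprints -> SPDX id; a real scanner uses a signature database.
FINGERPRINTS = [(r"Apache License\s+Version 2\.0", "Apache-2.0"), (r"\bMIT License\b", "MIT"),
                (r"GNU GENERAL PUBLIC LICENSE\s+Version 2", "GPL-2.0-only")]
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")

def identify(text):
    """Map licence-document text to an SPDX id, or None if unrecognised."""
    return next((spdx for pat, spdx in FINGERPRINTS if re.search(pat, text)), None)

def build_bom(tree):
    """Group files by nearest licence-bearing directory; record declared, hidden, flags."""
    declared = {str(PurePosixPath(p).parent): identify(t) for p, t in tree.items()
                if PurePosixPath(p).name in LICENSE_DOCS and t is not None}
    bom = {}
    for path, text in tree.items():
        p = PurePosixPath(path)
        if p.name in LICENSE_DOCS:
            continue
        is_binary = text is None or p.suffix in BINARY_SUFFIXES
        comp = str(p.parent) if is_binary else next(  # binaries form their own component
            (str(a) for a in [p.parent, *p.parent.parents] if str(a) in declared), ".")
        entry = bom.setdefault(comp, {"declared": declared.get(comp), "hidden": set(), "flags": set()})
        if is_binary and entry["declared"] is None:
            entry["flags"].add("binary/library without licence document")
        elif not is_binary:  # SPDX tags that disagree with the declared licence are "hidden"
            entry["hidden"].update(t for t in SPDX_TAG.findall(text) if t != entry["declared"])
    return bom

def assess(bom, unacceptable=frozenset()):
    """Policy check: unacceptable licences, and GPL-family parts in a non-GPL project."""
    project = bom.get(".", {}).get("declared") or "unlicensed"
    for comp, entry in bom.items():
        for lic in {entry["declared"], *entry["hidden"]} - {None}:
            if lic in unacceptable:
                entry["flags"].add(f"unacceptable licence {lic}")
            if lic.startswith("GPL-") and comp != "." and not project.startswith("GPL-"):
                entry["flags"].add(f"{lic} component in {project} project: check compatibility")
    return bom
```

Running `assess(build_bom(SAMPLE_TREE), {"AGPL-3.0-only"})` yields an Apache-2.0 project with a hidden MIT file, a GPL-2.0-only subfolder flagged for compatibility review, and an unlicensed `lib` folder flagged as a binary without a licence document.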
30. Package Pre-Approval
Evaluate OSS before it is used
Workflow Process
– Request/Assess/Approve-Reject
Information required for pre-approval
– Project & Package Information
• Project name, URL, license, author(s), type, exportability, etc.
– Usage Model
• Distribution model
– (binary, source, hosted, internal only, etc.)
• Types of derivatives
– (Modified? Linked? Loosely coupled?)
• Organization specific information
– Business unit
– Business justification
• Maintenance and support
31. Automated OSS Management Tools
Commercial tools are available for building and managing a code Inventory
– Establish Policies, Pre-Approve packages, Establish a baseline
– Scripted Bulk Analysis, Library Analysis, Build Analysis
– Developer Assistant real-time desktop analysis
Complete scanning solution
– Detect third party projects, files or snippets within a portfolio
– Create a Bill of Materials (BoM) of all components
– Report on licenses, copyrights, security vulnerabilities, export control obligations, encryption content
– Detect, interpret and create Software Package Data Exchange (SPDX) files
– Report on license obligations and license compatibilities
– Concatenate licenses and notices for distribution with a product
– Integrate within a development lifecycle using powerful APIs
Accurate and up to date information
– Driven by a reference Global IP Signatures (GIPS) database
– Updated and synchronized with National Vulnerability Database 24x7
32. Wrap Up
If you do not use Open Source software, you will be left out
– Managed adoption of Open Source software is the way to go
Compliance requires
– Knowledge of what OSS packages are used
• Creating and maintaining a software Bill of Materials
– Access to OSS package, its licenses, description and notes
– Scanning of the package, determination of its composite nature, declared and hidden licenses
– Ensuring the terms of the sublicenses are compatible and acceptable.
– Removing any component that is not needed
Prevention works better than correction
– Package pre-approval, due diligence during development, and at build time
Managing Open Source content requires automated tools
– Manual methods are expensive, inaccurate and take too long
34. About Moorcrofts
Firm-wide focus on corporate, tech and HR law
Tech expertise across the board, such as:
– Open source licensing
– Software and Hardware agreements
– IPR protection
– Data security
Work in a range of industries from start-ups through to AIM-listed businesses, including:
– Lifescience, Biotech and Pharma
– IT
– Financial
– New Media
For more information, contact Andrew Katz +44 1628 470003; andrew.katz@moorcrofts.com
35. About Source Code Control Limited
• Ease the adoption of Open Source Software
• Software source code audits
  • Legal risk/licence compliance
  • Security vulnerabilities
  • Operational risk
• Enable greater use of OSS across the organisation
  • Quality code
  • Secure code
  • Compliant code
• DevOps services
36. About Protecode
Global Supplier of software compliance and security vulnerability management solutions
Reduce IP uncertainties, manage security vulnerabilities and ensure compliance
Complete Set of Solutions for Managed Adoption of Open Source
37. Next Steps
• Book an individual discussion: source@sourcecodecontol.co
  • Managing existing OSS projects
  • Planning for future OSS adoption
  • Code reviews
• Useful resources
  • Open Source Initiative: http://opensource.org/
  • Free Software Foundation: http://www.fsf.org/
  • BCS Open Source Specialist Group: http://ossg.bcs.org/
  • For more information about Source Code Control Limited: http://www.sourcecodecontrol.co
  • For more information about Moorcrofts: http://www.moorcrofts.com/
  • Whitepapers, case studies and educational videos from Protecode: http://www.protecode.com/resources/