Open Source Compliance: the Challenge of Managing Abundance

Open Source Compliance: The Challenge of Managing Abundance

Peter Vescuso Black Duck Software Open Source Compliance: The Challenge of Managing Abundance

Agenda The “abundance” The Challenges Meeting the Challenges: Best Practices Case Studies Summary

Copyright © 2008 Black Duck Software, Inc. All Rights Reserved. The “Abundance” of Open Source Open source projects: – 220,000+ OSS projects – Tens of billions of lines of code From a recently completed study of commercial developer projects: – 22% of typical application/project is open source Avg project size: ~ 700MB of code Cost to develop the OSS used: ~$26M Dozens to hundreds of components

– Sampled hundreds of commercial projects Millions of files Hundreds of GB of code

Rank License 1 GNU General Public License (GPL) 2.0 2 GNU Lesser General Public License (LGPL) 2.1 3 Artistic License (Perl) • Top 10 licenses account 4 BSD License 2.0 5 GNU General Public License (GPL) 3.0 or 93% of OSS projects 6 Apache License 2.0 7 MIT License • Top 20 licenses account 8 Code Project Open 1.02 License for 97% 9 Microsoft Public License (Ms-PL) 10 Mozilla Public License (MPL) 1.1 • Rank by # of OSS 11 Common Public License (CPL) projects using the 12 zlib/libpng License 13 Eclipse Public License (EPL) license 14 GNU Lesser General Public License (LGPL) 3.0 15 Academic Free License 16 Open Software License (OSL) 17 Common Development and Distribution License (CDDL) 18 Mozilla Public License (MPL) 1.0 19 PHP License Version 3.0 20 Ruby License

Source: Black Duck Software Note: The table above illustrates the top 20 licenses that are used in open source projects, according to the Black Duck Software KnowledgeBase. This data is updated daily. See: //www.blackducksoftware.com/oss/licenses#top20

All Projects Trailing 12- Trailing 12- Rank Language - Share Month Share Month (%) (%) Gain/Loss (%) 1C 40.9 40.5 -0.41 • 80% of open source is C, 2C++ 14.0 13.7 -0.25 C++, Java, Shell and 3 Java 10.9 9.8 -1.06 JavaScript 4 Shell 8.8 6.8 -2.06 5 Javascript 5.6 7.3 1.75 • Of the top 5, only 6PHP 4.9 5.0 0.11 JavaScript is gaining in 7Perl 3.2 2.4 -0.72 8Python 2.7 2.7 -0.08 share – up almost 2 points 9SQL 1.6 2.6 1.03 • Overall static languages 10 Assembler 1.2 1.0 -0.27 losing share to dynamic 11 C# 1.2 1.3 0.04 12 Pascal 0.9 0.6 -0.24 languages 13 Ruby 0.8 0.9 0.12 14 Ada 0.4 0.4 0.01 15 TCL 0.4 0.2 -0.15

Source: Black Duck Software. Note: The table above illustrates the top languages used in open source projects. This data is updated daily. See: //www.blackducksoftware.com/oss/licenses#top20

Percent of All Type of Algorithm Algorithms Algorithm RSA 13% Asymmetric DSA* 9% Signature DES 9% Symmetric •“A Guide to Encryption Export MD5* 8% Hash Compliance for Open Source” SHA* 8% Hash www.blackducksoftware.com/export Blowfish 6% Symmetric Diffie‐Hellman 6% Keyman HMAC* 5% Mac ElGamal 5% Asymmetric AES 5% Symmetric sub total 74% Other 26% Total 100% * used for encryption only • Open source projects are allowed to publish software containing encryption under license exception TSU.

Gartner estimates the impact of open source:

$37B in 2009 – Infrastructure Software: $30 billion – Application Software: $ 7 billion $77B by 2012: – Infrastructure software: $58 billion – Application software: $19 billion

Source: Gartner November 2008

“The fundamental economics of software development leads you to open-source software” –David Rivas, Nokia VP for S60 Software

Software development has changed forever – Community/global development – Componentization and re-use – Agile methods OSS has gone mainstream – 85% of enterprises use OSS today – 45% of OSS use is Running Mission-critical applications – 80% of OSS contributors are corporate developers – Microsoft OSS code repository (CodePlex) Large pool of proven, re-usable software

Copyright © 2008 Black Duck Software, Inc. All Rights Reserved. Making Abundance Manageable: What We’re Hearing Goals for reuse/standardization of up to 80%; build / fix / fit 20% Scale – ad hoc use of hundreds of OSS components has led to a management/tracking problem Increase agility, velocity of development Desire to take advantage of the benefits of open source but need to have oversight and control – Manual governance, compliance and approval processes are cumbersome/burdensome to developers, prone to error, often ignored ¾$7800/yr/component to manage OSS components (Source: Black Duck “The Business Case for Automating Open Source Code Management”)

Manual management methods are inadequate, prone to error…when open source usage proliferates – E.g., version proliferation raises complexity and likelihood of errors

When managed poorly, use of open source can introduce risks and challenges: – Legal exposure due to unmet license obligations – Security vulnerabilities – Unsupported open source – Version proliferation

Outsourced Code Development

Internally Developed Commercial Code 3rd-Party Code

Code Open Source Software Individuals Universities Corporate Developers

Obligations Software Application

YOUR COMPANY

Copyright © 2008 Black Duck Software, Inc. All Rights Reserved. Criteria for Making OSS Abundance Manageable 1. Enable Freedom of choice Choose the best code for the job: open, outsourced, proprietary 2. Support & automate making good selections Developer - Find the best code Dev Mgr – Standardization, Reuse, Innovation Cross-functional – Development, Legal, Security, CxO 3. Mitigate/eliminate the challenges Management and automation Compliance – 220,000+ projects using 1,800+ licenses Security 4. Integrate with existing development tools 5. Policy and process must be integrated & automated

Copyright © 2008 Black Duck Software, Inc. All Rights Reserved. 13 Open Source Program Elements 1. Published Policy Created via Cross Functional Team Organization is educated on the policy 2. Open Source Process Owner Keeps the wheels running OSS Policy Resource: FOSSbazaar Grant certain types of approvals 3. Approval Processes Component Review & Approval Sensitive to Use: internal/external/products License Review & Approval Release Plan Review & Approval 4. Monitoring & Tracking Process Component Verification Security Notifications Component Upgrade Notifications Application to contractors/outsource vendors 5. Validation Process Ensure using approved components… and… Meeting the license and business obligations CopyrightCurrent © 2008 Black Duck Software,reporting Inc. All Rights Reserved. for responsive due diligence request Sample Contents of A Concise Open Source Software Policy

Current offering (maturity) Features, frequency and number of releases, bug fixes

Project governance Leadership, structure, charter, goals, strategy

Community participation Number of participants, activity level, frequency of commits

Commercially friendly, viral, dual/ License strategy multi-license

Service, support, extensions, add-ons, Ecosystem training, consulting

Source: Jeff Hammond, Forrester Research, 2009

Landmark Graphics

Reliant Security

Insurance Company

Landmark Graphics supplies software to Oil and Gas industry across a broad variety of applications areas OSS Steward monitors policy compliance Prioritize standardization Restructured release process – Ongoing compliance monitoring – PM assumes responsibility for OSS – Remediate if/as violations are found

Contributes back to OSS community Result: Rapid adoption of the latest models and technologies, with accurate identification of OSS dependencies

Reliant sells PCI compliant in-store systems that include many OSS subsystems. Set a clear policy for OSS use Tuned acquisition policies – OSS first mandate – Prioritized “ilities”

Adjusted dev processes – OSS use identified at design – Developer on the hook for provenance

Result: Significant savings over commercial alternatives

Problem Solution Benefits Identify open source Automated Lowers risk of software in compliance legal issues commercial OEM s/w integrated with Automates manual (company had been build tools; process sued for distributing Automates internal code with GPL license) approval process Control OS use for internal development (compliance)

Easy access to information on open source projects to support development The new pragmatism: multi- source development using open & proprietary code Successful management requires education, policy, automation

Search for open source code to reuse – www.koders.com White Papers (ROI, Agile and OSS, Best Practices) – www.blackducksoftware.com/resources/whitepapers OSS Policy: FOSSbazaar – www.fossbazaar.org Best Practices for Open Source Adoption with Jeff Hammond, Forrester Research – //www.blackducksoftware.com/form/70160000000Hv06