Open Source Compliance: The Challenge of Managing Abundance
Peter Vescuso, Black Duck Software
Agenda
• The “abundance”
• The Challenges
• Meeting the Challenges: Best Practices
• Case Studies
• Summary
Copyright © 2008 Black Duck Software, Inc. All Rights Reserved.

The “Abundance” of Open Source
• Open source projects:
  – 220,000+ OSS projects
  – Tens of billions of lines of code
• From a recently completed study of commercial developer projects:
  – 22% of a typical application/project is open source
  – Avg project size: ~700MB of code
  – Cost to develop the OSS used: ~$26M
  – Dozens to hundreds of components
  – Sampled hundreds of commercial projects: millions of files, hundreds of GB of code
Top 20 Most Commonly Used Licenses in Open Source Projects

Rank  License
 1    GNU General Public License (GPL) 2.0
 2    GNU Lesser General Public License (LGPL) 2.1
 3    Artistic License (Perl)
 4    BSD License 2.0
 5    GNU General Public License (GPL) 3.0
 6    Apache License 2.0
 7    MIT License
 8    Code Project Open 1.02 License
 9    Microsoft Public License (Ms-PL)
10    Mozilla Public License (MPL) 1.1
11    Common Public License (CPL)
12    zlib/libpng License
13    Eclipse Public License (EPL)
14    GNU Lesser General Public License (LGPL) 3.0
15    Academic Free License
16    Open Software License (OSL)
17    Common Development and Distribution License (CDDL)
18    Mozilla Public License (MPL) 1.0
19    PHP License Version 3.0
20    Ruby License

• Top 10 licenses account for 93% of OSS projects
• Top 20 licenses account for 97%
• Rank by # of OSS projects using the license
Source: Black Duck Software Note: The table above illustrates the top 20 licenses that are used in open source projects, according to the Black Duck Software KnowledgeBase. This data is updated daily. See: //www.blackducksoftware.com/oss/licenses#top20
Top Programming Languages Used By Open Source Projects (share is calculated based on lines of code)

Rank  Language    All Projects Share (%)  Trailing 12-Month Share (%)  Trailing 12-Month Gain/Loss (%)
 1    C           40.9                    40.5                         -0.41
 2    C++         14.0                    13.7                         -0.25
 3    Java        10.9                     9.8                         -1.06
 4    Shell        8.8                     6.8                         -2.06
 5    JavaScript   5.6                     7.3                          1.75
 6    PHP          4.9                     5.0                          0.11
 7    Perl         3.2                     2.4                         -0.72
 8    Python       2.7                     2.7                         -0.08
 9    SQL          1.6                     2.6                          1.03
10    Assembler    1.2                     1.0                         -0.27
11    C#           1.2                     1.3                          0.04
12    Pascal       0.9                     0.6                         -0.24
13    Ruby         0.8                     0.9                          0.12
14    Ada          0.4                     0.4                          0.01
15    TCL          0.4                     0.2                         -0.15

• 80% of open source is C, C++, Java, Shell and JavaScript
• Of the top 5, only JavaScript is gaining in share – up almost 2 points
• Overall, static languages are losing share to dynamic languages
Source: Black Duck Software. Note: The table above illustrates the top languages used in open source projects. This data is updated daily. See: //www.blackducksoftware.com/oss/licenses#top20
Top 10 Encryption Algorithms Used in Open Source Projects

Algorithm        Percent of All Algorithms  Type of Algorithm
RSA              13%                        Asymmetric
DSA*              9%                        Signature
DES               9%                        Symmetric
MD5*              8%                        Hash
SHA*              8%                        Hash
Blowfish          6%                        Symmetric
Diffie-Hellman    6%                        Key management
HMAC*             5%                        MAC
ElGamal           5%                        Asymmetric
AES               5%                        Symmetric
Sub total        74%
Other            26%
Total           100%
* used for encryption only

• “A Guide to Encryption Export Compliance for Open Source”: www.blackducksoftware.com/export
• Open source projects are allowed to publish software containing encryption under license exception TSU.
See: //www.blackducksoftware.com/oss/projects#encryption

Potential of Open Source
Gartner estimates the impact of open source:
• $37B in 2009
  – Infrastructure software: $30 billion
  – Application software: $7 billion
• $77B by 2012
  – Infrastructure software: $58 billion
  – Application software: $19 billion
Source: Gartner November 2008
“The fundamental economics of software development leads you to open-source software” –David Rivas, Nokia VP for S60 Software
The Future of Software Development is Open
• Software development has changed forever
  – Community/global development
  – Componentization and re-use
  – Agile methods
• OSS has gone mainstream
  – 85% of enterprises use OSS today
  – 45% of OSS use is running mission-critical applications
  – 80% of OSS contributors are corporate developers
  – Microsoft OSS code repository (CodePlex)
• Large pool of proven, re-usable software
Making Abundance Manageable: What We’re Hearing
• Goals for reuse/standardization of up to 80%; build / fix / fit 20%
• Scale – ad hoc use of hundreds of OSS components has led to a management/tracking problem
• Increase agility and velocity of development
• Desire to take advantage of the benefits of open source, but need to have oversight and control
  – Manual governance, compliance and approval processes are cumbersome/burdensome to developers, prone to error, often ignored
  – $7800/yr/component to manage OSS components (Source: Black Duck, “The Business Case for Automating Open Source Code Management”)
Challenges of Using Open Source at Scale
• Manual management methods are inadequate and prone to error when open source usage proliferates
  – E.g., version proliferation raises complexity and the likelihood of errors
• When managed poorly, use of open source can introduce risks and challenges:
  – Legal exposure due to unmet license obligations
  – Security vulnerabilities
  – Unsupported open source
  – Version proliferation
Meeting the Challenges
The New Pragmatism: Multi-Source Development with Open Source

[Diagram: your company’s software application is assembled from internally developed code, outsourced code development, commercial 3rd-party code and open source software (contributed by individuals, universities and corporate developers); each code source brings its obligations into the application.]
Criteria for Making OSS Abundance Manageable
1. Enable freedom of choice
   – Choose the best code for the job: open, outsourced, proprietary
2. Support & automate making good selections
   – Developer: find the best code
   – Dev Mgr: standardization, reuse, innovation
   – Cross-functional: Development, Legal, Security, CxO
3. Mitigate/eliminate the challenges
   – Management and automation
   – Compliance: 220,000+ projects using 1,800+ licenses
   – Security
4. Integrate with existing development tools
5. Policy and process must be integrated & automated
Open Source Program Elements
1. Published Policy
   – Created via a cross-functional team
   – Organization is educated on the policy
   – OSS policy resource: FOSSbazaar
2. Open Source Process Owner
   – Keeps the wheels running
   – Grants certain types of approvals
3. Approval Processes
   – Component review & approval, sensitive to use: internal/external/products
   – License review & approval
   – Release plan review & approval
4. Monitoring & Tracking Process
   – Component verification
   – Security notifications
   – Component upgrade notifications
   – Application to contractors/outsource vendors
5. Validation Process
   – Ensure approved components are used… and… the license and business obligations are met
   – Current reporting for responsive due diligence requests

Sample Contents of a Concise Open Source Software Policy
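The approval, monitoring and validation elements above describe what an automated check at build time has to decide: is each component on the approved list at an approved version, is its license acceptable for the way the code will be used (internal, external or shipped product), and is a newer approved version waiting. The following is an added illustration written for this page, not Black Duck’s product or the presenter’s material; the license policy, the approved-component registry, the component inventory and the component name “acme-json” are all constructed assumptions.

```python
"""Added example: automated enforcement of an open source approval policy.

Illustration code written for this page, not Black Duck's product. The policy
table, the approved-component registry and the inventory are constructed
assumptions; a real program would read the inventory from the build output and
the policy from the organisation's published OSS policy document.
"""
from dataclasses import dataclass

# Policy keyed to the use context from the slide (internal / external / product).
# Distribution is what triggers most copyleft obligations, so the product
# context is the strictest. The placement of each license is an assumption.
LICENSE_POLICY = {
    "internal": {"approved": {"MIT", "BSD-2-Clause", "Apache-2.0", "LGPL-2.1", "GPL-2.0"},
                 "review": set(),
                 "denied": set()},
    "external": {"approved": {"MIT", "BSD-2-Clause", "Apache-2.0", "LGPL-2.1"},
                 "review": {"GPL-2.0"},
                 "denied": set()},
    "product":  {"approved": {"MIT", "BSD-2-Clause", "Apache-2.0"},
                 "review": {"LGPL-2.1", "MPL-1.1"},
                 "denied": {"GPL-2.0", "GPL-3.0"}},
}

# Approved-component registry maintained by the process owner (constructed):
# name -> (license on record, approved versions, newest approved version).
APPROVED_COMPONENTS = {
    "log4j":    ("Apache-2.0", {"1.2.15", "1.2.16"}, "1.2.16"),
    "readline": ("GPL-2.0",    {"5.2"},              "5.2"),
    "glib":     ("LGPL-2.1",   {"2.16.0"},           "2.16.0"),
}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str  # license declared in the build manifest


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    level: str    # "block": release cannot proceed; "review": needs a ticket; "notice"
    reason: str


def check_component(comp, use_context, policy=LICENSE_POLICY, registry=APPROVED_COMPONENTS):
    """Apply component review, verification, monitoring and license review to one component."""
    findings = []
    rules = policy[use_context]
    entry = registry.get(comp.name)

    if entry is None:
        # Component review: never approved at all.
        findings.append(Finding(comp.name, comp.version, "block",
                                "component has not been through component review"))
    else:
        license_on_record, versions, latest = entry
        if comp.version not in versions:
            findings.append(Finding(comp.name, comp.version, "block",
                                    f"version not approved (approved: {', '.join(sorted(versions))})"))
        # Component verification: the declared license must match the record.
        if comp.license != license_on_record:
            findings.append(Finding(comp.name, comp.version, "review",
                                    f"declared license {comp.license} differs from record ({license_on_record})"))
        # Monitoring: upgrade notification when a newer approved version exists.
        if comp.version in versions and comp.version != latest:
            findings.append(Finding(comp.name, comp.version, "notice",
                                    f"newer approved version {latest} is available"))

    # License review: is this license allowed for how the code will be used?
    if comp.license in rules["denied"]:
        findings.append(Finding(comp.name, comp.version, "block",
                                f"license {comp.license} is not allowed for {use_context} use"))
    elif comp.license in rules["review"]:
        findings.append(Finding(comp.name, comp.version, "review",
                                f"license {comp.license} requires legal review for {use_context} use"))
    elif comp.license not in rules["approved"]:
        findings.append(Finding(comp.name, comp.version, "review",
                                f"license {comp.license} is not classified in the {use_context} policy"))
    return findings


def validate_inventory(inventory, use_context):
    """Return (release_ok, findings): release_ok is False if any finding blocks."""
    findings = [f for comp in inventory for f in check_component(comp, use_context)]
    return not any(f.level == "block" for f in findings), findings


# Constructed inventory as a build tool might report it ("acme-json" is hypothetical).
INVENTORY = (
    Component("log4j", "1.2.15", "Apache-2.0"),
    Component("readline", "5.2", "GPL-2.0"),
    Component("glib", "2.16.0", "LGPL-2.1"),
    Component("acme-json", "0.1", "MIT"),
)

if __name__ == "__main__":
    for context in ("internal", "product"):
        ok, findings = validate_inventory(INVENTORY, context)
        print(f"[{context}] release {'OK' if ok else 'BLOCKED'}")
        for f in findings:
            print(f"  {f.level:6} {f.component} {f.version}: {f.reason}")
```

Run against the constructed inventory, the same four components pass the internal policy except for the unreviewed “acme-json”, while the product policy additionally blocks the GPL-2.0 component and sends the LGPL-2.1 one to review; this is the “sensitive to use” distinction the approval process calls for, and the upgrade notice on log4j is what the monitoring element reports.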
Evaluating OSS Projects

Criterion                    What to look at
Current offering (maturity)  Features, frequency and number of releases, bug fixes
Project governance           Leadership, structure, charter, goals, strategy
Community participation      Number of participants, activity level, frequency of commits
License strategy             Commercially friendly, viral, dual/multi-license
Ecosystem                    Service, support, extensions, add-ons, training, consulting
Source: Jeff Hammond, Forrester Research, 2009
Case Studies
• Landmark Graphics
• Reliant Security
• Insurance Company
Case Study: Landmark Graphics
• Landmark Graphics supplies software to the oil and gas industry across a broad variety of application areas
• OSS steward monitors policy compliance
• Prioritize standardization
• Restructured release process
  – Ongoing compliance monitoring
  – PM assumes responsibility for OSS
  – Remediate if/as violations are found
• Contributes back to the OSS community
Result: Rapid adoption of the latest models and technologies, with accurate identification of OSS dependencies
Case Study: Reliant Security
• Reliant sells PCI-compliant in-store systems that include many OSS subsystems.
• Set a clear policy for OSS use
• Tuned acquisition policies
  – OSS-first mandate
  – Prioritized “ilities”
• Adjusted dev processes
  – OSS use identified at design
  – Developer on the hook for provenance
Result: Significant savings over commercial alternatives
Case Study: Fortune 100 Insurance Company

Problem
• Identify open source software in commercial OEM s/w (company had been sued for distributing code with GPL license)
• Control OS use for internal development (compliance)

Solution
• Automated compliance integrated with build tools
• Automates internal approval process

Benefits
• Lowers risk of legal issues
• Automates manual process
Summary – Making Abundance Manageable
• Easy access to information on open source projects to support development
• The new pragmatism: multi-source development using open & proprietary code
• Successful management requires education, policy, automation
Resources
• Search for open source code to reuse – www.koders.com
• White Papers (ROI, Agile and OSS, Best Practices) – www.blackducksoftware.com/resources/whitepapers
• OSS Policy: FOSSbazaar – www.fossbazaar.org
• Best Practices for Open Source Adoption with Jeff Hammond, Forrester Research – //www.blackducksoftware.com/form/70160000000Hv06