Open Source Compliance Today: From Risk Mitigation to Competitive Advantage

Tim Yeaton, Black Duck

Open Compliance Summit 2013

© Black Duck 2013

Document transcript, posted 15-Oct-2020

TRANSCRIPT

Page 1 (title slide, as above)

Page 2

Agenda

• Open Source Industry Trends

• Benefits

• Compliance Challenges

• Best Practices

• Summary

Page 3

Global Open Source Industry Trends

Page 4

Open Source at the Tipping Point

• From low cost alternatives to new innovation
• Improving software quality
• Driving faster innovation cycles
• Accelerating FOSS adoption in new industries

Fueling trends beyond just FOSS code:
• Changing the Competitive Model: “Super-Communities”
• Internal Social Coding: “Inner-Sourcing”
• Automating Software Supply Chains

Page 5

Why is FOSS Important?


Page 6

Changing how Software is Built – Leveraging Communities: Deutsche Bank Example

• FOSS innovation cycles causing a re-think of IT software development
• Despite a 22,000 IT payroll (8,000 employees, 14,000 contractors), Deutsche Bank doesn’t have all necessary skills
• IT strategy is evolving from building software and solutions to building frameworks for community engagement
• Leverage FOSS
• Tap the developer ecosystem

Page 7

Changing Internal Development – “Inner-Sourcing”

“…inner-sourcing - using open source development techniques within the corporation.”

Tim O’Reilly (2000)

79% of respondents ranked open source development methods as an important trend for organizations in next 2-3 years

Page 8

Changing Entire Industries – Super Communities

(Slide graphic: super-communities by industry – Financial Services, Mobile, Aerospace (Polarsys), Healthcare, Infrastructure, Automotive – and foundation logos, among them The Apache Foundation)

57% of respondents agree that their company will collaborate with competitors via Open Source

Page 9

Benefits of Strategic Use of Open Source

Page 10

Why Managed Use of OSS

“Open source is a ‘silver bullet’ that allows simultaneous improvement along all three dimensions of the software ‘iron triangle’ of cost, schedule, features.”

Jeffrey Hammond

(Diagram: the iron triangle – Cost, Schedule, Features)

Page 11

Moving to Strategic Use of Open Source

(Chart: Average 29%, Best in class 80%)

* Source: Gartner Group

Page 12

Real World Example: Sony Mobile

“Over 80% of the software in our handsets is open source”

Carl-Eric Mols, Head of OSS, Sony Mobile Communications

Page 13

Super-Community Example: GENIVI Alliance

(Diagram: Create -> Adapt -> Adopt -> Distribution)

• Adopted FOSS Code is supplied by external communities
• OEMs control and manage SW builds and Supply Chains to ensure integration and quality

Page 14

Compliance Challenges

Page 15

The FOSS Ecosystem is Vast and Diverse

•  1 Million Projects, doubling every 2 years

•  100 Billion Lines of Code

•  622,000 Source Code Repositories

•  6000 Web Sites

•  2200 Unique Licenses

•  3 Million Contributors

•  10 Million Person-Years of Development Effort

Source: Black Duck KnowledgeBase

Page 16

Open Source is Pervasive

Page 17

Using Deep License Data, We Analyzed 1 Million Projects

40% of industry-wide projects have no declared license

GitHub heavily influences the overall number

(Bar chart: No-Declared vs. Declared license, share of projects)

                Declared   No declared
  Non-GitHub      93%         7%
  GitHub          23%        77%
  All projects    60%        40%

Page 18

Black Duck’s Experience Analyzing Code

• 99% of code audits find open source.
• 95% of audits find unknown open source.
• 75% of audits contain unknown licenses.
• 50% of code audits contain GPL.
• Audits on average contain 33% open source.
• 5% of M&A deals never materialize due to our findings.

Page 19

Added Complexity in Software Supply Chains

BusyBox: popular utility, uses the GPLv2 license
-> Device OEMs embedded the code in components
-> HDTV manufacturers used the components in their products
-> Sold the HDTVs
-> SFLC sued 14 OEMs/retailers

Settlement: Westinghouse assessed monetary damages and legal fees, lost revenue due to injunction, and lost inventory (all HDTVs donated to charity).

Page 20

Challenges Using FOSS at Scale

For Organizations
• OSS strategy & policy
• Search, selection, approval
• Compliance & governance management
• Management & support
• Code proliferation
• Consistency across Supply Chain

For Developers
• Knowledge of FOSS: understanding the considerations; making good selections
• Best practices, seeking advice
• Tracking FOSS projects over time

Page 21

Best Practices – Moving from Risk Mitigation to Competitive Advantage

Page 22

Open Source Management Maturity Framework

(Diagram: maturity stages from development-driven to business strategy-driven – Exposed, Measured, Managed, Participating, Driving)

Reactive -> Tactical
Proactive -> Strategic
Designed-In Compliance

Page 23

Key Steps in an Open Source Program

✓ Develop OSS strategy, policy, and processes
  • For component selection & approval; usage; maintenance/support
✓ Appoint an open source steward/review board
  • Define and assign cross-functional responsibilities
✓ Use technology to automate and manage
✓ Educate and train developers
✓ Monitor and assess

Page 24

Key Elements of an Open Source Policy

✓ Program administration and management
✓ Discovery, acquisition and evaluation
✓ Review and approval
✓ Software procurement
✓ Support and maintenance
✓ License compliance
✓ Community participation

Page 25

Automate for Strategic Adoption & Management of FOSS

(Diagram: application development processes – Plan, Code, Build, Test, Release – alongside open source governance processes – Acquire, Approve, Catalog, Audit, Monitor – backed by the Black Duck KnowledgeBase: Description, Version, Vulnerabilities, License, Maturity, Cryptography, …)

Page 26

Unmanaged Open Source

(Diagram: developers pull code straight from the Internet; final code split between OSS and Custom; figures on slide: 30%, 90%)

Page 27

Automated, Managed Open Source: Designed-In Compliance, Re-Use, Development Leverage

(Diagram: developers draw components from the Black Duck Catalog; final code split between OSS and Custom; figures on slide: 20%, 80%)

Page 28

Additional Best Practices - Software Supply Chains

(Diagram: supply chain tiers – SW Platform/OS, Subsystems, Middleware, Apps, Device / System – each handing a Bill of Materials to the next, with Policy Conflicts surfaced at each hand-off; IP Mgmt)

Validated Bill of Materials Policy Management
• Centralized control
• Audit at every stage
• Rejection of policy violations
• Visibility and transparency

Page 29

Black Duck – This is What We Do

Acquire Approve Catalog Audit Monitor

OSS Strategy Services

OSS Policy, Process, Inner-Sourcing Services

OSS Advocacy & Education

“Enable development organizations to build better software faster with the power of Open Source technologies and methods”

Page 30

Open Source Risk Profile – Free Service

Provides information on:
• Security vulnerabilities
• Out-of-date and duplicate versions
• Inactive or poorly maintained projects
• License conflicts and obligations

A quick and easy way to assess the risk profile of the open source software you use
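The supply-chain Bill of Materials checks on slide 28 (audit at every stage, rejection of policy violations) and the risk-profile items on slide 30 (out-of-date and duplicate versions, undeclared licenses, license conflicts), as an added Python example that is not Black Duck's code; the Component model, the POLICY rules, the zlib version floor and the three-tier SUPPLY_CHAIN are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: Optional[str]  # None = no declared license
    supplier: str

def vtuple(v):
    """Compare dotted numeric versions as integer tuples ("1.2.10" > "1.2.8")."""
    return tuple(int(p) for p in v.split("."))

def audit(tiers, policy):
    """Audit a layered BOM (list of (tier, [Component])) against a policy.
    Returns (accepted, conflicts); each conflict names the tier it came from,
    so a rejection is traceable to the supplier that introduced it."""
    conflicts = []
    versions = defaultdict(set)
    for tier, bom in tiers:
        for c in bom:
            if c.license is None:
                if policy["require_declared_license"]:
                    conflicts.append((tier, c.name, "no declared license"))
            elif c.license in policy["denied_licenses"]:
                conflicts.append((tier, c.name, f"denied license {c.license}"))
            floor = policy["min_versions"].get(c.name)
            if floor and vtuple(c.version) < vtuple(floor):
                conflicts.append((tier, c.name, f"out-of-date {c.version} < {floor}"))
            versions[c.name].add(c.version)
    # Duplicate versions only show up once all tiers are merged.
    for name, vs in versions.items():
        if len(vs) > 1:
            conflicts.append(("cross-tier", name, "duplicate versions " + ", ".join(sorted(vs))))
    return (not conflicts, conflicts)

# Constructed policy and BOMs (assumptions, not real supplier data or advisories).
POLICY = {
    "denied_licenses": {"GPL-2.0"},       # a device maker shipping proprietary firmware
    "require_declared_license": True,
    "min_versions": {"zlib": "1.2.8"},    # placeholder version floor
}
SUPPLY_CHAIN = [
    ("SW Platform/OS", [Component("busybox", "1.21.0", "GPL-2.0", "platform-vendor"),
                        Component("zlib", "1.2.8", "Zlib", "platform-vendor")]),
    ("Middleware", [Component("zlib", "1.2.3", "Zlib", "middleware-vendor"),
                    Component("libjsonx", "0.9", None, "contractor")]),
    ("Apps", [Component("libui", "2.0", "MIT", "in-house")]),
]

if __name__ == "__main__":
    accepted, found = audit(SUPPLY_CHAIN, POLICY)
    print("BOM accepted" if accepted else "BOM rejected")
    for tier, name, reason in found:
        print(f"  [{tier}] {name}: {reason}")
```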

Page 31

Summary

• Open source software is changing the world
• It’s ubiquitous and an essential element of software strategy
• It’s where innovation is happening
• Developing software with open source is different
• Realizing the full benefits while managing the challenges requires:
  • Strategy and Policy
  • Governance Processes
  • Technology/Automation