© Black Duck 2013
Open Source Compliance Today: From Risk Mitigation to Competitive Advantage
Tim Yeaton, Black Duck
Open Compliance Summit 2013
Agenda
• Open Source Industry Trends
• Benefits
• Compliance Challenges
• Best Practices
• Summary
Global Open Source Industry Trends
Open Source at the Tipping Point
• From low cost alternatives to new innovation
• Improving software quality
• Driving faster innovation cycles
• Accelerating FOSS adoption in new industries
• Fueling trends beyond just FOSS code:
  • Changing the competitive model: “Super-Communities”
  • Internal social coding: “Inner-Sourcing”
  • Automating software supply chains
Why is FOSS Important?
Changing how Software is Built – Leveraging Communities: Deutsche Bank Example
• FOSS innovation cycles are causing a re-think of IT software development
• Despite a 22,000-person IT payroll (8,000 employees, 14,000 contractors), Deutsche Bank doesn’t have all necessary skills
• IT strategy is evolving from building software and solutions to building frameworks for community engagement
• Leverage FOSS
• Tap the developer ecosystem
Changing Internal Development – “Inner-Sourcing”
“…inner-sourcing - using open source development techniques within the corporation.”
Tim O’Reilly (2000)
79% of respondents ranked open source development methods as an important trend for organizations in next 2-3 years
Changing Entire Industries – Super Communities
Figure: logos of super communities across industries (Financial Services, Mobile, Aerospace, Healthcare, Infrastructure, Automotive), including Polarsys and The Apache Foundation.
57% of respondents agree that their company will collaborate with competitors via Open Source
Benefits of Strategic Use of Open Source
Why Managed Use of OSS?
“Open source is a ‘silver bullet’ that allows simultaneous improvement along all three dimensions of the software ‘iron triangle’ of cost, schedule, features.”
Jeffrey Hammond
Figure: the iron triangle (Cost, Schedule, Features).
Moving to Strategic Use of Open Source
Chart: 29% (average) vs. 80% (best in class). Source: Gartner Group
Real World Example: Sony Mobile
“Over 80% of the software in our handsets is open source”
Carl-Eric Mols, Head of OSS, Sony Mobile Communications
Super-Community Example: GENIVI Alliance
Figure: Create / Adapt / Adopt / Distribution cycle.
• Adopted FOSS code is supplied by external communities
• OEMs control and manage SW builds and supply chains to ensure integration and quality
Compliance Challenges
The FOSS Ecosystem is Vast and Diverse
• 1 Million Projects, doubling every 2 years
• 100 Billion Lines of Code
• 622,000 Source Code Repositories
• 6000 Web Sites
• 2200 Unique Licenses
• 3 Million Contributors
• 10 Million Person-Years of Development Effort
Source: Black Duck KnowledgeBase
Open Source is Pervasive
Using Deep License Data, We Analyzed 1 Million Projects
40% of industry-wide projects have no declared license
GitHub heavily influences the overall number
No-Declared vs. Declared license (share of projects)
• Non-GitHub: 93% declared, 7% no declared license
• GitHub: 23% declared, 77% no declared license
• All projects: 60% declared, 40% no declared license
Black Duck’s Experience Analyzing Code
• 99% of code audits find open source.
• 95% of audits find unknown open source.
• 75% of audits contain unknown licenses.
• 50% of code audits contain GPL.
• Audits on average contain 33% open source.
• 5% of M&A deals never materialize due to our findings.
Added Complexity in Software Supply Chains: the BusyBox case
• BusyBox, a popular utility, uses the GPLv2 license
• Device OEMs embedded the code in components
• HDTV manufacturers used the components in their products and sold the HDTVs
• SFLC sued 14 OEMs/retailers
• Settlement: Westinghouse assessed monetary damages and legal fees, lost revenue due to injunction, and lost inventory (all HDTVs donated to charity).
Challenges Using FOSS at Scale
For Organizations
• OSS strategy & policy
• Search, selection, approval
• Compliance & governance management
• Management & support
• Code proliferation
• Consistency across supply chain
For Developers
• Knowledge of FOSS: understanding the considerations; making good selections
• Best practices, seeking advice
• Tracking FOSS projects over time
Best Practices – Moving from Risk Mitigation to Competitive Advantage
Open Source Management Maturity Framework
Figure: maturity stages (Exposed, Measured, Driving, Managed, Participating) spanning development-driven to business strategy-driven management; organizations move from reactive/tactical to proactive/strategic, ending in designed-in compliance.
Key Steps in an Open Source Program
✓ Develop OSS strategy, policy, and processes
  • For component selection & approval; usage; maintenance/support
✓ Appoint an open source steward/review board
  • Define and assign cross-functional responsibilities
✓ Use technology to automate and manage
✓ Educate and train developers
✓ Monitor and assess
Key Elements of an Open Source Policy
✓ Program administration and management
✓ Discovery, acquisition and evaluation
✓ Review and approval
✓ Software procurement
✓ Support and maintenance
✓ License compliance
✓ Community participation
Automate for Strategic Adoption & Management of FOSS
Figure: application development processes (Plan, Code, Build, Test, Release) aligned with open source governance processes (Acquire, Approve, Catalog, Audit, Monitor), backed by the Black Duck KnowledgeBase (description, version, license, vulnerabilities, maturity, cryptography, …).
Unmanaged Open Source
Figure: code flows unmanaged from the Internet through developers into the final code; chart labels: 30%, OSS, 90%, Custom.
Automated, Managed Open Source: Designed-In Compliance, Re-Use, Development Leverage
Figure: a Black Duck Catalog sits between developers and the final code, which is split between OSS and custom code (chart labels: 80%, 20%).
Additional Best Practices – Software Supply Chains
Figure: supply-chain tiers (SW Platform/OS, Middleware, Subsystems, Apps, Device/System), each passing a Bill of Materials up to the next tier and receiving Policy Conflicts back, with IP management at the integrator.
Validated Bill of Materials Policy Management
• Centralized control
• Audit at every stage
• Rejection of policy violations
• Visibility and transparency
Black Duck – This is What We Do
• Acquire, Approve, Catalog, Audit, Monitor
• OSS Strategy Services
• OSS Policy, Process, Inner-Sourcing Services
• OSS Advocacy & Education
“Enable development organizations to build better software faster with the power of Open Source technologies and methods”
Open Source Risk Profile – Free Service
Provides information on:
• Security vulnerabilities
• Out-of-date and duplicate versions
• Inactive or poorly maintained projects
• License conflicts and obligations
A quick and easy way to assess the risk profile of the open source software you use
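A small bill-of-materials policy gate of the kind the supply-chain slide (audit at every stage, rejection of policy violations) and the risk-profile slide (duplicate versions, license conflicts and obligations) describe, written here as an added example and not Black Duck's own tooling. The tier names follow the supply-chain slide; the component BOMs, the copyleft list and the source_offer field are constructed assumptions.

```python
"""Bill-of-materials policy gate across supply-chain tiers (constructed example)."""
from collections import defaultdict

# Constructed policy: copyleft licenses are acceptable in distributed device
# firmware only when a source offer for that component is being tracked.
COPYLEFT = {"GPL-2.0", "GPL-3.0", "LGPL-2.1", "AGPL-3.0"}

# Constructed BOMs for each supply-chain tier; components and versions
# are illustrative, not real findings.
TIER_BOMS = {
    "SW Platform/OS": [
        {"name": "busybox", "version": "1.21.0", "license": "GPL-2.0", "source_offer": False},
        {"name": "zlib", "version": "1.2.8", "license": "Zlib", "source_offer": False},
    ],
    "Middleware": [
        {"name": "zlib", "version": "1.2.3", "license": "Zlib", "source_offer": False},
        {"name": "jsonlib", "version": "0.9", "license": None, "source_offer": False},
    ],
    "Apps": [
        {"name": "mediaplayer", "version": "2.0", "license": "GPL-2.0", "source_offer": True},
    ],
}

def evaluate_bom(tier_boms):
    """Audit every tier's BOM and return (tier, component, conflict) tuples."""
    conflicts = []
    versions = defaultdict(set)
    for tier, components in tier_boms.items():
        for comp in components:
            versions[comp["name"]].add(comp["version"])
            if comp["license"] is None:
                conflicts.append((tier, comp["name"], "no declared license"))
            elif comp["license"] in COPYLEFT and not comp["source_offer"]:
                conflicts.append((tier, comp["name"], "copyleft without source offer"))
    # Duplicate versions of one component across tiers bloat the image and
    # make patching inconsistent; the integrator sees them across all BOMs.
    for name, seen in sorted(versions.items()):
        if len(seen) > 1:
            conflicts.append(("integrator", name, "duplicate versions: " + ", ".join(sorted(seen))))
    return conflicts

def release_gate(tier_boms):
    """Reject the release while any policy conflict remains open."""
    return not evaluate_bom(tier_boms)

if __name__ == "__main__":
    for tier, name, conflict in evaluate_bom(TIER_BOMS):
        print(f"{tier}: {name}: {conflict}")
    print("release allowed:", release_gate(TIER_BOMS))
```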
Summary
• Open source software is changing the world
• It’s ubiquitous and an essential element of software strategy
• It’s where innovation is happening
• Developing software with open source is different
• Realizing the full benefits while managing the challenges requires:
  • Strategy and Policy
  • Governance Processes
  • Technology/Automation