Four Open Source Policies You Can’t Live Without

Open source software use has exploded in the last 10 years, and the benefits – economic, time to market, security and quality – are well documented. Companies that embrace and encourage the use of open source software are reaping those benefits. However, to fully capitalize on the value of open source software, it is essential to manage the risks associated with each individual component using open source policies.

There are four “must have” aspects of sound open source policy management.

  1. Know the kind of OSS you want: There are millions of open source projects and it is vital to make sure you’re choosing not only the right open source components but also the right open source community to rely on for updates and increased functionality. You should feel confident in the contributors associated with your components and that there is a vibrant community ready and willing to quickly make changes if updates are needed.
  2. Implement OSS management practices: Processes to accurately identify, track and monitor the open source you’re using are paramount. If you don’t know what you’re using, you can’t effectively manage the risks. Cumbersome processes requiring hours of review, or lengthy request and approval times for open source adoption, will create frustration, and developers will find ways to work around them. The best processes satisfy all the stakeholders, developers and legal alike. Streamlining and automating as much as possible removes many roadblocks to integrating open source projects into your application and provides earlier and greater visibility into what you’re using.
  3. Understand the impacts of OSS licenses: There are many nuances to managing open source license obligations. Whether it’s a dynamically linked open source library that uses an LGPL license, a SaaS application that contains GPLv2-licensed code, or an internal tool you’ve developed with open source components under an AGPL license, it’s important to evaluate what types of applications you’re building, how you use and distribute those applications, and the licensing obligations you’re comfortable with.
  4. Assess and continuously monitor security impacts of OSS: Effective use of open source software requires a process for identifying, reporting, and addressing known security vulnerabilities. This process extends beyond an initial scan for vulnerability detection and mapping to include constant monitoring of the open source in use for any newly reported vulnerabilities. And you’ll be in even better shape if you have selected OSS backed by a community of developers working on and releasing rapid bug fixes.

Automating the continuous identification and monitoring of open source usage in your applications, combined with well-thought-out open source policies, allows you to mitigate the risk associated with open source software. New policy management features included in Black Duck Hub 3.0 will enable you to define and configure your open source software policy rules and manage the exceptions to those rules. I encourage you to try Hub 3.0 to see for yourself.
