Open source software use has exploded in the last 10 years, and the benefits – economic, time to market, security and quality – are well documented. Companies that embrace and encourage the use of open source software are reaping those benefits. However, to fully capitalize on the value of open source software it is essential to manage the risks associated with each individual component using open source policies.
There are four “must have” aspects of sound open source policy management.
- Know the kind of OSS you want: There are millions of open source projects and it is vital to make sure you’re choosing not only the right open source components but also the right open source community to rely on for updates and increased functionality. You should feel confident in the contributors associated with your components and that there is a vibrant community ready and willing to quickly make changes if updates are needed.
- Implement OSS management practices: Processes to accurately identify, track and monitor the open source you’re using are paramount. If you don’t know what you’re using you can’t effectively manage the risks. Cumbersome processes requiring hours of review; or lengthy request and approval times for source adoption will create frustration, and developers will find ways to work around them. The best processes satisfy all the stakeholders, developers and legal alike. Streamlining and automating as much as possible removes many road blocks to integrating open source projects into your application and provide earlier and greater visibility into what you’re using.
- Understand the impacts of OSS Licenses: There are many nuances to managing open source license obligations. Whether it’s a dynamically linked open source library that uses an LGPL license or a SaaS application that contains GPLv2 licenses, or an internal tool you’ve developed with open source components with an AGPL license, it’s important to evaluate what types of applications you’re building, how you use and distribute those applications, and the licensing obligations you’re comfortable with.
- Assess and continuously monitor security impacts of OSS: Effective use of open source software requires a process for identifying, reporting, and addressing known security vulnerabilities. This process extend beyond an initial scan for vulnerability detection and mapping, to include constant monitoring of the open source in use to any newly reported vulnerabilities. And you’ll be in even better shape of if you have selected OSS backed by a community of developers working on and releasing rapid bug fixes.
Automating the continuous identification and monitoring of open source usage in your applications combined with well thought out open source policies allow you to mitigate the risk associated with open source software. New policy management features included in Black Duck Hub 3.0 will enable you to define and configure your open source software policy rules and manage the exceptions to those rules. I encourage you to try Hub 3.0 to see for yourself.
Click below to watch this video and see the new open source policy management in Hub 3.0 in action: