The advantages of using Open Source Software (OSS) are clear. In fact, research shows that usage of OSS is accelerating at an unprecedented rate. Using OSS as part of your solution leads to complexity that many organizations today are still struggling to tame.
There are many elements to using open source effectively that you need to consider as you move forward in integrating open source into your environment.
- Are you in compliance with the license terms and obligations for all of the OSS components you are using?
- Do you know all of the OSS Components you are using and which of your applications are using those components?
- Are you aware of any known security vulnerabilities that your OSS components are exposed to?
- Do you know how to remediate the security and compliance issues you uncover?
Many organizations today are ill-prepared to answer these questions. And worse, they are often facing a skill gap. For example, developers often struggle to understand the OSS license terms and obligations and may select components that put your organization unnecessarily at risk. Lawyers often struggle to understand the subtlety of open source licenses. And maintenance engineers often struggle to remediate security vulnerabilities reported against your OSS components.
Software Tools Surface Risks
Software tools such as Black Duck Hub can certainly help you gather the data and surface potential conflicts and security risks, but if you don’t know the difference between a reciprocal license and a permissive license it will be extremely challenging to reduce your license compliance risk. And if you don’t understand the implications of a high severity vulnerability vs a low severity vulnerability it will be equally challenging to lower your security risk.
Beyond Software Tools
Organizations need more than tools to accomplish the mission. They need skilled employees who can operate the tools, drive change and reduce risk. Unfortunately, most organizations underfund training for their employees — despite clear evidence that increasing skills by just 1/3 increases the likelihood of stakeholders meeting their project objectives from 10% to 90%! [Training Impact on Project Survey, IDC, 2011]. Skilled employees rollout solutions 22% faster, drive hard savings to the bottom line ($70K per year) and are at least 10% more productive [The Value of Training, IBM May 2014].
At Black Duck Software, we offer our customers an all-you-can-eat subscription to training via Black Duck Academy. Not only do we provide “tool training,” we also provide primers on Open Source Software, Open Source License Compliance and Managing Open Source Software. Our customers have access to just-in-time, short courses designed to provide the knowledge and skills we know will drive project success. And some of our most successful customers have taken this a step further by developing customized courses to articulate their OSS policies and procedures to further enable their success.
Invest in Training Your Team
The investment in training your team in the management of OSS can clearly pay dividends. You should set aside at least 5-7% of your project budget to training your team. Our own research shows that customers who invest in training are best-in-class when it comes to mitigating both open source legal and security risk.