This track examined strategies on how general counsels and legal firms can proactively help clients understand code integrity, identify applicable open source licenses and surface security vulnerabilities. The topics and interactive sessions were far ranging and brought many new insights for attendees in open source legal compliance issues. Gleaned from two days in the Legal and Compliance track at Black Duck Flight16, I've compiled eight insights from eight sessions.
1. There's Big Math Out There
There's a growing need for legal support of open source use, especially in large organizations that have an ever-growing number of applications. These organizations need to be aware of the explosion of open source use, and monitor accordingly. A typical application has between 30 and 80 open source projects relating to its code base, and large organizations can have hundreds, or even thousands of applications. That's big math, and it creates big need.
2. Not All Vulnerabilities Are The Same
It's important to understand that application vulnerabilities fall into two categories: flaws in code and bugs in code. The distinction is that simply scanning for a particular high profile published bug (maliciously created or otherwise) relies on already knowing what you are looking for. However, scanning for a high profile bug doesn't give you the whole story. What about vulnerabilities created by flaws in the code? While not malicious, they present the same risk. That's why it's important to know exactly what is in your code and where to locate it, which is far better than just trying to locate a high profile vulnerability after it has been announced.
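The difference between the two approaches is easiest to see in code. The following is an added example, not from the original post or from Black Duck: a minimal open source component inventory over two constructed applications. It answers the reactive question ("a bug in libfoo was just published; do we ship it, and where?") and the proactive one ("what is in our code at all, so we can review it before any advisory exists?"). The component names, versions, paths and the advisory are all constructed for illustration.

```python
"""
Added example (not from the original post): a minimal open source
component inventory that answers two questions the section raises:
  1. Given a newly published advisory for a component, is it in our code
     and where?  (reactive: scanning for a known, high-profile bug)
  2. What is in our code at all, so components with no published advisory
     can still be reviewed?  (proactive: knowing exactly what you ship)
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    location: str   # where in our source tree the component lives


# Constructed inventory across two hypothetical applications.
INVENTORY: Dict[str, List[Component]] = {
    "billing-api": [
        Component("libfoo", "1.2.0", "MIT", "billing-api/vendor/libfoo"),
        Component("parsekit", "0.9.3", "GPL-2.0", "billing-api/third_party/parsekit"),
    ],
    "customer-portal": [
        Component("libfoo", "1.4.1", "MIT", "customer-portal/node_modules/libfoo"),
        Component("imgtool", "2.0.0", "Apache-2.0", "customer-portal/lib/imgtool"),
    ],
}

# Constructed advisory: a published bug in libfoo, fixed in 1.3.0.
ADVISORY = {"component": "libfoo", "fixed_in": (1, 3, 0)}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def locate(component: str) -> List[Tuple[str, str, str]]:
    """Question 1: every (app, version, path) where a component is used."""
    hits = []
    for app, comps in INVENTORY.items():
        for c in comps:
            if c.name == component:
                hits.append((app, c.version, c.location))
    return hits


def affected_by(advisory: dict) -> List[Tuple[str, str, str]]:
    """Question 1 continued: only the uses below the fixed version."""
    return [h for h in locate(advisory["component"])
            if parse_version(h[1]) < advisory["fixed_in"]]


def components_by_license(license_id: str) -> List[Tuple[str, str, str]]:
    """Question 2: what is in the code regardless of any advisory,
    e.g. every component under a given license and where it lives."""
    return [(app, c.name, c.location)
            for app, comps in INVENTORY.items()
            for c in comps if c.license == license_id]


if __name__ == "__main__":
    print("libfoo uses:", locate("libfoo"))
    print("affected by advisory:", affected_by(ADVISORY))
    print("GPL-2.0 components:", components_by_license("GPL-2.0"))
```

The point of the example is that the inventory is built once, before any advisory exists; when an advisory lands, `affected_by` is a lookup rather than a scan, and `components_by_license` shows the same inventory serving the license-compliance side of the work.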
3. The Two-Sided M&A Coin
Addressing open source software risk in M&A due diligence is now a mainstream activity. It impacts both the buy and sell sides of any deal where software is a key asset. And frankly, almost every company is now a software company, whether in its products or operations. On the sell side, knowing what open source software you have prior to a possible transaction can save huge headaches. The potential for an acquired company's feet being held to the fire through holdbacks, escrow, warranties and so on is ever-present. On the buy side it's critical not to unknowingly absorb risk; being aware of any issues can increase the acquirer's leverage in negotiations.
4. B2B Open Source
Traditionally, proper adherence to open source licensing has been community policed. Most companies and organizations try to comply, but when issues arise, it has been the open source community, with support from community-based legal organizations, that calls these companies to task. Open source has become so mainstream now that commercial-to-commercial legal interactions have begun to appear. Companies that contribute to open source projects also have a vested interest in not seeing their code improperly licensed by other, potentially competitive, commercial entities. In fact, B2B litigation over open source licensing is now happening. This extends into the newer practice of dual licensing, where the same code is licensed for general public use under the GPL and under another license for commercial use.
5. You Won't Gain With Pain
Management support in your organization is an important factor in creating a comprehensive approach to addressing security and compliance risk in open source. Board members and senior executives are now more motivated to support open source as a strategic initiative. Improved time to market, lower costs and innovation open the door to a positive strategy, while control of licensing and vulnerabilities further supports a company-wide program. It may be difficult to motivate the C-suite based on license and security issues alone, but once the strategic benefits of open source get attention, it's easier to sustain ongoing interest in and support for open source use.
6. Foot Fouling Costs
Risk is not always manifested in major violations. Most companies work to protect themselves from major exposure, and open source risk remediation is no different. However, minor violations can hurt you as well. For example, an individual in Germany has begun to exploit the complexities of German law by providing (sometimes dubious) open source contributions to the Linux project and then approaching vulnerable companies over tiny "foot foul" licensing transgressions. He extracts small settlements, perhaps 10K Euros for a violation, and then presumably goes away. But once a company pays him off it has established a pattern, and he can go back to the well for potentially hundreds of tiny violations, all at the 10K amount. It's one thing to address big issues, but you need to understand your use of open source code in an environment of minor violations as well.
7. The Open Source Way
The fact is that a frictionless environment gives private companies the edge in creativity and the ability to address challenges. We're dependent on individuals who understand the technology well enough to build and create. Building a value system where developers are rewarded for their integrity and creativity should be a priority. If world governments can't respond to technology challenges, we must rely on private companies to carry us forward. If the expertise necessary to respond is available only inside corporations, we must establish rules that enable those experts to help us respond to challenges quickly. The community works to create open source code together, and we rely on security researchers to help us uncover vulnerabilities.
8. Keeping The Lid On Containers
Lawyers also need to pay attention to the unique aspects of container security. Banyan Ops found that over 30% of Docker Hub images contain "high priority" security vulnerabilities (Banyan, 2015). By their nature, containers both require and facilitate an automated approach to handling security. Tools can prevent starting and/or building with a container that violates security policy, and lawyers need to be aware of this as container technology further integrates into their organizations. It's essential to verify where the container image comes from and what's inside the container itself.
The Legal and Compliance track covered a wide variety of topics, highlighting the essential truth that open source is everywhere. General counsels and legal firms need to be hyper-aware of open source legal compliance issues because open source has never been more critical to the protection and ultimate success of business.