Is Shadow Engineering Developing Your Applications?

Shadow Engineering

Do you allow a supplier’s goods and services to be acquired and used by your employees without the approval of your management? Certainly not anymore. You’ve probably spent years applying better governance to the acquisitions made by shadow IT.

However, even before the emergence of shadow IT, your engineers have been making acquisitions from ungoverned suppliers: open source software authors.


What's Shadow Engineering?

Shadow IT mostly acquires compute and storage resources for internal use, but “shadow engineering” has been exposing your customers to ungoverned intellectual property by using open source software in your products.

Even though these authors charge no subscription, licensing, or maintenance fees, the effects of their software on your products are significant.

Just as shadow IT has helped organizations be more efficient and elastic, shadow engineering has done the same, but you must better govern what shadow engineering is acquiring.

This post was originally published on the Stairstep Consulting blog.


David Znidarsic is the founder and president of Stairstep Consulting, where he provides intellectual property consultation services including IP forensics, M&A diligence, information security management, open source usage management, and license management. Learn more about David and Stairstep Consulting at






