Much has been written regarding open source development models and community dynamics. Yet, equally important are the different types of open source business strategies, best practices, and processes that govern the use of code from open source projects and contributions to those projects throughout an organization.
My colleague Greg Olson and I were recently honored by the invitation to contribute to Dr. Karl Popp’s new book, Best Practices for Commercial Use of Open Source Software. The following are excerpts from the chapter Greg and I contributed to this book (Chapter 5 - Tools for Open Source Success):
Open Source Strategy
In Black Duck's consulting practice, we are often asked to help organizations create strategies for optimizing returns on investment (ROI) in open source software. Those investments typically begin with consumption but also encompass community participation and legal and business considerations, and can ultimately extend to building entire businesses on or around open source technology.
Figure 1 – The Elements of an Open Source Strategy
Agreeing upon an open source strategy is an essential first step to enhancing ROI from open source, on a par with having an overall business strategy. At the lowest level, strategy drives tactical concerns, in particular the use cases. Ultimately, companies wishing to monetize open source look to one of four basic business models:
Figure 2 – Core Open Source Business Models / Use Cases
Open Source Governance
Open source governance comprises the policies, processes, procedures and also tradition and culture that surround the creation, development, deployment and maintenance of open source software (OSS). Many treatises focus on the governance of open source projects and the communities that arise around them. Here, instead, we examine governance as applied to OSS as consumed, contributed to, (re)distributed, and also produced by commercial and governmental organizations, and focus on tools that facilitate these activities.
In this vein, open source governance is part of the broader category of IT governance which, according to the IT Governance Institute, helps ensure that IT supports business goals, maximizes business investment in IT, and appropriately manages IT-related risks and opportunities.
The Need for Governance
For many IT, product development and services organizations, the acquisition of open source software has been largely organic and uncontrolled. Individual developers have enjoyed the freedom to search the abundance of OSS code available on the Internet and to use it without a formal acquisition process. However, as organizations increasingly rely on open source for business-critical applications, and OSS has grown to comprise a substantive portion of deployed code, the need for open source governance has evolved from a nicety into an imperative.
A decade ago, technology companies were the first to invest in tools for open source governance. Software vendors, device manufacturers (OEMs) and semiconductor suppliers were among the earliest commercial adopters of OSS, and therefore the first to be concerned about how compliance with open source licenses might impact their control over their technology and intellectual property portfolios.
More recently, enterprise IT (EIT) organizations began taking an interest in governance as well. While not usually redistributing OSS code (and thereby avoiding most open source license compliance requirements), EIT organizations today find themselves developing applications that are both internal and client-facing. They worry about compliance requirements that can accompany provision of services using OSS technologies, especially in the cloud. The primary concern of most EIT organizations with regard to OSS is software and information security; in particular, their focus is on the ability to identify and track software vulnerabilities and reliably manage their remediation. Some organizations also seek to be prepared for IP scrutiny that accompanies mergers and acquisitions.