The Essentials of Open Source Strategy and Governance

Much has been written regarding open source development models and community dynamics. Yet, equally important are the different types of open source business strategies, best practices, and processes that govern the use of code from open source projects and contributions to those projects throughout an organization.

My colleague Greg Olson and I were recently honored by the invitation to contribute to Dr. Karl Popp’s new book, Best Practices for Commercial Use of Open Source Software. The following are excerpts from the chapter Greg and I contributed to this book (Chapter 5 - Tools for Open Source Success):

Open Source Strategy

In Black Duck's consulting practice, we are often asked to help organizations create strategies for optimizing returns on investment (ROI) in open source software. Those investments typically begin with consumption but also encompass community participation and legal and business considerations, and can ultimately extend to building entire businesses on or around open source technology.

Figure 1 – The Elements of an Open Source Strategy

Agreeing upon an open source strategy is an essential first step to enhancing ROI from open source, on a par with having an overall business strategy. At the lowest level, strategy drives tactical concerns, in particular, use cases. Ultimately, companies wishing to monetize open source look to one of four basic business models:

Figure 2 – Core Open Source Business Models / Use Cases

Open Source Governance

Open source governance comprises the policies, processes, procedures and also tradition and culture that surround the creation, development, deployment and maintenance of open source software (OSS). Many treatises focus on the governance of open source projects and the communities that arise around them. Here, instead, we examine governance as applied to OSS as consumed, contributed to, (re)distributed, and also produced by commercial and governmental organizations, and focus on tools that facilitate these activities.

In this vein, open source governance is part of the broader category of IT governance which, according to the IT Governance Institute, helps ensure that IT supports business goals, maximizes business investment in IT, and appropriately manages IT-related risks and opportunities.

The Need for Governance

For many IT, product development and services organizations, the acquisition of open source software has been largely organic and uncontrolled. Individual developers have enjoyed the freedom of searching the abundance of OSS code available on the Internet and have used it without a formal acquisition process. However, as organizations increasingly rely on open source for business-critical applications, and OSS has grown to comprise a substantial portion of deployed code, the need for open source governance has evolved from a nicety into an imperative.

A decade ago, technology companies were the first to invest in tools for open source governance. Software vendors, device manufacturers (OEMs) and semiconductor suppliers were among the first to leverage OSS commercially and also the first to be concerned about how compliance with open source licenses might impact their control over technology and intellectual property portfolios.

More recently, enterprise IT (EIT) organizations began taking an interest in governance as well. While not usually redistributing OSS code (and thereby avoiding most open source license compliance requirements), EIT organizations today find themselves developing applications that are both internal and client-facing. They worry about compliance requirements that can accompany provision of services using OSS technologies, especially in the cloud. The primary concern of most EIT organizations with regard to OSS is software and information security; in particular, their focus is on the ability to identify and track software vulnerabilities and reliably manage their remediation. Some organizations also seek to be prepared for IP scrutiny that accompanies mergers and acquisitions.
