Protecode Inc. 2015
Open Source Software: What Are Your Obligations?
Thursday, April 23rd, 2015
Agenda
• Open Source Software
– What is Open Source?
– Licence and copyrights overview
– Case studies
• Open Source Software Management
– Controlling the adoption of Open Source
– Are we using it?
– Open Source attributes. Where are they?
– Software package pre-approval
– Composite projects
– Options: manual versus automated
• Wrap up and Q/A
Martin Callinan, Director, Source Code Control
Andrew Katz, Managing Partner/Chief Executive, Moorcrofts LLP
Open Source Everywhere
These companies have dedicated OSS Teams
“Every Company Is a Software Company”
– CEO Mendix
Linux dominates every sector of computing (except desktop)
http://www.zdnet.com/article/20-great-years-of-linux-and-supercomputers/
By 2016, the vast majority of mainstream IT organisations will
use open source in mission-critical solutions.
https://www.gartner.com/doc/2822619
• 44% of all code created in the world is OSS, and increasing
• 80% of newly deployed code is open source
• 31% of OSX is OSS, 75% of Android
• Stats demonstrate OSS more innovative than proprietary
• 36% lower defects in OSS than comparable proprietary code
http://transfersummit.com/sites/default/files/materials/rgardler/ts11daffara-notes.pdf
http://www.openforumacademy.org/library/ofa-fellows-reference-library/ofe-fellows-reference-library/Hosted%20Files/first-conference-proceedingsA4.pdf
What is open source?
• Source code is available
• Freedom to use (for any purpose)
• Freedom to study and modify
• Freedom to distribute (original or modifications)
Open source software still has an owner, and to use
it you need a licence.
Open Source Licensing
• There are hundreds of different types of licence.
• They range from very simple to more complex.
• Many licences are easy to comply with
• Some licences are subject to “copyleft”
Easy compliance
• ‘Permissive’ or ‘Academic’ licences
• You can do what you want, including building the code into proprietary products.
• Compliance usually limited to incorporating disclaimers and attributions if you distribute.
• Examples: BSD, Apache
Difficult compliance
• ‘Reciprocal’, ‘Copyleft’, ‘Sharealike’
• If you distribute the program (as-is, or modified), you must do so under the same terms.
• You can’t incorporate it into proprietary code.
• If you breach, you’re in breach of copyright.
• e.g. GPL, Mozilla, Microsoft Public License
Distribution?
Copyleft licences are only relevant on distribution.
But distribution may mean many things:
• Supply to customers
• Transfer to companies within the same group
• Transfer to outsourcing provider
• Use of software over a network (SaaS) (AGPL, OSL)
Distribution in breach of licence is a breach of copyright.
Non-copyright risk issues
• Patents – know your exposure, know if you need to get a licence (e.g. codecs)
• Bugs (security, in particular)
Why you need to know what code you are running.
Case Studies
Financial Services
• Compliance driven by regulator
• Pensions providers required to do due diligence on their service providers to assess risk of software failure
• Our client required to undertake an annual audit of code used to provide solutions to pensions providers
M&A Transactions
• Open source due diligence now routine in M&A transactions
• Purchaser/investor will want comfort that the codebase is clean, and that appropriate procedures are in place
Heartbleed
• OpenSSL deployed by hundreds of thousands of end-user companies for encryption in web apps and elsewhere
• Trillions of dollars of transactions depend on it
• Critical bug found
• Companies had to answer to shareholders and regulators
Mitigating risk
• Ensure deep knowledge of your codebase
• Employ appropriate practices and procedures to ensure code cleanliness
• Document provenance
• Test practices and procedures - auditing
Martin Callinan – Source Code Control Limited
Open Source Software Management
OSS in Organisations
Shall we use OSS, or do we know if we use OSS already?
– Risk assessment
• Risk of being involved vs risk of not being involved
– Consideration -> Adoption -> Integral part of business
The most common factors affecting use of OSS in software projects:
– Concerns regarding intellectual property / licensing
– Concerns regarding the security of the software
– Service & support
– Product capabilities/maturity
– Difficulty of adoption / integration
– Software quality – end user satisfaction
– Software enhancements – innovation over time
– Viability of the open source community
Licensing Challenges of OSS
Produced by large number of developers over time
– Bazaar model: policy of fast and frequent releases, release candidates, possibility of governance impairments
Questionable due diligence efforts of committers
– Re-licensing efforts may not have been correctly handled
Code may:
– Contain nested packages with their own set of issues
– Contain code from books or community websites
– Implement patents
– Implement specifications that are subject to a license
– Contain code generated by a tool where the output could be a derivative of input
– Contain or implement APIs that may have their own obligations
Compliance is not always clear
Open Source projects use open source projects
Composite projects may have multiple licenses
– Project license
• A top level license, or top level document listing applicable licenses
• Look for website information, LICENSE, COPYING, or README files
– Subfolder licenses
• Indicate sub-level OSS projects
• Not always present
– File licenses
– Exceptions: subfolder holding binaries or libraries
• Generally do not have a license document
• You are on your own to determine the binary or library licenses
– Automated code scanning tools should resolve these cases
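The three levels above (project licence, subfolder licence, file licence) and the binaries-without-a-licence exception, as an added example that is not part of the deck and not Protecode's scanner: a walk over a constructed in-memory project tree that records licence evidence at each level into a simple bill of materials. The phrase signatures, file names and SPDX ids are assumptions; a real tool would use a full signature database.

```python
# Added example: collect project-, subfolder- and file-level licence evidence
# from a composite project tree, flagging binaries that carry no licence document.
import os
import re
LICENSE_FILES = {"LICENSE", "LICENSE.txt", "COPYING", "README", "README.md"}
BINARY_EXT = {".jar", ".so", ".dll", ".a"}
# Assumed phrase signatures (a real scanner uses a signature database).
SIGNATURES = [
    ("AGPL-3.0", "GNU AFFERO GENERAL PUBLIC LICENSE"),
    ("GPL-2.0", "GNU GENERAL PUBLIC LICENSE"),
    ("Apache-2.0", "Apache License"),
    ("MIT", "Permission is hereby granted, free of charge"),
]
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([\w.+-]+)")

def classify(text):
    # A file-level SPDX tag wins; otherwise fall back to licence-text phrases.
    tag = SPDX_TAG.search(text)
    if tag:
        return tag.group(1)
    return next((lid for lid, phrase in SIGNATURES if phrase in text), "UNKNOWN")

def build_bom(tree):
    """tree maps relative path -> text, or None for a binary. Returns BoM entries."""
    dir_license, file_license, binaries = {}, {}, {}
    # READMEs sort last so a real LICENSE/COPYING file wins for the same folder.
    for path, content in sorted(tree.items(), key=lambda kv: "README" in kv[0].upper()):
        folder, name = os.path.split(path)
        if name in LICENSE_FILES and content is not None:
            lic = classify(content)
            if lic != "UNKNOWN":          # a README need not mention a licence
                dir_license.setdefault(folder, lic)
        elif os.path.splitext(name)[1] in BINARY_EXT:
            binaries.setdefault(folder, []).append(path)
        elif content is not None and SPDX_TAG.search(content):
            file_license[path] = classify(content)
    bom = [{"path": d or ".", "level": "project" if d == "" else "subfolder", "license": l}
           for d, l in sorted(dir_license.items())]
    bom += [{"path": p, "level": "file", "license": l} for p, l in sorted(file_license.items())]
    # Binaries in a folder with no licence document: the deck says you are on your own.
    bom += [{"path": d, "level": "binary", "license": "MANUAL REVIEW", "files": f}
            for d, f in sorted(binaries.items()) if d not in dir_license]
    return bom

SAMPLE_TREE = {  # constructed sample tree, not a real project
    "LICENSE": "Apache License\nVersion 2.0, January 2004\n...",
    "README.md": "# widget\nBuild with make.",
    "src/main.c": "// SPDX-License-Identifier: MIT\nint main(void) { return 0; }",
    "third_party/zlibish/COPYING": "Permission is hereby granted, free of charge, ...",
    "third_party/netlib/COPYING": "GNU AFFERO GENERAL PUBLIC LICENSE\nVersion 3\n...",
    "lib/vendor.jar": None,
}
```

Running `build_bom(SAMPLE_TREE)` yields one project entry, two subfolder entries, one file-level entry and one MANUAL REVIEW entry for the jar.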
License Compatibility
Licenses with unacceptable terms
Licenses with conflicting terms
– Not all licenses are compatible
– Example: GPL (and its varieties) are incompatible with most other licenses (see https://www.gnu.org/licenses/license-list.html for a detailed list)
Establishing A Baseline
Objective: Identify all 3rd party content and identify licensing attributes
Tasks:
– Inspect all source code and build ingredients to create Bill of Materials (BoM).
– Key files:
• Text files containing license text
• Text files that may make reference to licenses
• Any other documentation
– Determine the distribution method
• Source? Binary? Deployment?
– Assess the fit with the policy
Package Pre-Approval
Evaluate OSS before it is used
Workflow Process
– Request / Assess / Approve-Reject
Information required for pre-approval
– Project & Package Information
• Project name, URL, license, author(s), type, exportability, etc.
– Usage Model
• Distribution model (binary, source, hosted, internal only, etc.)
• Types of derivatives (Modified? Linked? Loosely coupled?)
• Organization specific information
– Business unit
– Business justification
• Maintenance and support
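The "assess the fit with the policy" step of the baseline slide and the assess stage of this pre-approval workflow, as an added example that is not part of the deck: a policy check built from the rules the deck states (copyleft obligations only arise on distribution, AGPL/OSL also count network use, permissive licences need attributions and disclaimers when distributed). The licence groupings, the `Request`/`Decision` types and the choice to record transfers to group companies or outsourcers as "binary"/"source" distribution are assumptions of this example, not legal advice from the presenters.

```python
# Added example: pre-approval policy check modelled on the deck's rules, with
# assumed licence groupings and an assumed policy on what counts as distribution.
from dataclasses import dataclass, field

PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
COPYLEFT = {"GPL-2.0", "GPL-3.0", "MPL-2.0", "MS-PL"}
NETWORK_COPYLEFT = {"AGPL-3.0", "OSL-3.0"}   # network use counts as distribution
# Assumption: supply to customers, group companies or outsourcers is recorded as
# "binary" or "source"; only use inside the legal entity itself is "internal".
DISTRIBUTING = {"binary", "source"}

@dataclass
class Request:
    package: str
    license: str
    distribution: str   # "binary", "source", "hosted" or "internal"
    derivative: str     # "modified", "linked" or "loose"

@dataclass
class Decision:
    verdict: str        # "approve", "review" or "reject"
    obligations: list = field(default_factory=list)

def assess(req):
    lic, dist = req.license, req.distribution
    distributed = dist in DISTRIBUTING or (dist == "hosted" and lic in NETWORK_COPYLEFT)
    if lic in PERMISSIVE:
        d = Decision("approve")
        if dist in DISTRIBUTING:      # compliance: attributions and disclaimers
            d.obligations.append("ship licence text, attributions and disclaimers")
        return d
    if lic in COPYLEFT | NETWORK_COPYLEFT:
        if not distributed:           # copyleft is only relevant on distribution
            return Decision("approve", ["re-assess if the distribution model changes"])
        if req.derivative in {"modified", "linked"}:
            return Decision("reject", [f"product would have to ship under {lic}"])
        return Decision("review", ["confirm the component is not a derivative work",
                                   f"provide corresponding source for the {lic} part"])
    return Decision("review", [f"licence {lic} not in policy: manual legal review"])

if __name__ == "__main__":
    print(assess(Request("netlib", "AGPL-3.0", "hosted", "modified")))
    print(assess(Request("gpltool", "GPL-2.0", "hosted", "linked")))
```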
Automated OSS Management Tools
Commercial tools are available for building and managing a code inventory
– Establish policies, pre-approve packages, establish a baseline
– Scripted bulk analysis, library analysis, build analysis
– Developer Assistant real-time desktop analysis
Complete scanning solution
– Detect third party projects, files or snippets within a portfolio
– Create a Bill of Materials (BoM) of all components
– Report on licenses, copyrights, security vulnerabilities, export control obligations, encryption content
– Detect, interpret and create Software Package Data Exchange (SPDX) files
– Report on license obligations and license compatibilities
– Concatenate licenses and notices for distribution with a product
– Integrate within a development lifecycle using powerful APIs
Accurate and up to date information
– Driven by a reference Global IP Signatures (GIPS) database
– Updated and synchronized with the National Vulnerability Database 24x7
Wrap Up
If you do not use Open Source software, you will be left out
– Managed adoption of Open Source software is the way to go
Compliance requires
– Knowledge of what OSS packages are used
• Creating and maintaining a software Bill of Materials
– Access to OSS package, its licenses, description and notes
– Scanning of the package, determination of its composite nature, declared and hidden licenses
– Ensuring the terms of the sublicenses are compatible and acceptable
– Removing any component that is not needed
Prevention works better than correction
– Package pre-approval, due diligence during development, and at build time
Managing Open Source content requires automated tools
– Manual methods are expensive, inaccurate and take too long
Q&A
Please type your questions into the chat box to the right
About Moorcrofts
Firm wide focus on corporate, tech and HR law
Tech expertise across the board, such as:
– Open source licensing
– Software and Hardware agreements
– IPR protection
– Data security
Work in a range of industries from start ups through to AIM listed businesses, including:
– Lifescience, Biotech and Pharma
– IT
– Financial
– New Media
For more information, contact Andrew Katz +44 1628 470003; [email protected]
About Source Code Control Limited
• Ease the adoption of Open Source Software
• Software source code audits
– Legal risk/licence compliance
– Security vulnerabilities
– Operational risk
• Enable greater use of OSS across the organisation
– Quality code
– Secure code
– Compliant code
• DevOps services
About Protecode
Global Supplier of software compliance and security vulnerability management solutions
Reduce IP uncertainties, manage security vulnerabilities and ensure compliance
Complete Set of Solutions for Managed Adoption of Open Source
Next Steps
• Book an individual discussion: [email protected]
– Managing existing OSS projects
– Planning for future OSS adoption
– Code reviews
• Useful resources
– Open Source Initiative: http://opensource.org/
– Free Software Foundation: http://www.fsf.org/
– BCS Open Source Specialist Group: http://ossg.bcs.org/
– For more information about Source Code Control Limited: http://www.sourcecodecontrol.co
– For more information about Moorcrofts: http://www.moorcrofts.com/
– Whitepapers, case studies and educational videos from Protecode: http://www.protecode.com/resources/