
Page 1: Open Source Software: What Are Your Obligations?

Protecode Inc. 2015

Open Source Software: What Are Your Obligations?

Thursday, April 23rd, 2015

Page 2: Open Source Software: What Are Your Obligations?


Agenda

Open Source Software
– What is Open Source?
– Licence and copyrights overview
– Case studies

Open Source Software Management
– Controlling the adoption of Open Source
  • Are we using it?
  • Open Source attributes. Where are they?
– Software package pre-approval
– Composite projects
– Options: manual versus automated

Wrap up and Q/A

Martin Callinan, Director, Source Code Control

Andrew Katz, Managing Partner/Chief Executive, Moorcrofts LLP

Page 3: Open Source Software: What Are Your Obligations?


Open Source Everywhere

These companies have dedicated OSS Teams

“Every Company Is a Software Company”

– CEO Mendix

Page 4: Open Source Software: What Are Your Obligations?

Linux dominates every sector of computing (except desktop)

http://www.zdnet.com/article/20-great-years-of-linux-and-supercomputers/

Page 5: Open Source Software: What Are Your Obligations?

By 2016, the vast majority of mainstream IT organisations will

use open source in mission-critical solutions.

https://www.gartner.com/doc/2822619

Page 6: Open Source Software: What Are Your Obligations?

o 44% of all code created in the world is OSS and increasing; 80% of newly deployed code is open source
o 31% of OSX is OSS, 75% of Android
o Stats demonstrate OSS more innovative than proprietary
o 36% lower defects in OSS than comparable proprietary code

http://transfersummit.com/sites/default/files/materials/rgardler/ts11daffara-notes.pdf

http://www.openforumacademy.org/library/ofa-fellows-reference-library/ofe-fellows-reference-library/Hosted%20Files/first-conference-proceedingsA4.pdf

Page 7: Open Source Software: What Are Your Obligations?

What is open source?

Page 8: Open Source Software: What Are Your Obligations?

• Source code is available

• Freedom to use (for any purpose)

• Freedom to study and modify

• Freedom to distribute (original or modifications)

Page 9: Open Source Software: What Are Your Obligations?

Open source software still has an owner, and to use

it you need a licence.

Page 10: Open Source Software: What Are Your Obligations?

Open Source Licensing

Page 11: Open Source Software: What Are Your Obligations?

• There are hundreds of different types of licence.

• They range from very simple to more complex.

• Many licences are easy to comply with

• Some licences are subject to “copyleft”

Page 12: Open Source Software: What Are Your Obligations?

• ‘Permissive’ or ‘Academic’ licences

• You can do what you want, including building the code into proprietary products.

• Compliance usually limited to incorporating disclaimers and attributions if you distribute.

• Examples: BSD, Apache

Easy compliance

Page 13: Open Source Software: What Are Your Obligations?

• ‘Reciprocal’, ‘Copyleft’, ‘Sharealike’

• If you distribute the program (as-is, or modified), you must do so under the same terms.

• You can’t incorporate it into proprietary code without the proprietary code becoming subject to the same terms. How far that reach extends varies: the GPL covers the whole combined work, while a file-based licence such as the MPL covers only the files you modify.

• If you breach, you’re in breach of copyright.

• e.g. GPL, Mozilla, Microsoft Public License

Difficult compliance

Page 14: Open Source Software: What Are Your Obligations?

Distribution?

Copyleft licences are only relevant on distribution.

But distribution may mean many things:

• Supply to customers

• Transfer to companies within the same group

• Transfer to an outsourcing provider

• Making the software available over a network (SaaS): some licences (AGPL, OSL) treat this as distribution

Page 15: Open Source Software: What Are Your Obligations?

Distribution in breach of licence is a breach

of copyright.

Page 16: Open Source Software: What Are Your Obligations?

Non-copyright risk issues

Page 17: Open Source Software: What Are Your Obligations?

• Patents – know your exposure, know if you need to get a licence (e.g. codecs)

• Bugs (security, in particular)

Page 18: Open Source Software: What Are Your Obligations?

Why you need to know what code you

are running.

Page 19: Open Source Software: What Are Your Obligations?

Case Studies

Page 20: Open Source Software: What Are Your Obligations?

Financial Services

• Compliance driven by regulator

• Pensions providers required to do due diligence on their service providers to assess risk of software failure

• Our client required to undertake an annual audit of code used to provide solutions to pensions providers

Page 21: Open Source Software: What Are Your Obligations?

M&A Transactions

• Open source due diligence now routine in M&A transactions

• Purchaser/investor will want comfort that the codebase is clean, and that appropriate procedures are in place

Page 22: Open Source Software: What Are Your Obligations?

Heartbleed

• OpenSSL deployed by hundreds of thousands of end-user companies for encryption in web apps and elsewhere

• Trillions of dollars of transactions depend on it

• Critical bug found (CVE-2014-0160, disclosed April 2014): a missing bounds check in the TLS heartbeat extension let a remote peer read up to 64 KB of process memory per request, which could include private keys

• Companies had to answer to shareholders and regulators
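The step Heartbleed forced on every company that did not already know where OpenSSL was deployed is a lookup of a Bill of Materials against an advisory's affected-version range. The following is an added example, not code from the slides or from the firms named on them: the BoM entries and the advisory record format are constructed, while the version range is the published one for CVE-2014-0160 (OpenSSL 1.0.1 through 1.0.1f, fixed in 1.0.1g). It also normalises bundled copies that appear under a library name, and reports entries whose version cannot be parsed instead of silently skipping them.

```python
"""Added example: match a software Bill of Materials against an advisory's
affected-version range.  BoM entries and advisory format are constructed;
the range is the published one for CVE-2014-0160 (OpenSSL 1.0.1..1.0.1f)."""
import re

# Bundled copies of OpenSSL often appear under a library name rather than the
# project name; normalise so the match does not miss them.
COMPONENT_ALIASES = {"libssl": "openssl", "libcrypto": "openssl", "openssl": "openssl"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """'1.0.1f' -> (1, 0, 1, 'f').  A letter release sorts after the bare
    release because '' < 'a', so plain tuple comparison gives the right order."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def is_affected(version, advisory):
    """True if version lies inside any of the advisory's inclusive ranges."""
    v = parse_openssl_version(version)
    return any(parse_openssl_version(lo) <= v <= parse_openssl_version(hi)
               for lo, hi in advisory["affected_ranges"])


def match_advisory(bom, advisory):
    """Return (hits, unknown): BoM entries carrying an affected version of the
    advisory's component, and entries whose version could not be evaluated.
    An SBOM line you cannot evaluate is itself a finding, not something to skip."""
    hits, unknown = [], []
    for entry in bom:
        if COMPONENT_ALIASES.get(entry["component"].lower()) != advisory["component"]:
            continue
        try:
            if is_affected(entry["version"], advisory):
                hits.append(entry)
        except ValueError:
            unknown.append(entry)
    return hits, unknown


# Constructed advisory record for CVE-2014-0160 (Heartbleed).
HEARTBLEED = {
    "id": "CVE-2014-0160",
    "component": "openssl",
    "affected_ranges": [("1.0.1", "1.0.1f")],
    "fixed_in": "1.0.1g",
}

# Constructed BoM: where each copy of OpenSSL lives, including one statically
# linked into a vendor appliance under the library name.
SAMPLE_BOM = [
    {"component": "openssl", "version": "1.0.1e", "where": "web-frontend (Debian package)"},
    {"component": "openssl", "version": "1.0.1g", "where": "api-gateway (patched)"},
    {"component": "openssl", "version": "0.9.8y", "where": "legacy-batch (old branch, not affected)"},
    {"component": "libssl", "version": "1.0.1c", "where": "vendor-appliance firmware (static link)"},
    {"component": "openssl", "version": "1.0.2", "where": "build-server"},
    {"component": "openssl", "version": "unknown", "where": "third-party SaaS connector"},
    {"component": "nginx", "version": "1.4.7", "where": "web-frontend"},
]


def report(bom=SAMPLE_BOM, advisory=HEARTBLEED):
    """Deployments that must be patched, and those whose version must be
    confirmed before they can be cleared."""
    hits, unknown = match_advisory(bom, advisory)
    return ([e["where"] for e in hits], [e["where"] for e in unknown])


if __name__ == "__main__":
    to_patch, to_confirm = report()
    print(f"{HEARTBLEED['id']}: patch to {HEARTBLEED['fixed_in']} on:", *to_patch, sep="\n  ")
    print("version unconfirmed on:", *to_confirm, sep="\n  ")
```

The version parser is deliberately specific to OpenSSL's letter-suffixed scheme; a general SBOM tool needs one comparator per versioning scheme, and an entry that does not parse should surface as work to do, as the "unknown" list does here.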

Page 23: Open Source Software: What Are Your Obligations?

Mitigating risk

• Ensure deep knowledge of your codebase

• Employ appropriate practices and procedures to ensure code cleanliness

• Document provenance

• Test practices and procedures - auditing

Page 24: Open Source Software: What Are Your Obligations?


Martin Callinan – Source Code Control Limited

Open Source Software Management

Page 25: Open Source Software: What Are Your Obligations?


OSS in Organisations

Shall we use OSS, or do we know if we use OSS already?
– Risk assessment
  • Risk of being involved vs risk of not being involved
– Consideration -> Adoption -> Integral part of business

The most common factors affecting use of OSS in software projects
– Concerns regarding intellectual property / licensing
– Concerns regarding the security of the software
– Service & support
– Product capabilities/maturity
– Difficulty of adoption / integration
– Software quality – end user satisfaction
– Software enhancements – innovation over time
– Viability of the open source community


Page 26: Open Source Software: What Are Your Obligations?


Licensing Challenges of OSS

Produced by a large number of developers over time
– Bazaar model: policy of fast and frequent releases, release candidates, possibility of governance impairments

Questionable due diligence efforts of committers
– Re-licensing efforts may not have been correctly handled

Code may:
– Contain nested packages with their own set of issues
– Contain code from books or community websites
– Implement patents
– Implement specifications that are subject to a license
– Contain code generated by a tool where the output could be a derivative of the input
– Contain or implement APIs that may have their own obligations


Page 27: Open Source Software: What Are Your Obligations?


Compliance is not always clear

Open Source projects use open source projects

Composite projects may have multiple licenses
– Project license
  • A top level license, or a top level document listing applicable licenses
  • Look for website information, LICENSE, COPYING, or README files
– Subfolder licenses
  • Indicate sub-level OSS projects
  • Not always present
– File licenses
– Exceptions: subfolder holding binaries or libraries
  • Generally do not have a license document
  • You are on your own to determine the binary or library licenses
– Automated code scanning tools should resolve these cases

Page 28: Open Source Software: What Are Your Obligations?


License Compatibility

Licenses with unacceptable terms

Licenses with conflicting terms
– Not all licenses are compatible
– Example: the GPL (and its varieties) is incompatible with many other licenses, including some other copyleft licenses; see https://www.gnu.org/licenses/license-list.html for a detailed list


Page 29: Open Source Software: What Are Your Obligations?


Establishing A Baseline

Objective: Identify all 3rd party content and identify licensing attributes

Tasks:
– Inspect all source code and build ingredients to create a Bill of Materials (BoM)
– Key files:
  • Text files containing license text
  • Text files that may make reference to licenses
  • Any other documentation
– Determine the distribution method
  • Source? Binary? Deployment?
– Assess the fit with the policy

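The two preceding slides describe where licence evidence lives in a composite tree (project-level LICENSE/COPYING/README, subfolder licences, file-level licences, and binary folders with no licence document) and the baseline task of turning that evidence into a Bill of Materials. The following is an added example, not Protecode's or Source Code Control's code, of that first pass: it walks a tree, records licence documents per folder with a guess at the licence they contain, collects SPDX-License-Identifier tags from source files, resolves which licence document governs each folder, and reports the two cases the slides warn about, a file tag that disagrees with the governing licence (a "hidden" licence) and binaries with no licence document at all. The signature phrases are short excerpts from the real licence texts; the sample tree, file names and the "-only" choice for the GPL guess are constructed for the example.

```python
"""Added example: build a first-pass BoM from licence evidence in a source
tree.  Sample tree and file names are constructed; licence signatures are
excerpts of the real texts, and a match is a guess for review, not a legal
determination."""
import os
import re
import tempfile

LICENSE_DOC_NAMES = {"license", "license.txt", "license.md", "copying",
                     "copying.txt", "notice", "readme", "readme.md"}
BINARY_SUFFIXES = {".so", ".dll", ".dylib", ".a", ".jar", ".o", ".exe"}
LICENSE_SIGNATURES = [
    ("Apache-2.0", re.compile(r"Apache License[\s,]+Version 2\.0")),
    ("GPL-2.0-only", re.compile(r"GNU GENERAL PUBLIC LICENSE\s+Version 2\b")),
    ("GPL-3.0-only", re.compile(r"GNU GENERAL PUBLIC LICENSE\s+Version 3\b")),
    ("MIT", re.compile(r"Permission is hereby granted, free of charge")),
    ("BSD", re.compile(r"Redistribution and use in source and binary forms")),
]
SPDX_TAG = re.compile(r"SPDX-License-Identifier:\s*([A-Za-z0-9.+-]+)")


def read_text(path):
    """Decoded file contents, or None if the file looks binary (NUL byte)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return None if b"\x00" in data else data.decode("utf-8", errors="replace")


def guess_license(text):
    """First licence whose signature phrase appears in text, else None."""
    for spdx_id, pattern in LICENSE_SIGNATURES:
        if pattern.search(text):
            return spdx_id
    return None


def scan_tree(root):
    """BoM keyed by folder (relative, '/'-separated, '.' for the root)."""
    bom = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = os.path.relpath(dirpath, root).replace(os.sep, "/")
        entry = bom.setdefault(folder, {"declared": set(), "file_tags": set(),
                                        "license_docs": [], "binaries": []})
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            text = None if os.path.splitext(name)[1].lower() in BINARY_SUFFIXES else read_text(path)
            if text is None:
                entry["binaries"].append(name)       # no text to read a licence from
                continue
            if name.lower() in LICENSE_DOC_NAMES:    # project / subfolder licence document
                entry["license_docs"].append(name)
                guess = guess_license(text)
                if guess:
                    entry["declared"].add(guess)
            for m in SPDX_TAG.finditer(text):        # file-level licence evidence
                entry["file_tags"].add(m.group(1))
    return bom


def effective_license(bom, folder):
    """Declared licences of the nearest folder at or above `folder`: a subfolder
    with its own COPYING overrides the project licence, otherwise it inherits."""
    parts = [] if folder == "." else folder.split("/")
    while True:
        key = "/".join(parts) or "."
        declared = bom.get(key, {}).get("declared", set())
        if declared or not parts:
            return sorted(declared)
        parts.pop()


def findings(bom):
    """(folder, kind, detail) triples: file tags that disagree with the governing
    licence document, and binaries in folders with no licence document."""
    issues = []
    for folder, entry in sorted(bom.items()):
        governing = effective_license(bom, folder)
        for tag in sorted(entry["file_tags"]):
            if tag not in governing:
                issues.append((folder, "hidden-license", tag))
        if entry["binaries"] and not entry["license_docs"]:
            for name in entry["binaries"]:
                issues.append((folder, "undetermined-binary", name))
    return issues


def build_sample_tree():
    """Constructed composite project: Apache-licensed app, a vendored GPL-3.0
    library with its own COPYING, a GPL-2.0-tagged file hiding under the Apache
    tree, and a binary-only folder with no licence document."""
    root = tempfile.mkdtemp(prefix="oss-bom-")
    files = {
        "LICENSE": "Apache License\nVersion 2.0, January 2004\nhttp://www.apache.org/licenses/\n",
        "src/app.py": "# SPDX-License-Identifier: Apache-2.0\nprint('hello')\n",
        "src/fastsort.c": "/* SPDX-License-Identifier: GPL-2.0-only */\nint sort(void){return 0;}\n",
        "third_party/zlog/COPYING": "GNU GENERAL PUBLIC LICENSE\nVersion 3, 29 June 2007\n",
        "third_party/zlog/zlog.c": "int zlog_init(void){return 0;}\n",
        "lib/libcrypto_shim.so": b"\x7fELF\x02\x01\x01\x00\x00\x00",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(content, bytes) else "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    tree = scan_tree(build_sample_tree())
    for folder in sorted(tree):
        print(f"{folder:22s} governing={effective_license(tree, folder)}")
    for issue in findings(tree):
        print("FINDING", *issue)
```

Signature matching on a handful of phrases is only a triage step: it cannot tell "GPL-2.0-only" from "GPL-2.0-or-later" (that comes from the project's own notices), and it says nothing about the binaries it flags, which is exactly the case the slide says you must resolve yourself or with a signature database.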

Page 30: Open Source Software: What Are Your Obligations?


Package Pre-Approval

Evaluate OSS before it is used

Workflow Process
– Request/Assess/Approve-Reject

Information required for pre-approval
– Project & Package Information
  • Project name, URL, license, author(s), type, exportability, etc.
– Usage Model
  • Distribution model (binary, source, hosted, internal only, etc.)
  • Types of derivatives (Modified? Linked? Loosely coupled?)
  • Organization specific information
    – Business unit
    – Business justification
  • Maintenance and support

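The pre-approval form above collects exactly the facts that decide the outcome: the licence, the distribution model, and the kind of derivative. Earlier slides supply the rules (copyleft obligations arise only on distribution; AGPL and OSL treat network use as distribution; permissive licences need only notices and disclaimers; some licence pairs conflict). The following is an added example, not the workflow engine of any tool on the slides, that encodes those rules as a policy table and evaluates a request against it, so Request/Assess/Approve-Reject gives the same answer for the same facts. The forbidden licence, the distribution-model names and the request fields are constructed; the one incompatible pair encoded (Apache-2.0 with GPL-2.0) is taken from the GNU licence list.

```python
"""Added example: data-driven package pre-approval.  Policy table, request
fields and distribution models are constructed for the example; licence
categories follow the slides.  Only strong copyleft is modelled; file-level
copyleft such as MPL needs its own row and is deliberately left out."""

PERMISSIVE = {"MIT", "BSD-3-Clause", "Apache-2.0"}
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only"}
NETWORK_COPYLEFT = {"AGPL-3.0-only", "OSL-3.0"}

# Distribution models from the request form.  'internal' assumes the code never
# leaves the organisation; a transfer to a group company or an outsourcer may
# itself be a distribution and should be requested as 'binary' or 'source'.
DISTRIBUTING = {"source", "binary"}
NETWORK_USE = {"hosted"}

POLICY = {
    # Licences whose terms the (hypothetical) organisation will not accept.
    "forbidden": {"LicenseRef-eval-only"},
    # Licence pairs that cannot be combined in one distributed work.
    "incompatible_pairs": {frozenset({"GPL-2.0-only", "Apache-2.0"})},
}


def evaluate_request(req, policy=POLICY):
    """Return (decision, obligations, reasons) for one request.
    req: {'name', 'license', 'distribution', 'derivative', 'proprietary'} with
    derivative in {'unmodified', 'modified', 'linked', 'loosely-coupled'}."""
    lic, dist, deriv = req["license"], req["distribution"], req["derivative"]
    obligations, reasons = [], []

    if lic in policy["forbidden"]:
        return "reject", obligations, [f"{lic} is on the unacceptable-terms list"]

    # Copyleft only bites on distribution; for AGPL/OSL, network use counts.
    distributed = dist in DISTRIBUTING or (dist in NETWORK_USE and lic in NETWORK_COPYLEFT)
    if not distributed:
        reasons.append(f"{dist}: not a distribution for {lic}, no licence obligations triggered")
        return "approve", obligations, reasons

    if lic in PERMISSIVE:
        obligations += ["include the licence text and copyright notices",
                        "include the warranty disclaimer"]
        return "approve", obligations, reasons

    if lic in COPYLEFT or lic in NETWORK_COPYLEFT:
        obligations += ["ship the work under the same licence terms",
                        "make the corresponding source available"]
        if deriv in {"modified", "linked"} and req["proprietary"]:
            reasons.append("copyleft code combined into a proprietary product")
            return "reject", obligations, reasons
        if deriv == "loosely-coupled":
            reasons.append("component boundary must be confirmed by legal review")
            return "review", obligations, reasons
        return "approve", obligations, reasons

    reasons.append(f"{lic} is not classified in the policy tables")
    return "review", obligations, reasons


def check_compatibility(licenses, policy=POLICY):
    """Sorted (a, b) pairs present in `licenses` that the policy marks incompatible."""
    present = set(licenses)
    return sorted(tuple(sorted(pair)) for pair in policy["incompatible_pairs"] if pair <= present)


if __name__ == "__main__":
    requests = [
        {"name": "zlog", "license": "GPL-3.0-only", "distribution": "binary",
         "derivative": "linked", "proprietary": True},
        {"name": "zlog", "license": "GPL-3.0-only", "distribution": "hosted",
         "derivative": "linked", "proprietary": True},
        {"name": "ghostmail", "license": "AGPL-3.0-only", "distribution": "hosted",
         "derivative": "modified", "proprietary": True},
        {"name": "leftpad", "license": "MIT", "distribution": "binary",
         "derivative": "unmodified", "proprietary": True},
    ]
    for r in requests:
        decision, obligations, reasons = evaluate_request(r)
        print(f"{r['name']:10s} {r['license']:14s} {r['distribution']:8s} -> {decision}",
              reasons, obligations)
    print("conflicts:", check_compatibility({"GPL-2.0-only", "Apache-2.0", "MIT"}))
```

Note the two "hosted" requests: the same GPL component is approved with no obligations when only offered as a service, while the AGPL one is rejected, which is the AGPL/OSL distinction from the distribution slide. Anything the tables do not classify goes to review rather than being approved by default.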

Page 31: Open Source Software: What Are Your Obligations?


Automated OSS Management Tools

Commercial tools are available for building and managing a code inventory
– Establish policies, pre-approve packages, establish a baseline
– Scripted bulk analysis, library analysis, build analysis
– Developer Assistant real-time desktop analysis

Complete scanning solution
– Detect third party projects, files or snippets within a portfolio
– Create a Bill of Materials (BoM) of all components
– Report on licenses, copyrights, security vulnerabilities, export control obligations, encryption content
– Detect, interpret and create Software Package Data Exchange (SPDX) files
– Report on license obligations and license compatibilities
– Concatenate licenses and notices for distribution with a product
– Integrate within a development lifecycle using powerful APIs

Accurate and up to date information
– Driven by a reference Global IP Signatures (GIPS) database
– Updated and synchronized with the National Vulnerability Database 24x7

Page 32: Open Source Software: What Are Your Obligations?


Wrap Up

If you do not use Open Source software, you will be left out
– Managed adoption of Open Source software is the way to go

Compliance requires
– Knowledge of what OSS packages are used
  • Creating and maintaining a software Bill of Materials
– Access to the OSS package, its licenses, description and notes
– Scanning of the package, determination of its composite nature, declared and hidden licenses
– Ensuring the terms of the sublicenses are compatible and acceptable
– Removing any component that is not needed

Prevention works better than correction
– Package pre-approval, due diligence during development, and at build time

Managing Open Source content requires automated tools
– Manual methods are expensive, inaccurate and take too long


Page 33: Open Source Software: What Are Your Obligations?


Q&A

Please type your questions into the chat box to the right

Page 34: Open Source Software: What Are Your Obligations?


About Moorcrofts

Firm wide focus on corporate, tech and HR law

Tech expertise across the board, such as:
– Open source licensing
– Software and hardware agreements
– IPR protection
– Data security

Work in a range of industries from start-ups through to AIM-listed businesses, including:
– Life science, biotech and pharma
– IT
– Financial
– New media

For more information, contact Andrew Katz +44 1628 470003; [email protected]

Page 35: Open Source Software: What Are Your Obligations?


About Source Code Control Limited

• Ease the adoption of Open Source Software
• Software source code audits
  • Legal risk/licence compliance
  • Security vulnerabilities
  • Operational risk
• Enable greater use of OSS across the organisation
  • Quality code
  • Secure code
  • Compliant code
• DevOps services

Page 36: Open Source Software: What Are Your Obligations?


About Protecode

Global supplier of software compliance and security vulnerability management solutions

Reduce IP uncertainties, manage security vulnerabilities and ensure compliance

Complete set of solutions for managed adoption of Open Source

Page 37: Open Source Software: What Are Your Obligations?


Next Steps

• Book an individual discussion: [email protected]
  • Managing existing OSS projects
  • Planning for future OSS adoption
  • Code reviews

• Useful resources
  • Open Source Initiative: http://opensource.org/
  • Free Software Foundation: http://www.fsf.org/
  • BCS Open Source Specialist Group: http://ossg.bcs.org/
  • For more information about Source Code Control Limited: http://www.sourcecodecontrol.co
  • For more information about Moorcrofts: http://www.moorcrofts.com/
  • Whitepapers, case studies and educational videos from Protecode: http://www.protecode.com/resources/

Page 38: Open Source Software: What Are Your Obligations?


[email protected]