By Matt Jacobs, General Counsel, Black Duck Software
Overview
The increasing adoption of open source software (OSS) is fundamentally changing many companies' software development processes. Gartner predicts that by 2016, OSS will be included in mission-critical software portfolios in 99 percent of Global 2000 enterprises. More likely than not, your organization is using OSS in internal as well as customer-facing software. To maximize the benefits of open source code to improve agility and speed time to market, companies must develop strategic plans for improving OSS governance, automating management processes, and minimizing security and operational risks.
The following are tips to help your organization create the right balance between management controls and empowering development teams to leverage the abundance of high quality, secure open source code. They're designed to help you establish the best approach for your company to effectively manage the logistics of using OSS as part of its software code base, to drive innovation and lower costs.
1. Develop policies for using external code
The first step in governing the use of OSS is having a policy in place. The absence of a clearly defined and stated policy leads to the uncontrolled use of OSS, which exposes your company to considerable operational, compliance, legal, and security risks. IT development organizations that use externally-sourced code must be certain that all applications are developed and deployed in accordance with these policies. IT executives must work with the legal department to ensure that governance policies for external code use are defined, communicated, and closely managed. This will help minimize the potential risks that can come with the use of external code.
2. Automate the management of OSS usage
Even the best OSS use policy won't be effective unless you establish an environment to facilitate its efficient execution. If you have a strong governance policy that's not implemented efficiently, your development group may not follow the policy, or may avoid using OSS because it's perceived as too difficult. Too often, organizations attempt to implement policies through manual methods that slow down the development process. The key to effective policy implementation is automation. To gain control, you should consider using a management platform that automates the key processes associated with using OSS: search, selection, validation, approval, and monitoring. By automating its management and usage, you can streamline processes, speed up time-to-solution, and provide excellent visibility into external code throughout the development lifecycle.
3. Scan incoming components to ensure developers only use compliant code
Developers can unknowingly introduce external code that fails to comply with corporate policies, contains security vulnerabilities, is not properly licensed, or introduces license conflicts. To ensure that only compliant code is introduced into your organization's development projects, you should consider providing your developers with a management tool that scans incoming code before it is selected for a project, to make sure it complies with your company's policies and to minimize risks.
4. Give developers a single place to search for pre-approved external code and provide scalable search technologies to identify opportunities for source code reuse
Rather than performing random searches for externally-sourced components and their associated metadata, developers benefit from having access to a centralized repository where they can easily search for pre-approved OSS. Developers want fast, efficient searches, and your company benefits from ensuring they can access code that meets its quality, security, and licensing standards and policies. Reusable code, previously approved and housed in an internally-accessible catalog, often provides the most efficient solution.
5. Provide developers with a quick, accurate way to validate code
Developers need a fast, effective way to validate that what has been approved is what's actually built and deployed. Too often, development teams uncover discrepancies between the bill of materials and the source code once an application is built, leading to rework, lost opportunity, and increased costs. Your company will benefit from giving developers an accurate way to identify inconsistencies between the approved bill of materials and what is being built, preferably in real time and with an audit trail, to save time, ensure compliance, and eliminate wasted effort.
6. Establish an automated approval process
It's critical to establish a third-party code approval process within your development organization. Without formal approval processes in place, you risk introducing code that fails to comply with corporate policies, contains security or license vulnerabilities, or includes bugs. Companies should also ensure that approval processes are implemented through automated workflows. Manual approval processes can hamper the use of externally-sourced code, not to mention lengthening development schedules.
7. Monitor externally-sourced code once it's put into use
When development groups integrate external code into their applications and services, problems can arise post-deployment, including the discovery of new security vulnerabilities, new versions, and other problems. It's important to give development organizations an effective way to monitor externally-sourced code once it's put into use. It's also critical to monitor this code on a regular basis to give development managers visibility into which components are deployed where. Monitoring also makes it easier to track down bugs, defects, and security vulnerabilities across multiple code repositories distributed across the enterprise.
8. Integrate OSS tools into your application lifecycle management toolset and internal workflows
Coupling tools and processes through the integration of an OSS toolset into application lifecycle management tools and workflows reduces time to market, saves money, and introduces a best practices approach to software development. These steps help your organization develop and optimize an effective program to search, select, manage, and monitor its use of OSS.
9. Identify encryption code embedded in complex software to comply with applicable international regulations
Governments around the world regulate the commercial export of software containing encryption algorithms. Your company should be aware of the cryptographic content in its software to comply with these regulations. But identifying encryption algorithms within large code bases can be a time-consuming, error-prone process. Automating this process will save time and give your organization more reliable metrics to ensure compliance.
10. When evaluating potential acquisitions or divestitures, make sure to identify OSS and its related provenance and licensing obligations
Depending on your business context, knowing what OSS-related intellectual property you possess will help you:
- Reduce business risk
- Enhance value Accelerate transactions through the enhanced value of due diligence
- Develop more trusted customer relationships
Conclusion
Innovation strategies for software development organizations increasingly include leveraging a complex development process that takes advantage of the increasing availability of OSS components and building blocks. OSS helps companies develop innovative products faster and more securely, while reducing costs. But this is just one piece of the logistical puzzle. To fully leverage their use of OSS, organizations should carefully select tools for managing open source across the application lifecycle (search, selection, approvals, validation and monitoring). And these tools should be integrated within application lifecycle management workflows.
This approach allows development organizations to take control of their OSS usage. It provides unprecedented visibility into which components get used where, without adding extra overhead or burdens on development groups. With these guidelines, your enterprise can gain systematic control over the successful integration of open source into the development and deployment of software.