When I look at the landscape of open source governance and compliance, I am reminded how much fear drives the industry today. We often see the pitch of governance and compliance services as a way to root out unfavorable licenses, especially licenses from the GPL family. Sometimes in discussions, open source scanning is compared to computer virus scanning. Unfortunately, too many people seem to feel this is an appropriate comparison, and approach open source compliance as a search-and-destroy mission. Despite the term "viral," used for copyleft license models, open source is not a virus to be hunted down and exterminated.
Open source software is everywhere, literally. Unless you write 100% of the code used in your application from scratch, there is a very good chance you are using open source software. And, unfortunately, your use of open source is not necessarily intentional. In 2008 Gartner predicted that by now 80% of commercial applications would include open source software. More recently, in 2011, Gartner predicted that 99% of Global 2000 enterprises would include Open Source Software (OSS) in their mission-critical software portfolios by 2016 (as reported by Business 2 Community).
At a basic level, OSS scanners, such as OpenLogic's OSS Deep Discovery, analyze software development projects looking for components that come from OSS projects. They tie their results to in-depth information about those projects: licensing information and even project support. If you're a developer or a project manager, here are some reasons you might want to run one on your project.
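To make the scanning step concrete, here is an added toy example (it is not code from OpenLogic or from OSS Deep Discovery) of the two basic techniques such a scanner combines: exact-match fingerprinting of file contents against a knowledge base of known OSS files, and parsing of dependency manifests. The knowledge base, package names, licenses and review policy below are all constructed for the example; a real scanner carries millions of fingerprints and usually adds snippet-level matching. The sample project it builds deliberately contains a GPL-licensed file that a developer copied in and renamed, which no manifest mentions, to show why a file-level scan catches unintentional use that a manifest check alone would miss.

```python
"""Toy OSS component scanner: file fingerprinting plus manifest parsing (constructed example)."""
import hashlib
import os
import tempfile

# Constructed knowledge base: SHA-256 of known upstream file contents -> project metadata.
KNOWN_FILES = {}

# Constructed license metadata for packages that may appear in manifests.
KNOWN_PACKAGES = {
    "example-http": {"license": "Apache-2.0"},
    "example-crypto": {"license": "LGPL-2.1"},
}

# Hypothetical review-board policy: licenses allowed outright vs. needing review.
LICENSE_POLICY = {
    "MIT": "allowed",
    "Apache-2.0": "allowed",
    "LGPL-2.1": "review",
    "GPL-3.0": "review",
}


def fingerprint(data: bytes) -> str:
    """Exact-match fingerprint of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def register_known_file(content: bytes, project: str, version: str, license_id: str) -> None:
    """Add one upstream file to the toy knowledge base."""
    KNOWN_FILES[fingerprint(content)] = {"project": project, "version": version, "license": license_id}


# Two constructed "upstream" files the scanner knows about.
UTIL_SRC = b"/* example-utils 1.0 - MIT License */\nfunction debounce(fn, ms) {}\n"
PARSER_SRC = b"/* example-parser 2.3 - GPL-3.0 */\nint parse_record(const char *s) { return 0; }\n"
register_known_file(UTIL_SRC, "example-utils", "1.0", "MIT")
register_known_file(PARSER_SRC, "example-parser", "2.3", "GPL-3.0")


def parse_requirements(text: str):
    """Parse a pip-style requirements file into (name, version) pairs.
    Handles 'name==version', bare 'name', trailing comments and blank lines."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps.append((name.strip().lower(), version.strip() or None))
    return deps


def scan_tree(root: str):
    """Walk a source tree and report OSS components found by fingerprint or manifest,
    tagging each finding with the policy outcome for its license."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            hit = KNOWN_FILES.get(fingerprint(data))
            if hit:  # vendored/copied upstream file, regardless of its local name
                findings.append({"path": os.path.relpath(path, root), "method": "fingerprint", **hit})
            if name == "requirements.txt":  # declared dependencies
                for dep, version in parse_requirements(data.decode("utf-8", "replace")):
                    meta = KNOWN_PACKAGES.get(dep, {"license": "unknown"})
                    findings.append({"path": os.path.relpath(path, root), "method": "manifest",
                                     "project": dep, "version": version, "license": meta["license"]})
    for f in findings:
        f["policy"] = LICENSE_POLICY.get(f["license"], "unknown")
    return findings


def needs_review(findings):
    """Everything the policy does not allow outright (including unknown licenses)."""
    return [f for f in findings if f["policy"] != "allowed"]


def build_sample_project() -> str:
    """Constructed sample tree: two declared dependencies plus a vendored, renamed GPL file."""
    root = tempfile.mkdtemp(prefix="oss-scan-")
    os.makedirs(os.path.join(root, "src"))
    with open(os.path.join(root, "requirements.txt"), "w") as fh:
        fh.write("example-http==1.4.2\nexample-crypto  # pinned elsewhere\n")
    with open(os.path.join(root, "src", "helpers.c"), "wb") as fh:
        fh.write(PARSER_SRC)  # copied in by a developer and renamed; no manifest mentions it
    with open(os.path.join(root, "src", "app.c"), "wb") as fh:
        fh.write(b"int main(void) { return 0; }\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_project()):
        print(f"{f['policy']:8} {f['license']:10} {f['project']} via {f['method']} ({f['path']})")
```

Run stand-alone, the scan reports the declared `example-http` dependency as allowed, the declared `example-crypto` dependency as needing review, and the renamed `src/helpers.c` as the GPL-3.0 `example-parser` file found by fingerprint rather than by any manifest. Exact hashing is the simplest possible matcher; the same reporting structure applies when the matcher is replaced by snippet or fuzzy matching.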
Companies can increase the usage of some of the most innovative technology in the world, open source software, and manage the risk that comes along with it by creating policies that effectively build awareness, provide control mechanisms and promote low overhead compliance.
In my last article, Open Source Software Compliance: How Well Are You Rating Risk?, we took a look at the key factors in determining risk associated with the use of Open Source Software (OSS). In this article I will be discussing how you can use those factors to develop a risk matrix to assist you in assessing your overall risk.
A critical consideration in a corporate open source software provisioning strategy is the maturity of the project's community and the likelihood that the community will keep developing the project over the long term.
Without an effective internal OSS governance strategy, enterprises both large and small are susceptible to problems and risks that can surface quickly when there is a lack of understanding and acceptance of open source software issues.
Many organizations have begun to adopt a "risk rating" as part of their open source software compliance and usage discussions. Some of the information-gathering requirements for assessing risk are relatively easy to meet, while others require much more effort. There are many factors to consider, and as you decide which factors matter to your organization you will need to weigh the time investment required to research and obtain the information behind each one.
The real-world example for this level of diligence goes back to having and managing an actionable open source policy. Open source review boards that hold monthly, bi-monthly, weekly, or even impromptu daily meetings about what can and cannot be used, and under what conditions, need the ability to quickly identify and document these occurrences, make decisions, implement critical policy rule changes and communicate all of this easily to the organization. One new or changed file can make a big difference in protecting millions of dollars of development and intellectual property.
If you read a post on The Enterprise OSS Blog, please leave a comment. Let us know what you think, even if it's just a few words. Comments do not require approval, but they are moderated. OpenLogic reserves the right to remove any comments it deems inappropriate.