The Enterprise Open Source Blog
Building the Business Case for Open Source Code Scanning

Posted by Jesse Hood on Fri, Mar 30, 2012
I often talk to people who are having a hard time developing the business case for purchasing and implementing a source code scanning tool or purchasing an application audit service. I respond by explaining that a legitimate and successful business case in 2012 needs to include the following:

    • At minimum, a general understanding of the basics of open source software
    • Both the want and the need to find and implement a solution
    • The organizational drivers and resources to develop a solution to a problem, or to enhance and complement an existing system that lacks efficiency or accuracy
    • Cross-functional approvals and resources from multiple departments
    • Accurate and balanced vendor evaluation and selection criteria


Hopefully some of the ideas in this article will resonate and help you continue building the business case as you consider how or when to start a scanning and license compliance initiative.

I’m going to start with the “want to”: a company that understands that complying with all licenses for third party code it uses, including open source software, is the right thing to do. Yet that company may not have the resources or urgency to make the purchase and implement a plan. As a result, the “want to” is always harder to sell than the “need to.”

Complying with open source licenses, as requested by the original authors of open source projects, is the responsible approach to using other people’s software.  To quote a colleague of mine on our engineering team, “it’s generally frowned upon to use someone else’s software code without proper attributions.”  Scanning software code is now a pretty important part of ongoing compliance strategies for organizations.  Those that understand this and appreciate the hard work of others want to comply, and are complying, to the best of their ability.

The founding ideology of this industry still exists today for good reason, and the organizations in North America and Europe that are interested in ensuring license compliance are doing so to keep open source alive and healthy. In fact, one could present numerous arguments and examples to support the fact that our day-to-day lives now rely on open source software. Consumer products like smart phones, newer cars, flat screen TVs, most computers, all ISPs, probably any cloud computing environment, maybe even a brand new waffle maker, all have open source software embedded in them. Those open source software components are most likely, if not definitely, being re-used by the company distributing them in its products. The reality is that if any company intends to keep using open source and selling technology that exists because of the history of the open source industry, then respecting the terms of open source licenses is just as important as respecting any commercial software license.

The “need to” category represents potential business risks that turn the "want" into an immediate need.  Below are several examples as to why an organization needs to implement an open source scanning solution:

    • The organization understands and values all of the reasons included in the “want to” category and realizes that every day that passes without implementing some kind of process to proactively vet code bases for open source is increasing the exposure and risk of a “want to” turning into a “need to immediately.”  The final outcome of some of these projects might identify a very low level of risk and exposure.  Nevertheless, not actively addressing this potential (in order to determine risk) is a very dangerous approach to the use of open source software.

    • The organization has unknown exposure to security vulnerabilities in old versions of open source or the organization has already had some kind of breach in security due to an outdated open source environment.

    • There is a product road map or technology release schedule for the organization that has made an intentional (or unintentional) decision to distribute open source software in a commercial product or to use open source in a customer-facing web site.

    • The organization has been contacted by one of the governing bodies that are interested in enforcing license compliance, or the individual author of an open source product has contacted the organization directly to inquire about the usage of their copyrighted software. If this kind of inquiry goes unanswered, the worst-case scenario is a suit eventually being brought against the organization(s) in question for violating the license or copyright.

    • There is a merger and acquisition (or divestiture) planned sometime in the calendar year and the assets to be acquired (or sold) have a known or high probability of including open source components.

    • There has been significant turnover in the personnel that have been involved in the use of open source, and collecting any voluntary information about the usage and associated licenses would be impossible.

    • The organization outsources software development to a third party and:

        • The third party disclaims any OSS usage but won't represent and warrant it in a contract (HUGE RED FLAG)

        • The third party discloses some amount of OSS usage but cannot easily and quickly produce a list of components

        • The third party discloses OSS usage and delivers a bill of materials and associated licenses but the nature of the transaction(s) and distribution require additional due diligence.

        • The third party unknowingly includes open source in the product they develop.

The thing is, your company may not "need to" right now, but is it worth waiting until there is an urgent reason and scrambling to find a solution? The best business case is the one that takes a proactive approach rather than a reactive one.

A few other considerations are included in my older blog articles, and if there are other valuable reasons that our audience “wants to” or “needs to” start scanning source code to identify open source, please engage in a discussion on the forum below!
This work is licensed under a Creative Commons Attribution 3.0 Unported License