Open Source Provisioning and Source Code Scanning for the Enterprise
Documenting the provisioning channel(s) of open source downloads, together with ongoing use of open source scanning tools, is now an industry best practice that minimizes the potential for license violations.
So how do enterprises approach the seemingly massive challenge of choosing from so many different bits and bytes, and then vetting that code weeks or months after making their selections?
It’s almost as simple as balancing your checkbook (if anyone even uses those general ledgers anymore). Keep in mind that the first time I tried to balance a checkbook I needed some help from someone who had been doing it for a while. We all hopefully know exactly where every penny and dollar comes from in our bank accounts, and hopefully know exactly where it goes when it leaves.
The same methodology applies to a corporate open source policy management strategy. Clearly, in today’s globally distributed business world this practice is a bit more complex than your personal finances, but the general ideas are the same. Open source adoption now demands a similar level of attention as your bank account does, for both technical and legal reasons. If you are following the analogy so far, unless bankruptcy is the goal, documenting provisioning and regular source code scanning are critical.
With a little education, understanding, and the right tools in place an organization’s OSS management system will absolutely succeed for the foreseeable future of their industry.
Would you deposit a check into your bank account if you were not 99-100% certain of its origin? How about accepting a foreign draft or wire transfer? Didn’t think so… Cash is the exception. For today’s analogy we will put cash in a category similar to commercially licensed open source products; nothing wrong with cash, I love the stuff! It is easy to use, but I rarely find it just lying around, I usually have to work hard for it, and I know who gave it to me when it comes my way.
This discussion is focused on the community distributions of open source that are under OSS licenses and can be freely downloaded from the net at no cost. Enterprises are now thinking about their open source adoption strategy in a similar context to a bank account. I have to authorize money going into my bank account; even if someone else is depositing it, I have to give him or her permission to do so by consenting and providing the account information.
If there is a 1 or 2% chance that I don’t know exactly where the money (code and licenses) is provisioned from, why it’s coming into my bank account (past the corporate firewall), and, thinking ahead, what I am budgeting that money for (where, when, and why this code will be used), then it probably shouldn’t be there to begin with.
The OLEX repository has enterprise certification criteria that need to be met before any open source code or binary can be provisioned from it as a download. In a corporate setting with an open source policy in place, I can declare in OLEX why I think downloading a specific product is a good idea: what I will be using it for, how I will be using it, and where it will finally end up. By doing so I have quickly documented critical information that helps me and my colleagues understand the business need and the usage model, and evaluate the technical and legal sustainability of my new OSS environment.
At some point I will have to spend my money… In most places in the world we are free to spend our money on just about anything we want. Similarly, in 80-90% of corporate open source environments today, the products and licenses can be used in just about any way the end users would like. However, if I haven’t accurately documented the provisioning of money (code and licenses) into my bank account (corporate data center, SVN/CVS repository, build environments, etc…), then I could easily be setting myself up for disaster.
Regular inventory and source code scanning are a lot like balancing the checkbook; they have become a long-term strategic initiative for success. Source code scanning ensures that any OSS environment is accurately documented: if we miss something in the provisioning stage, we can catch it during the source code scanning exercise and re-evaluate in order to make good decisions, do some education, and possibly remediate. Granted, the many license types and potential modifications of source code can make source code scanning more like algebra or trigonometry than addition and subtraction, but that is why there are highly specialized source code scanning analysis tools and experts to help enterprises get started.
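As an added illustration of "balancing the checkbook" (example code written for this post, not OLEX's or OpenLogic's own tooling): a provisioning ledger of what was declared at download time is reconciled against the output of a source code scan of the build tree. Both data sets, the component names, licenses and paths, and the review policy are constructed placeholders, not real scan results or OLEX certification criteria.

```python
# Constructed provisioning ledger: what each download was declared for
# (license, business need, where it will end up). Hypothetical data.
LEDGER = {
    "apache-commons-lang": {"license": "Apache-2.0", "purpose": "string utils",
                            "destination": "billing-service"},
    "jquery": {"license": "MIT", "purpose": "web UI",
               "destination": "customer-portal"},
    "readline-wrapper": {"license": "GPL-3.0", "purpose": "internal CLI",
                         "destination": "ops-tools"},
}

# Constructed source code scan of the build tree: what is actually present,
# with the license the scanner detected. Hypothetical data.
SCAN = [
    {"component": "apache-commons-lang", "license": "Apache-2.0",
     "path": "billing-service/lib"},
    {"component": "jquery", "license": "GPL-2.0",          # license drifted
     "path": "customer-portal/static"},
    {"component": "readline-wrapper", "license": "GPL-3.0",
     "path": "billing-service/lib"},                        # wrong destination
    {"component": "leftpad-clone", "license": "AGPL-3.0",
     "path": "customer-portal/static"},                     # never declared
]


def reconcile(ledger, scan):
    """Balance the books: compare the declared ledger against the scan.

    Returns a list of (finding, component, detail) tuples. An empty list
    means every scanned component was declared, carries the declared
    license, sits where it was budgeted for, and nothing declared is missing.
    """
    findings = []
    seen = set()
    for hit in scan:
        name = hit["component"]
        seen.add(name)
        declared = ledger.get(name)
        if declared is None:
            # Money in the account nobody authorized: investigate first.
            findings.append(("undeclared", name, hit["path"]))
            continue
        if declared["license"] != hit["license"]:
            findings.append(("license-mismatch", name,
                             f'{declared["license"]}!={hit["license"]}'))
        if not hit["path"].startswith(declared["destination"]):
            findings.append(("unexpected-location", name, hit["path"]))
    for name in ledger:
        if name not in seen:  # budgeted for, but never actually spent
            findings.append(("declared-not-found", name,
                             ledger[name]["destination"]))
    return findings
```

Each finding feeds the re-evaluation step: an undeclared component goes back through provisioning, a license mismatch or unexpected location is re-checked against the policy, and a declared-but-missing entry is a stale ledger line to close out.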
Stay tuned: in a few weeks we’ll explore more technical details of how to successfully approach open source application auditing on a massive amount of valuable legacy code… similar to auditing a massive inheritance of wealth combining monetary and physical property.