Presented at Sensors Expo and Conference 2015, this session covers: Trends in open source software (OSS); The open source audit and license identification; Developing an OSS process and policy; Compliance; and Legal implications.
The open source revolution is in full swing. It’s been a wonderful tool for software developers. Using open source allows organizations to add tested, proven functionality to their code base, without having to write the code from scratch or purchase third party, proprietary code to add the same functionality.
Estimates now indicate over 90% of all companies now use open source in their commercial software, and that up to 80% of all code in new java applications is from open source components.
If one looks at public repositories, including the Central Repository and SourceForge, over 13 billion downloads occur every year.
This benefit comes with risk, however.
The vast majority of companies using open source have little, if any oversight as to the selection and use of the libraries and their licenses. In addition, millions of OSS components with known vulnerabilities are downloaded for use each year. Managing this process better is possible, and what we will be discussing today.
Mature: Best in class, vetted solutions, leveraged development effort
Mature: Apache, Tomcat, Wildfly, Jakarta Commons, JQuery
Disruptors: Open source is a sandbox for new ideas
Disruptors: OpenStack, Hadoop/Hbase, NodeJS
We are going to focus on 3 risks in open source software, and best practices for assessing and mitigating those risks.
License Risk – Using open source with the wrong license could prevent you from legally distributing an application, or force you to open source your proprietary code.
Security Risk – Like any other software, open source can include vulnerabilities. Even when disclosed and fixed, open source being open source, older, vulnerable builds are still available for download.
Support Risk – While the acquisition cost of open source is low, the total cost of ownership can be high. Much of this depends on the relative maturity of the project’s community.
The takeaway from this is if we are using more and more open source, without putting controls in place, we are inviting unmanaged risk into our applications.
Open source use is certainly beneficial, and the risks can be mitigated. The root of the problem we see with open source usage is a lack of controls over the selection, use, and monitoring of components. That is, if we are using more and more open source, without putting controls in place, we are inviting unmanaged risk into our applications.
Through our research we found that:
76% of the organizations we interviewed admit they have no meaningful controls
80% of the developers state that they can use any open source package they choose, without proving the security of those components
Only 20% claim to track vulnerabilities in OSS over time
This may be true to the extent that publicized problems, such as Heartbleed, are tracked,
but to review, we just learned that 13 billion requests are made each year
I personally, have never talked to a security person who can demonstrate how they track each package used, everywhere in their organization
This leads us to our next topic – getting control over the open source in your organization.
The first step is to document internal policies for open source use. This includes the types of licenses you will allow, any security requirements you may have, and determining how the OSS package will be supported.
These decisions are determined by each organizations primarily by their appetite for risk, compared to the value derived from the open source, for each class of applications. Internet facing applications and those apps that access sensitive information require a higher security standard than some internal applications (with a smaller perceived attack surface).
Good open source practices are good development practices, but we also need to recognize development realities. Open source often enters a code base organically; a developers think about functionality and deadlines. If he requires specific functionality, has used the open source previously, he is inclined to use it again to accelerate productivity.
Finally, we need to institutionalize the policies. While many organizations have some standards, our research shows that those typically are not well managed or enforced. A successful governance program requires a certain level of discipline, and occasional trade-offs. Exceptions to the policies may ultimately be necessary due to design choices, functionality or market pressure, but these should be taken with full awareness by all parties. Most importantly, a successful governance program requires the ability to detect breaches of policy after the review is completed, which we will discuss in a few minutes.
As you develop your best practices for legal, technical business, set up a pipeline via your OSS review board to constantly update your policies.
OSS policies are based on multiple factors. Legal, technical and business are the top three.
From a legal view what risk and practices do you want your team to utilize to ensure compliance and risk avoidance
From a technical/security view as you monitor and update OSS what version and packages do you want to avoid or which version do you want your team to use
From a business view, when is commercial software better? What business issues need to be addressed by OSS. Should you only use supported OSS?
GPLv3 software cannot be included in Apache projects because when an Apache project software becomes a derivative work of some GPLv3 software, then the Apache software would have to be distributed under GPLv3. For example, merely linking to the GPLv2 and GPLv3 may be considered a derivative work, therefore would have the entire project licensed under GPL.
FSF never considered the Apache license to be compatible with GPLv2 because of the patent termination and indemnification provisions.
Indemnification
Patent termination -
Jacobsenv. Katzer - The conditions set forth in the Artistic License are vital to enable the copyright holder to retain the ability to benefit from the work of downstream users. By requiring that users who modify or distribute the copyrighted material retain the reference to the original source files, downstream users are directed to Jacobsen's website. Thus, downstream users know about the collaborative effort to improve and expand the SourceForge project once they learn of the “upstream” project from a “downstream” distribution, and they may join in that effort. The clear language of the Artistic License creates conditions to protect the economic rights at issue in the granting of a public license. These conditions govern the rights to modify and distribute the computer programs and files included in the downloadable software package
Welte – sued Fantec twice, source code availabel for download was incomplete and outdated, german court rejected fantec’s argument that its supplier assured compliance with the GPL terms, court held, can’t rely on suppliers word, must perform audit yourself,
XimpleWare Corp v. Versata
Filed NDCA November 2013
Copyright infringement
Breach of contract
Unjust enrichment
Unfair competition
$150 million + attorney fees
"XML Parser" licensed under GPL v.2
Available on SourceForge.net
1st motion for preliminary injunction
Denied because Versata represented no future sales of products including XML Parser
2nd motion for preliminary injunction
Versata continued to sell products including XML Parser
Motion was pending – Case Settled