In Tip 1 of our Software Supply Chain Optimization series we talked about consolidating software operations – now we’ll discuss how companies should track and manage their use of Open Source Software (OSS) and 3rd-party components.
Almost every developer is using OSS. 50-90% of the code found in commercial software packages is open source and 9 out of 10 IoT developers rely on it. Yet, the actual use of OSS is often unknown or unmanaged. This can result in license compliance issues and security vulnerabilities.
Open Source is free to use, but not free of obligations
Most organizations don’t know exactly which open source components they’re using and have difficulty producing an accurate Bill of Materials (BOM) for use of all OSS and 3rd party components in their products. Research from the Flexera Composition Analysis team shows that developers generally use 20 times more than they are aware of. This can lead to serious license compliance issues because many open source licenses come with obligations like passing along the text of the license, preserving copyright statements, providing attribution or making your proprietary source code available if you distribute your product. Here are just some examples:
- AGPL 3.0 – Must Must release your source if you provide network access to your application
- GPL v3 – Must release your source if you distribute your product, must allow user to modify source if used in “User Product” (consumer product)
- GPL v2 – Must release your source if you distribute your product
Managing OSS compliance should be a team effort and can’t be done by engineering alone. Many organizations are establishing an open source review board of subject matter experts with representation form engineering, legal, IT and management to help manage OSS and other 3rd party component use more diligently.
Manage Security Vulnerabilities
The more OSS and 3rd party components you are using, the more at risk you are from a security perspective. If you are unaware of all OSS and 3rd party component in use, you are potentially leaving the door open to hackers. It is important to automate the scanning of all your code to understand what is being used and be alerted of vulnerabilities so that you can remediate vulnerabilities immediately. You should also consider implementing automated processes that enable you to alert affected customers when a vulnerability occurs and to distribute updates and patches as soon as they become available.
In Tip #3 we’ll discuss why it is important to enable flexible monetization models and offer the right products at the right price point. Stay tuned!