INTRODUCTION TO OPEN SOURCE GOVERNANCE AND COMPLIANCE GUIDE BOOK © 2012 Black Duck ® , Know Your Code ® , Ohloh ® , SpikeSource ® , Spike ® and the Black Duck logo are registered trademarks of Black Duck Software, Inc. in the United States and/or other jurisdictions. Koders is a trademark of Black Duck Software, Inc. All other trademarks are the property of their respective holders. All Rights Reserved.

Introduction to Open Source Governance and Compliance

Open source software (OSS) is pervasive in today’s deployed software and the supply chain. Gartner estimates that by 2016, open source will be included in mission-critical software packages in 99 percent of global enterprises. There are over a million freely downloadable open source components that development organizations can use to build better software faster. But as open source software is more broadly used, IT organizations struggle to manage risk, control software assets and ensure compliance. In an environment where development organizations are under intense pressure to keep pace in competitive markets, a lack of formal policies and ad-hoc management practices for open source create unnecessary exposure.

Page 1: Introduction to Open Source Governance and Compliance

INTRODUCTION TO OPEN SOURCE GOVERNANCE AND COMPLIANCE GUIDE BOOK

WHY OPEN SOURCE?

Open source software (OSS) is pervasive in today’s software lifecycle and supply chain. Gartner estimates that by 2016, open source will be included in mission-critical software packages in 99 percent of global enterprises. Open source is used to build applications, products and services and offers hundreds of thousands of freely downloadable code components that can be leveraged to speed development and slash budgets by thousands, or even millions, of dollars.

While cloud computing, mobile and distributed development trends are ramping up the intensity and pace of application development, development managers are under even more pressure to improve time to solution with fewer resources and under tighter budget restrictions. For mobile application development in particular, the benefits of OSS are extremely practical. For example, financial services firms face tremendous pressure to quickly deploy high-quality mobile applications, and OSS components are already proven in the mobile world.

According to Eric Newcomer, former Chief Architect of Credit Suisse, “Banks worldwide are seeing universal interest in online interactions by customers via mobile devices, and it doesn’t take a lot of research to discover that most of the components used in mobile applications are open source.”

Open source is the most practical and logical way of leveraging IT resources to respond to the emerging industry trends that are driving the accelerated development of mobile applications.

The fastest growing and most agile companies are built on open source, from Facebook with 800+ million users and Twitter with 500+ million users to Amazon, YouTube and Google. Apple, the most valuable company in the world, built its iPhone, iPad and MacBook products with open source. The economics are simple: at an industry-standard cost of $10 to $20 per line of code (LoC), and an average of 50,000 LoC in a component used by a Global 2000 organization, each component reused rather than written in-house represents $500K to $1M in avoided development cost.

Growing popularity of open source in the enterprise

IDC recently reported that IT organizations have about 30 percent open source in their deployed code base. In Black Duck’s experience, our “best-in-class” customers use up to, and even over, 80 percent open source. These development organizations are taking advantage of code that already exists, not reinventing the wheel, and are producing more while coding less.

Open source communities have demonstrated heightened levels of innovation and speed, and IT organizations are taking notice. The use of OSS methods and technologies, combined with community best practices for development, has become a strategic imperative for accelerating software development, controlling IT costs and remaining competitive. Established IT organizations risk being outpaced by this approach unless they proactively adopt OSS components and development methodologies as part of their business strategy.

Given the increasing need to swiftly deploy high-quality products and applications, many IT executives believe that the adoption of OSS is inevitable because of its price and performance advantages. However, the benefits of OSS are fully realized only when its use is accompanied by an automated governance program that provides developers with control and visibility.

Open Source in the Code Base

WHY ARE GOVERNANCE AND COMPLIANCE ESSENTIAL?

OSS empowers developers to increase innovation, efficiency and competitiveness, but as open source becomes more pervasive, the need for governance and compliance solutions grows with it.

Gartner predicts that by 2014, “50 percent of organizations will experience technology, cost and security challenges due to a lack of open source governance,” and through 2015, “less than 50 percent of IT organizations will have effective open source governance programs in place.”

Poor OSS governance can create quality, security and business challenges, putting an organization’s software assets and intellectual property (IP) at risk. The key to avoiding the consequences of improperly using open source components is to develop policies and procedures based on best practices while automating the management of OSS component use.

Business and IT leaders need to understand the obligations that come with OSS licenses and foster cross-departmental policies that keep the organization from violating those obligations. Many IT executives, enterprise architects and development managers have gained control over open source component use by automating the governance and compliance process as an integral part of their application development cycle, and they have done so without slowing development or adding overhead for the development team.

LEGAL OBLIGATIONS

“Free code” does not mean “free of obligations”; open source brings with it unique and sometimes complex legal requirements. Open source license disputes, once a matter of proper attribution settled between developers and businesses, now reach the courts and can threaten the reputation of a brand. Improperly managed open source code can result in bad publicity, copyright infringement claims and even orders to stop shipment, damaging a company’s reputation and immediately impacting product revenue.

HOW DO YOU GET STARTED?

A prudent first step towards managing OSS is to understand how much you have and where it is used. Software is now available that automatically scans a code base and produces an inventory of the open source components it contains, together with their licenses. An audit should not be a one-time event: scan code on an ongoing basis, as part of the continuous integration process, so that every build is checked against both the company’s risk management policies and its external license obligations. Next, establish and implement a governance program that covers all third-party code, whether it comes from a commercial vendor, an OSS project or an outsourced supplier.
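As an added, illustrative example (not from the guide and not Black Duck’s product code), the Python script below shows the kind of automated check that belongs in that continuous integration step. It takes a constructed component inventory of the sort a code scanner produces (name, version and an SPDX license expression), evaluates each expression against an assumed license policy for a product shipped to customers as binaries, and fails the build on any component whose license is denied or cannot be classified. The policy sets, the fictional component names and the inventory format are all assumptions made for illustration.

```python
"""License-policy gate over a scanner's component inventory (added example)."""
import json
import re

# Verdict ranks. In an SPDX expression OR lets the licensee choose, so it takes
# the most permissive term (min); AND imposes every term, so it takes the most
# restrictive one (max).
ALLOWED, REVIEW, UNKNOWN, DENIED = 0, 1, 2, 3
VERDICT_NAME = {ALLOWED: "allowed", REVIEW: "review", UNKNOWN: "unknown", DENIED: "denied"}

# Assumed policy for a product distributed as binaries (illustration only; a real
# policy is decided by the organization's legal and engineering stakeholders).
POLICY = {
    ALLOWED: {"MIT", "ISC", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"},
    REVIEW: {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "MPL-2.0",
             "GPL-2.0-only WITH Classpath-exception-2.0"},
    DENIED: {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
             "AGPL-3.0-only"},
}

# Constructed sample inventory in the shape a scanner might emit. Names are fictional.
SAMPLE_INVENTORY = json.dumps([
    {"name": "ui-toolkit", "version": "1.8.3", "license": "MIT"},
    {"name": "http-utils", "version": "2.6", "license": "Apache-2.0"},
    {"name": "line-editor", "version": "6.2", "license": "GPL-3.0-only"},
    {"name": "db-connector", "version": "5.1", "license": "GPL-2.0-only OR Commercial"},
    {"name": "pdf-render", "version": "0.4", "license": "LGPL-2.1-only AND MIT"},
    {"name": "jvm-runtime", "version": "7", "license": "GPL-2.0-only WITH Classpath-exception-2.0"},
    {"name": "dual-widget", "version": "2.0", "license": "(MIT OR GPL-2.0-only) AND BSD-3-Clause"},
    {"name": "vendor-blob", "version": "1.0", "license": ""},
])

TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.+-]+")


def classify_id(license_id, policy=POLICY):
    """Rank one license identifier; anything absent from the policy is UNKNOWN."""
    for rank in (ALLOWED, REVIEW, DENIED):
        if license_id in policy[rank]:
            return rank
    return UNKNOWN


def evaluate(expression, policy=POLICY):
    """Evaluate an SPDX expression (ids, 'id WITH exception', AND, OR, parentheses)
    to a verdict rank. Raises ValueError on a malformed expression."""
    tokens = TOKEN_RE.findall(expression)
    if not tokens:
        return UNKNOWN  # missing license metadata is itself a finding
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else ""

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression: %r" % expression)
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        rank = parse_and()
        while peek().upper() == "OR":
            take()
            rank = min(rank, parse_and())
        return rank

    def parse_and():
        rank = parse_atom()
        while peek().upper() == "AND":
            take()
            rank = max(rank, parse_atom())
        return rank

    def parse_atom():
        tok = take()
        if tok == "(":
            rank = parse_or()
            if take() != ")":
                raise ValueError("unbalanced parenthesis in %r" % expression)
            return rank
        if tok == ")" or tok.upper() in ("AND", "OR", "WITH"):
            raise ValueError("expected license id in %r" % expression)
        if peek().upper() == "WITH":  # an exception binds to the preceding id
            take()
            tok = "%s WITH %s" % (tok, take())
        return classify_id(tok, policy)

    rank = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in %r" % expression)
    return rank


def audit_inventory(inventory_json, policy=POLICY):
    """Return (gate_ok, findings). findings lists every component that is not
    cleanly allowed as (name, version, expression, verdict). The gate fails
    closed: denied or unknown blocks the build; review passes pending sign-off."""
    findings = []
    for comp in json.loads(inventory_json):
        expr = comp.get("license") or ""
        try:
            rank = evaluate(expr, policy)
        except ValueError:
            rank = UNKNOWN  # unparseable metadata is treated like missing metadata
        if rank != ALLOWED:
            findings.append((comp["name"], comp["version"], expr, VERDICT_NAME[rank]))
    gate_ok = not any(v in ("denied", "unknown") for _, _, _, v in findings)
    return gate_ok, findings


if __name__ == "__main__":
    ok, found = audit_inventory(SAMPLE_INVENTORY)
    for name, version, expr, verdict in found:
        print("%-8s %s %s (%s)" % (verdict, name, version, expr or "<no license metadata>"))
    print("gate:", "PASS" if ok else "FAIL")
```

Run as a script it prints one line per non-allowed component and a PASS/FAIL gate verdict. The gate deliberately fails closed on missing or unrecognized license metadata, because an unclassified component is exactly the exposure the audit exists to surface; the policy table is a stand-in for whatever the organization’s own stakeholders decide.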

The diagram below illustrates a management maturity model showing five levels of open source adoption. Organizations with mature processes and policies don’t worry about compliance; compliance is built-in. They can instead focus on leveraging open source for strategic advantage and maximizing its value.

Stages of OS Adoption

An effective governance program has four main elements:

Organizational leaders should develop governance strategies focusing on the specific issues related to the acquisition, use and management of OSS that ultimately align with their growth goals, business objectives and internal policies. They need to establish policies that serve as the rules for evaluating, approving, using, reusing and releasing open source code, as well as for participating in open source communities.

These policies should encourage developers to leverage the benefits of open source, and they should be created and managed by key stakeholders.

CASE STUDY: SITA BUILDS PATH TO SUCCESS WITH OPEN SOURCE SOFTWARE STRATEGY

SITA, the world’s leading specialist in air transport communications and IT solutions, delivers business solutions for airline, airport and government customers over the world’s most extensive network. As the backbone of the global air transport industry, SITA is constantly searching for new ways to improve development processes and enhance innovative capabilities.

QUESTIONS

How much OSS is currently part of our code base?

How can we maximize and streamline our OSS use?

What are the licensing details of each OSS component?

GOVERNANCE OBJECTIVES

Enable greater use of OSS across the organization to improve software development efficiency and quality.

Ensure compliance with OSS licenses and distribution requirements.

RESULTS

SITA’s open source governance program plays a fundamental role in the ongoing development of the Horizon project, allowing SITA’s development teams to search, discover and use pre-approved OSS and components within this ground-breaking reservation system. SITA’s Horizon program has already captured headlines as a major innovation ushering in the next generation of passenger management systems for the airline industry.

“We couldn’t have designed and implemented our current open source governance program without the Black Duck® Suite, and the benefits are immediately apparent. Now that we can constantly scan and establish a clean bill of materials across all projects with our automated governance program, we can combine the best of proprietary and open source software components to bring ground-breaking and innovative solutions like Horizon to market better, faster and more cost-effectively than ever before.”

–Patrick Holden, Senior Programme Manager, Software Development, SITA

SITA Horizon – The NextGen Passenger Management System that connects airlines with their customers

IN CONCLUSION

Used strategically, and backed by governance processes and technology, OSS gives an organization management control over its code base while delivering accelerated time-to-solution and cost advantages. To maximize the benefits of integrating open source components into your code base, it is critical to implement a comprehensive, automated approach to governance and compliance that integrates across the application development lifecycle.

A proactive strategy is the best approach, and the Black Duck team works with customers at all levels of adoption to ensure open source success. The Black Duck® Suite provides a comprehensive set of governance and compliance automation tools that enable development organizations to maximize the power of open source technologies and methods.

Black Duck Consulting offers a quick and easy way to learn about industry best practices and assess organizational readiness and governance maturity. The easy-to-use, complimentary Open Source Management Assessment (OSMA) begins with a self-guided survey and includes a phone consultation. The assessment is designed to help clients accelerate the implementation of a governance program.

Visit www.blackducksoftware.com/OSMA to complete a free OSMA today and quickly benchmark your organization’s use of OSS.

ABOUT BLACK DUCK

Offering award-winning software and consulting, Black Duck is the partner of choice for open source software adoption, governance and management. Enterprises of every size depend on Black Duck to harness the power of open source technologies and methods. As part of the greater OSS community, Black Duck connects developers to comprehensive OSS resources through Ohloh.net, and to the latest commentary from industry experts through the Open Source Delivers blog. Black Duck also hosts the Open Source Think Tank, an international event where thought leaders collaborate on the future of open source. Black Duck is headquartered near Boston and has offices in San Mateo, St. Louis, London, Paris, Frankfurt, Hong Kong, Tokyo, Seoul and Beijing. For more information about how to leverage open source to deliver faster innovation, greater creativity and improved efficiency, visit www.blackducksoftware.com and follow us at @black_duck_sw.

CONTACT

To learn more, please contact: [email protected] or 1.781.891.5100. Additional information is available at: www.blackducksoftware.com