
Open Source in the Enterprise: Compliance and Risk Management


New compliance obligations and risk management issues arising from the adoption of open source software in the enterprise.

Page 1: Open Source in the Enterprise: Compliance and Risk Management


Open Source in the Enterprise: Compliance and Risk Management

Sebastiano Cobianco CEO and CTO

Ex Machina SAGL, 6900 Lugano

Page 2

Copyright protection for Proprietary Software

1889 – the Berne Convention defined copyright and other moral rights for authors of publicly distributed materials: copy, distribute, and prepare derivative works

1976 – US Copyright Law went through a major revision, which included:

• Software and hardware are separate products
• Software is copyrightable

IT companies began to recruit developers from research institutes to develop software, and asked these individuals to sign confidentiality agreements upon recruitment

FOSS arose as a reaction to this transition of the IT industry and to the legal definition of software copyright. Access to source code is a prerequisite for exercising the rights bundled in copyright.

Page 3

Defining Open Source

What exactly is Free and Open Source Software?

Free software is about granting users the freedom to run, copy, distribute, study, change and improve the software. Free software is any software that provides the following freedoms. The freedom to:

• Run the program, for any purpose (freedom 0)
• Study how the program works, and adapt it to your needs (freedom 1). Access to the source code is a precondition for this
• Redistribute copies so you can help your neighbour (freedom 2)
• Improve the program, and release your improvements to the public, so that the whole community benefits (freedom 3). Access to the source code is a precondition for this

FOSS makes sure that free software and its derivative works stay free through adequate licence obligations.

Page 4

An epochal change in IT

Open Source technology is an idea whose time has finally come. For twenty years it has been building momentum in the technical cultures that built the Internet and the World Wide Web. Now it's breaking out into the commercial world, growing from opportunistic cost-saving tactics to a strategic part of modern IT.

• Open Source has permanently disrupted the software industry
• Open source development has gone mainstream: 70% of open source developers are corporate developers (Red Hat, Novell, IBM, HP, Sun, …)

170,000+ open source projects covering every major software category and rapidly growing in number and features

Page 5

Open Source Adoption

• 170,000+ open source projects
• 3,800+ websites
• 10+ GB of new code each day

“85% of companies are already using open-source software, with most of the remaining 15% expecting to do so within the next year.”

– Gartner Research, Nov. 2008

Page 6

Open Source: a business enabler!

Accelerate Time to Market
• Use open source software to avoid reinventing the wheel

Increase Innovation & Product Capability
• Readily available to fill out the feature list
• Focus internal resources on valuable new features that provide strong value to customers or differentiation against competitors

Control Development Costs
• Reuse to lower development and licensing costs
• Improve development and group productivity

Used by permission of Black Duck Software, Inc.

Page 7

Evolution in software development (1980's → 1990's → 2000's)

Reuse → Component-Based Development → Collaboration
Focus: Code → Design → Application Life Cycle Management
Scope: Individual Software Developer → Project Team → Single Enterprise → Development Ecosystem

Used by permission of Black Duck Software, Inc.

Page 8

The hybrid development ecosystem

Used by permission of Black Duck Software, Inc.

Page 9

Hybrid Development Challenges

• Multitude of licenses
• License conflicts
• Security vulnerabilities
• Cross functional approval process

Who owns your code?

Open Source Developers
• Avoid proprietary code in open source applications
• Code must remain freely available

Corporate Developers
• Development productivity
• Software is a competitive advantage and a valued asset
• Avoid unlicensed 3rd party code

Used by permission of Black Duck Software, Inc.

Page 10

Hybrid Development Risks

Loss of Intellectual Property

Export Regulations

Injunctions

Security Vulnerabilities

Software Defects

License Rights and Restrictions

Contractual Obligations

Escalating Support Costs

Used by permission of Black Duck Software, Inc.

Page 11

Open Source Licences: a closer look

Permissive Licences: you can ship the OS component under a Proprietary Licence
• Apache
• BSD
• MIT

Reciprocal Licences: you can ship the OS component, but you may be required to distribute your source code
• GPL (70% of all OSS)
• LGPL

Licence spectrum, from most reciprocal to most permissive: GPL → LGPL/Mozilla → BSD/MIT/X11

Page 12

Examples of Licences: GPL

The GNU General Public License (GPL)
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies …..

The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

…..

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.

Page 13

Examples of Licences: other examples

Animal Rights License
This software is under animal rights license, for every commercial usage you have to donate $25 for dogs and cats in need. Mail me for a proof of donation, otherwise if I find out, that you use this software/source code/source code fragments commercially I sue you when I find out, think about these nice little puppies/kitties who do not have a home :-)

Corona License
License Agreement
Released under the 'Corona License'
You are free to use this SW for any purpose you see fit under 2 conditions: 1) Keep my name on it 2) If you find it useful, send me a sixpack of Coronoa or the $$ equiv via paypal ([email protected]):

Page 14

Legal actions against infringement

Robert Jacobsen, a model train hobbyist, holds a copyright to software code that he makes available to the public free of charge under an open source license, the Artistic License.

Matthew Katzer and Kamind Associates develop commercial software products for the model train industry and hobbyists.

Jacobsen brought an action for copyright infringement against Katzer, accusing them of copying certain portions of his software code and incorporating it into their own commercially available software products without abiding by the terms of the Artistic License.

On Aug. 13, 2008 the NY Court of Appeal ruled that violations of open source licenses can constitute copyright infringement, because the language in the licenses imposes "conditions" of use, such as the notice and other requirements.

Violation of a condition of a license constitutes copyright infringement!

Page 15

Licence violation: Cisco’s Software SCM

• GPL code was used to customize Broadcom’s standard Linux distribution
• The code was embedded in one of its chipsets
• This technology was adopted into the WRT54G wireless broadband router
• The router’s maker was bought for $500M in 2003
• FSF accused Cisco of a licence violation
• After much bad press, source code was made available
• Developers modified the firmware, turning a low-end $60 device into a high-function $399 router
• Major loss of Cisco’s Intellectual Property rights and competitive advantage. Loss of revenue est. $50M

How did this story end up?

Used by permission of Black Duck Software, Inc.

Page 16

Licence violation: more examples

…and more to be found at http://gpl-violations.org

Page 17

The name of the game is Governance

• Tight deadlines
• Cost reductions
• Distributed teams, off-shore teams
• High turnover, sub-contractors

Knowledge of Code is paramount to prevent Compliance and Security issues!

1. Assess current Code Base
2. Set up Policy and Governance
3. Enforce Governance with tools

• 170,000+ OSS projects
• 3,800+ download websites
• 400+ million files
• 1,400+ unique OSS licenses
• 28,000+ security vulnerabilities
• Tens of billions of lines of code
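Step 3, enforcing governance with tools, as an added example that is not code from the deck, from Ex Machina or from Black Duck: a small licence policy gate that applies the deck's permissive/reciprocal split to a component inventory and flags anything it cannot classify. The SPDX-style licence identifiers, the Component fields and the inventory itself are assumptions constructed for the example.

```python
"""Licence policy gate (added example; identifiers and inventory are constructed)."""
from dataclasses import dataclass

# The two categories the deck describes, keyed by SPDX-style identifiers (assumption).
PERMISSIVE = {"Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "MIT"}
RECIPROCAL = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "LGPL-2.1-only"}


@dataclass(frozen=True)
class Component:
    name: str
    licence: str               # declared licence identifier, "" if none declared
    linked_into_product: bool  # True if shipped inside the proprietary product


def classify(licence: str) -> str:
    """Map a licence identifier onto the deck's categories; anything else is unknown."""
    if licence in PERMISSIVE:
        return "permissive"
    if licence in RECIPROCAL:
        return "reciprocal"
    return "unknown"  # unlicensed, bespoke, or one of the 1,400+ other OSS licences


def audit(components):
    """Return (component name, finding) pairs that need legal or engineering review."""
    findings = []
    for c in components:
        category = classify(c.licence)
        if category == "unknown":
            findings.append((c.name, "unrecognised or missing licence: legal review needed"))
        elif category == "reciprocal" and c.linked_into_product:
            findings.append((c.name, f"{c.licence} shipped in product: source disclosure may be required"))
    return findings


def passes_policy(components) -> bool:
    """True when nothing in the inventory blocks shipping."""
    return not audit(components)


# Constructed sample inventory; names and licences are illustrative only.
INVENTORY = [
    Component("http-client", "Apache-2.0", True),
    Component("json-parser", "MIT", True),
    Component("media-codec", "GPL-2.0-only", True),
    Component("build-helper", "GPL-3.0-only", False),  # build-time tool, not shipped
    Component("ui-widgets", "Corona License", True),
    Component("legacy-utils", "", True),
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY):
        print(f"{name}: {finding}")
```

A real gate would read the inventory from the build's dependency manifest or an SBOM instead of the constructed list above.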

Page 18

Who should care about Compliance?

Poor management of OSS Compliance may result in:
• Bad press
• Loss of valuable Intellectual Property rights/competitive advantage (open source your code)
• Loss of control over a code base (security vulnerabilities)
• Legal complications (stop ship, product recall, remediation work, monetary compensation, etc.)

Software Vendors, Technology transfer Companies, Embedded software products
Financial Services, Public Administration, Government
(Serial) Acquirers, Venture Capitals, Private Equities

Proper management of the full software lifecycle ensures compliance and full exploitation of the benefits OSS brings to companies of any type.

Page 19

Sebastiano Cobianco

[email protected]

Ex Machina SAGL

6900 Lugano

Thank you

in <code> we trust