5 Steps to Ensuring Compliance in the Software Supply Chain: The Harman Case Study

Black Duck Software (@black_duck_sw)

© 2014 Black Duck Software, Inc. All Rights Reserved.

SPEAKERS

Matthew Jacobs, General Counsel, Black Duck Software

Alyssa Harvey Dawson, Vice President, Global Intellectual Property & Licensing, Harman International Industries

AGENDA

• Open Source Trends
• License Review
• OSS Compliance – Harman’s point of view
• Q&A

FIRST OF ALL…

“Software is Eating the World.” Marc Andreessen (Netscape founder), Wall Street Journal, August 2011

“Open Source is ubiquitous… having a policy against open source [use] is impractical and places you at a competitive disadvantage.” Mark Driver, Gartner

…AND THERE IS A GROWING APPETITE FOR OPEN SOURCE

• 4.0 billion files
• Nearly 1M de-duplicated projects
• 10+ million staff years of development
• Billions of $s of development
• 2,300+ unique software licenses

[Chart: Black Duck KnowledgeBase, number of open source projects by year, 2007–2015]

WHAT IS OPEN SOURCE SOFTWARE (OSS)?

• It’s third party software

• No single “official” definition

[Diagram: Open Source Software shown as a subset of Third-Party Software]

PRIMARY OSS LICENSE CATEGORIES

• Permissive Licenses
  • Licensee can use, copy, modify and distribute the software
  • Licensee is allowed to combine the source with open source or proprietary software
  • Licensee is NOT obligated to distribute the source code of derivative works

• Copyleft Licenses
  • Any licensee modifications to the software, when distributed, must be made available under the same reciprocal OSS license
  • Copyleft licenses are substantially more complex than permissive licenses; the reach of the obligation also varies by license (the GPL extends to the whole derivative work, the MPL only to the modified files)

Permissive: BSD, MIT
Copyleft: GPL, MPL

TOP 20 OPEN SOURCE LICENSES

Ranked according to number of open source projects using the license:
• Top 10 licenses account for 94%
• Top 20 licenses account for 97%
• GPL family of licenses accounts for 46%

1. GNU General Public License (GPL) 2.0
2. MIT License
3. Apache License 2.0
4. GNU General Public License (GPL) 3.0
5. BSD License 2.0 (3-clause, New or Revised)
6. Artistic License (Perl)
7. GNU Lesser General Public License (LGPL) 2.1
8. GNU Lesser General Public License (LGPL) 3.0
9. Microsoft Public License (MS-PL)
10. Eclipse Public License (EPL)
11. Code Project Open License 1.02
12. Mozilla Public License (MPL) 1.1
13. Simplified BSD License (BSD)
14. Common Development and Distribution License (CDDL)
15. Microsoft Reciprocal License
16. GNU Affero General Public License v3 or later
17. Sun GPL With Classpath Exception v2.0
18. CDDL-1.1
19. zlib/libpng License
20. Common Public License (CPL)

Source: https://www.blackducksoftware.com/resources/data/top-20-open-source-licenses (October 2014)

IDC ON OPEN SOURCE USE

“‘Next generation’ companies such as Amazon, Google, Netflix, etc., handle development in fundamentally different ways, leveraging open source software.”

“Open source makes up 30% or more of the code at G2000 organizations.”

BLACK DUCK’S EXPERIENCE ANALYZING CODE

• 99% of code audits find open source.
• 95% of audits find unknown open source.
• 75% of audits contain unknown licenses.
• 50% of code audits contain GPL.
• Audits on average contain 33% open source.

TODAY DEVELOPMENT IS MULTI-SOURCE

…BUT OFTEN OSS ENTERS A CODE BASE UNCHECKED

[Diagram: a code base assembled from commercial, third-party and open source code. Commercial code passes through purchasing, which asks: Licensing? Security? Quality? Support? Open source code enters the code base without that check.]

OPERATIONAL RISK: which versions of code are being used, and how old are they?

LEGAL RISK: which licenses are used, and do they match the anticipated use of the code?

SECURITY RISK: which components have vulnerabilities, and what are they?
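What "checked" can look like in practice, as an added example that is not Black Duck's or Harman's tooling: a policy gate that asks the three questions above of every component in an inventory before a release goes out. It assumes the inventory carries SPDX license identifiers; the component names, versions, release dates and the single advisory record are constructed for the example, and the thresholds (a three-year age limit, which license classes block a release and which only warn) are illustrative assumptions rather than any company's policy. It also goes one step beyond the slide: AGPL is handled separately, because its source obligations are triggered by offering the software over a network, not only by distribution.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# License buckets follow the deck's permissive / copyleft split, keyed by
# SPDX identifiers (assumption: the inventory records them this way).
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "Zlib"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EPL-1.0", "CDDL-1.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}
# AGPL's reciprocal terms also apply when the software is offered over a
# network, so "internal only, never shipped" does not clear it.
NETWORK_COPYLEFT = {"AGPL-3.0-only"}


@dataclass
class Component:
    name: str
    version: str
    license_id: Optional[str]      # None: the scanner could not identify a license
    released: date                 # release date of the version actually in use
    distributed: bool              # shipped to customers inside a product
    network_service: bool = False  # offered to users over a network


@dataclass
class Finding:
    component: str
    risk: str       # "operational", "legal" or "security"
    severity: str   # "block" stops the release, "warn" needs a reviewer's eye
    detail: str


# Constructed advisory feed for the example: (name, version) -> advisory id.
# The id is a placeholder, not a real advisory.
KNOWN_VULNERABLE: Dict[Tuple[str, str], str] = {
    ("imglib", "1.4.2"): "EXAMPLE-ADV-0001",
}


def check_component(c: Component, today: date, max_age_years: int = 3) -> List[Finding]:
    out: List[Finding] = []

    # Operational risk: which version is in use, and how old is it?
    age_years = (today - c.released).days // 365
    if age_years >= max_age_years:
        out.append(Finding(c.name, "operational", "warn",
                           f"{c.version} is about {age_years} years old; look for a maintained release"))

    # Legal risk: does the license match the anticipated use (internal vs. shipped)?
    lic = c.license_id
    if lic is None:
        out.append(Finding(c.name, "legal", "block", "license could not be identified"))
    elif lic in NETWORK_COPYLEFT and c.network_service:
        out.append(Finding(c.name, "legal", "block",
                           f"{lic} offered as a network service: source obligations apply"))
    elif lic in STRONG_COPYLEFT and c.distributed:
        out.append(Finding(c.name, "legal", "block",
                           f"{lic} in a distributed product: reciprocal terms reach the derivative work"))
    elif lic in WEAK_COPYLEFT and c.distributed:
        out.append(Finding(c.name, "legal", "warn",
                           f"{lic} is file/library-level copyleft: confirm modifications and linking comply"))
    elif lic not in PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT:
        out.append(Finding(c.name, "legal", "block", f"{lic} is not covered by policy"))

    # Security risk: does this exact version match a known advisory?
    advisory = KNOWN_VULNERABLE.get((c.name, c.version))
    if advisory is not None:
        out.append(Finding(c.name, "security", "block", f"{c.version} matches {advisory}"))
    return out


def audit(inventory: List[Component], today: date) -> List[Finding]:
    return [f for c in inventory for f in check_component(c, today)]


def release_allowed(inventory: List[Component], today: date) -> bool:
    """Gate: the release proceeds only when no blocking finding remains."""
    return not any(f.severity == "block" for f in audit(inventory, today))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"operational": 0, "legal": 0, "security": 0}
    for f in findings:
        counts[f.risk] += 1
    return counts


# Constructed inventory: names, versions and dates are made up for the example.
TODAY = date(2014, 10, 1)  # fixed so the results are reproducible
INVENTORY = [
    Component("fastcompress", "2.0.1", "Zlib", date(2014, 2, 10), distributed=True),
    Component("imglib", "1.4.2", "MIT", date(2010, 6, 1), distributed=True),
    Component("netcore", "3.0.0", "GPL-2.0-only", date(2014, 3, 1), distributed=True),
    Component("buildtool", "2.1.0", "GPL-3.0-only", date(2014, 1, 1), distributed=False),
    Component("webmon", "0.9.0", "AGPL-3.0-only", date(2014, 5, 1), distributed=False, network_service=True),
    Component("uilib", "5.2.0", "MPL-2.0", date(2014, 6, 1), distributed=True),
    Component("mysteryblob", "?", None, date(2012, 1, 1), distributed=True),
]

if __name__ == "__main__":
    for f in audit(INVENTORY, TODAY):
        print(f"[{f.severity}] {f.risk:<11} {f.component}: {f.detail}")
    print("release allowed:", release_allowed(INVENTORY, TODAY))
```

Two entries make the point the deck keeps returning to: the same GPL-3.0 tool that would block a shipped product is clean as an internal-only build dependency, while the AGPL component blocks even though it is never distributed, because it is exposed as a service. The `distributed` and `network_service` flags are exactly the "internal vs. external usage" and "pay attention to distribution" distinctions the case study calls for in its second step.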

HARMAN CASE STUDY: A Real-World Perspective on Open Source

HARMAN INTERNATIONAL. CONFIDENTIAL. COPYRIGHT 2013.

ON STAGE, AT HOME, IN THE CAR, OR ON THE GO

LEGENDARY, DISCIPLINED, VISIONARY

TECHNOLOGY INNOVATION

GLOBAL GROWTH

PREMIUM BRANDS

HARMAN BRINGS YOUR CONNECTED LIFESTYLE AND ENTERTAINMENT EXPERIENCES TOGETHER THROUGH PREMIUM INFOTAINMENT AND AUDIO SOLUTIONS FOR THE STAGE, AT HOME, IN THE CAR, OR ON THE GO.

FY14 REVENUE $5.3B, ~16,000 FTEs

NUMBER ONE IN ALL MARKETS

LIFESTYLE: branded audio products for home, car, on the go. LTM revenue $1,580M, LTM EBITDA 14.3%

PROFESSIONAL: pro audio & lighting for cinema, broadcast, tour & installed sound. LTM revenue $826M, LTM EBITDA 16.3%

INFOTAINMENT: navigation, multimedia, connectivity & safety solutions. LTM revenue $2,680M, LTM EBITDA 10.5%

LTM = Last Twelve Months, ending Mar. 31, 2014; figures exclude non-recurring expenses

STRONGEST GLOBAL R&D FOOTPRINT
• IN-HOUSE DEVELOPMENT OF CORE TECHNOLOGIES

POWERFUL INNOVATION PIPELINE
• 4,900+ PATENTS & PATENTS PENDING
• SOLUTION ORIENTED TECHNOLOGY ROADMAP

DISRUPTIVE INNOVATION CULTURE
• SCALABLE PLATFORM REDEFINED INDUSTRY LANDSCAPE
• REVERSE INNOVATION PIONEER IN AUTO
• RE-INVENTOR OF SURROUND SOUND

R&D LEADER IN INFOTAINMENT & AUDIO

EXPAND TECHNOLOGY LEADERSHIP

ACCELERATING THE PACE OF INNOVATION

PATENT GROWTH TREND: FY ’07 1,800+; FY ’09 2,700+; FY ’11 3,600+; FY ’13 4,900+ patents

CONNECTED, SAFE, GREEN AND INTELLIGENT

INNOVATION = PASSION + TECHNOLOGY

• DIGITAL SIGNAL PROCESSING
• USER EXPERIENCE
• NETWORK INTELLIGENCE
• ADVANCED SAFETY
• CONNECTIVITY
• HARMAN CLOUD PLATFORM
• ENERGY EFFICIENCY: 2X PERFORMANCE @ 50% ENERGY

OPEN SOURCE AT HARMAN

APPRECIATE THE BENEFITS
• Simplified and rapid development opportunities
• Many projects offer reliable and well supported code
• Open standards and vendor independence

TECHNOLOGY LEADERSHIP
• Open source has moved from the margins to the mainstream
• Key part of any development process

COMPLIANCE
• Respect third party rights
• Protect IP position
• Minimize adverse product impact

FIVE STEPS TO OPEN SOURCE COMPLIANCE – STEP 1: UNDERSTAND PRODUCT DEVELOPMENT PROCESSES

• COLLABORATE WITH PRODUCT DEVELOPMENT
• OBTAIN MANAGEMENT BUY-IN
• CREATE A TEAM WITH KEY PRODUCT DEVELOPMENT PROFESSIONALS
• ENABLE TEAM OWNERSHIP OF REVIEW
• SEEK TO LEARN AND UNDERSTAND FIRST

FIVE STEPS TO OPEN SOURCE COMPLIANCE – STEP 2: OPEN SOURCE USAGE EVALUATION

• EVALUATE KEY OPEN SOURCE USAGE
• DIFFERENTIATE INTERNAL VS. EXTERNAL USAGE
• UNDERSTAND PRODUCT/SERVICES USAGE
• PAY ATTENTION TO DISTRIBUTION
• UNDERSTAND CONTRIBUTIONS
• ASCERTAIN KEY STAKEHOLDERS

FIVE STEPS TO OPEN SOURCE COMPLIANCE – STEP 3: TRANSLATE REVIEWS INTO POLICY

• DEVELOP AN OPEN SOURCE POLICY
• ESTABLISH A POLICY THAT WORKS WITH YOUR PRODUCT DEVELOPMENT PROCESSES
• POLICY SHOULD FILL IN THE GAPS UNCOVERED BY YOUR PROCESS REVIEW
• SET UP AN OPEN SOURCE GOVERNANCE COMMITTEE APPROPRIATE FOR YOUR ORGANIZATION
• OBTAIN BUY-IN FROM KEY STAKEHOLDERS
• DESIGN A PROCESS WITH YOUR CUSTOMERS IN MIND
• MAKE SURE KEY COMPONENTS ARE ADDRESSED

FIVE STEPS TO OPEN SOURCE COMPLIANCE – STEP 4: IMPLEMENT THE POLICY

• EDUCATE KEY GROUPS ON OPEN SOURCE
• TRAIN KEY GROUPS ON THE POLICY
• OBTAIN FEEDBACK
• CREATE DOCUMENTATION TO SPEED UP REVIEWS
• BE TRANSPARENT WITH KEY CONSTITUENCIES SUCH AS CUSTOMERS AND SUPPLIERS

FIVE STEPS TO OPEN SOURCE COMPLIANCE – STEP 5: AUDIT THE POLICY AND PROCESS

• REGULARLY REVIEW POLICY
• ANNUAL REVIEWS
• UPDATE AS THE ORGANIZATION CHANGES
  • DIVISION REORGS
  • NEW PERSONNEL
  • ACQUISITIONS
• LISTEN TO FEEDBACK
• KEEP WHAT WORKS, CHANGE WHAT DOESN’T
• ONE SIZE DOES NOT FIT ALL; TAILOR FOR YOUR COMPANY

CONCLUSION

• Software development has changed
• Componentization and re-use
• Open source is ubiquitous and an important element of software strategy
• Open source has significant benefits, but needs to be managed properly
• An effective compliance program includes policy, process and automation technology