We’re living at a time of heightened awareness of how each of us needs to help protect others from risk. Collaboration, always important, is taking on new meaning today.
Collaboration is crucial in the effective management of open source software, as well. At the heart of open source management is the legal team. Organizations must have a clear understanding of their legal obligations for using code. Safe usage doesn’t just fall on the shoulders of engineering or security teams; legal counsel’s input is vital.
Digital Transformation and Change Management
I’ve talked about the importance of open source in the age of digital transformation. In today’s changed environment, the role of legal teams is evolving quickly to meet the shifting needs of clients, businesses, and stakeholders. As technology continues to evolve and change forces businesses to revisit strategies, legal teams need to be aware of what’s going on. More than give a cursory review of open source license management, they need to engage with it and understand implications of use—at go-to-market and throughout its use. As business models change, legal practices need to align with emerging trends—and remain on top of technological changes within the open source world.
Photo by Ross Findon on Unsplash
Thousands of open source licenses exist, each with unique obligations, rights, and terms. In short: they’re complex. Managing them properly—and early—is the best way to avoid violations of software licensing agreements. Failure to do so can lead to litigation and reputation damage.
A comprehensive Software Composition Analysis (SCA) program can help protect intellectual property (IP) and avoid legal risk by maintaining legal policies, reviewing licenses, preparing third-party notices, and helping ensure open source license compliance. This is particularly important during an M&A or other due diligence event.
Legal Trends in Open Source Licensing
Last month, my colleague, Marty Mellican, VP and Associate General Counsel at Revenera, joined forces with Leon Schwartz, Associate at GTC Law Group, to present the webinar “A Year in Legal Review for Open Source Licensing.” (You can view the on-demand version of it here.) It provided a fascinating review of legal trends and best practices related to software development.
As Leon highlighted, lawsuits such as Ubiquiti v. Cambium (in which “Ubiquiti alleged that Cambium used Ubiquiti’s firmware as the starting point for” its software solution called Elevate “in violation of Ubiquiti’s Terms of Use and Firmware License Agreement”) and Artifex Software v. Siemens Product Lifecycle Management Software, Inc. (in which Siemens is alleged to have violated the AGPL/GPL) reflect creative approaches to addressing claims regarding software licensing. How the cases proceed will be informative. Resulting legal decisions can have major implications—particularly if they’re made by a court that doesn’t truly understand open source software.
Concurrently, as more deployments move to the cloud, they bring new concerns about how and where open source is used—even leading to claims of overreach and commercializing. And some providers are moving to a premium model, where open source software is provided for a fee; the core product is open source, but premium features are available at a cost. Each one of these moves requires thoughtful consideration and planning.
As open source becomes increasingly mainstream, there’s even greater demand for legal counsel to think ahead about how a license will be used. Currently, an ISO standard for open source use, OpenChain, is approaching final approval. When approved, the OpenChain project will become a formal compliance standard, which could possibly simplify open source management.
Shift Left, Scan Often
It’s an exciting time to watch these developments in the open source world. It’s also an important time to move assessment and compliance processes earlier in the development lifecycle—to shift left. As Marty emphasized, addressing open source tooling and review processes earlier can be very valuable: feedback is available earlier in the process and corrections can be made before they become too costly.
Photo by Chris Montgomery on Unsplash
Shifting left is also a cultural change for development teams; it needs to be recognized as such in order for it to be successful throughout the organization. Rather than throwing down a compliance mandate from the legal team, companies need to recognize developers as active participants in the responsible management of open source software.
Lawyers can collaborate in this process and help guide clients through transformation and change environments by serving as guides; helping developers integrate responsible open source management into their workflows. Shift left is also supported by automation—critical in times of immense change. This frees up resources to address the more value producing projects at times when it is most needed.
Together with an established Software Composition Analysis approach, collaboration between legal, security, and software development teams, companies can implement effective open source management and due diligence policies to help navigate change and competitive pressures. Together, these processes can help you protect your IP, while driving more revenue from your software solutions.
Additional resources include:
- Read the report.
- Access the on-demand version of the webinar based on the report’s findings,“Insights and Trends to Evolve Your Compliance and Security Practices,” here.
