I’ve talked about trends in open source and Software Composition Analysis. One of the actions you can take today is to raise your level of awareness and gain better controls of your OSS license management.
In its Technology Insight for Software Composition Analysis report, Gartner states that “convenience comes with risk.” This is in reference to the use of open source and third-party software to quickly and efficiently drive both innovation and productivity. Security is certainly of primary concern, but without open source license compliance and a Software Bill of Materials (SBOM) companies are still opening the door to unnecessary risk. Why do that?
Open Source Management = Customer Focus
In 2019 I wrote about the maturity of the OSS industry. More forward-thinking organizations are capitalizing on that maturity and considering not just security, but the complete health of their software components – the overriding majority of which includes licenses. Most certainly this practice is to protect themselves from potential legal trouble but think about it. Finding competitive advantage in an unpredictable business environment is challenging, to say the least. After all, technology can make or break a company’s reputation in real-time.
It’s not passé to be considered customer focused, and customers today are more demanding than ever. By creating a risk-free environment that does not pass on potential peril to unsuspecting customers, organizations create a cultural selling point. “We take the security and compliance of our solutions seriously.”
Managing the overall health of the software supply chain creates trust with customers and helps to brand companies as customer focused.
OSS License Compliance
Question is, can you have true security without being a company that focuses on license compliance? I think not.
Some companies count on using open source software with no regard for the licenses associated with the code they use. Open source licenses give others permission to modify, use, and distribute software, but under specific conditions and terms. And, every component may very well have a different license. With the volume of open source being used, you can see how quickly this can get out of hand and lead to IP, reputation, and subsequent litigation down the road.
Another statement I use quite a bit, “It’s a must, not a maybe.” Development teams need to respect the legalities associated with source code licensing by passing along a copyright statement or a copy of license text, or by providing the entire source code for the company’s product. Licenses range from fairly permissive (allowing the licensee to use code without responsibilities) to highly restrictive (extremely limiting, even requiring you to make your proprietary project subject to the same software licensing terms of the OSS used).
The Software Bill of Materials (SBOM)
Software Composition Analysis (SCA) solutions aid in the discovery of open source components and license compliance, as well as in creating a SBOM – the open source disclosure list. This list is used to follow license obligations, modify open source policies and quickly react to vulnerabilities. The SBOM gives an accurate, complete roll call of all open source components being used.
Going back to being customer focused, the Bill of Materials helps build trust in the software supply chain and is especially important if products are shipped outside the organization to customers. In many industries – as companies become savvier about how and what software they are acquiring – they’re requiring a SBOM as part of the contractual agreements related to any software acquisition or purchase. For one software developer, the number of contractual agreements specifying the need for a Bill of Materials quadrupled between 2018 and 2019.
It’s probably time to get ahead of the game.