
Identifying and managing the risks of open source software for PHP developers

Do you really need to worry about using open source software in developing commercial applications? This presentation looks at the key risk areas, how to identify and quantify the risk, and what steps if any are needed to deal with the risks.


  1. © 2016 Rogue Wave Software, Inc. All Rights Reserved. Identifying and Managing the Risks of Open Source Software for PHP Developers. Dave McLoughlin, Rogue Wave
  2. Identifying and Managing the Risks of Open Source Software for PHP Developers
     Do you really need to worry about using open source software in developing commercial applications? In this session we'll talk about the key risk areas, how to identify and quantify the risk, and what steps, if any, are needed to deal with the risks. After this session, you'll have the information to better understand how to assess these risks. It will provide you with no-nonsense steps to take to manage your OSS so you can rest easy and not worry whether these issues will affect you or your business. The session will include:
     • Key risk areas and how to identify them
     • Common use case scenarios
     • Understanding and developing risk remediation strategies for OSS use
  3. Legal disclaimer
     • Rogue Wave Software, Inc. is not engaged in the rendering of legal advice. This material provides legal information, which should not be confused with legal advice.
     • I am not an attorney
  4. Risks and challenges of open source software
  5. OSS statistics
     • According to Gartner, 99% of Fortune 2000 companies use OSS in the development of their products
     • Flexera developer study:
       – Only 37% of respondents had an open source acquisition or usage policy.
       – Sixty-three percent said either that their companies did not have an open source acquisition or usage policy, or that they did not know if one existed.
       – Thirty-nine percent of respondents said that either no one within their company was responsible for open source compliance, or they did not know who was.
       – Thirty-three percent of respondents said their companies contributed to open source projects.
       – Of the 63 percent who said their companies did not have an open source acquisition or usage policy, 43 percent said they contributed to open source projects.
  6. Real costs of open source
  7. Risks
     • Myths – lack of understanding of the issues
     • Legal – potential lawsuits, copyright infringement
     • Security – vulnerable applications, loss of data, PR, customer impact
     • Support – exposure for mission-critical applications
     • Maintenance – cost of updates, slow development
     • Training – inefficient use of OSS, poor implementation
     • Operational – wasted time and resources
     • Others?
  8. Unique risks for PHP developers
     • Implementation – usually web based, so greater exposure to attackers
     • Licenses – the PHP license
     • Deployment infrastructure – the infrastructure components most used for PHP development may pose additional risk
     • Security – PHP has over 550 reported CVEs, ranking 24th all-time by CVE count
  9. OSS myths we still see today
     • "It's free, so I don't have any license obligations"
       – Copyright law protects authors; many have taken licensees to court
     • "It's free, so unlike commercial software, I don't need to track it"
       – Many vulnerabilities in commercial software are due to OSS
       – If there's a license violation, how do you remediate?
     • "It's in the public domain, so I can use it any way I want"
       – Only some OSS is public domain
       – All the rest is protected by license and copyright
  10. Legal risks
     • Violation action or lawsuit
     • License violation – license termination
     • Copyright infringement
     • Legal fees, damages
     • Injunction
     • Remediation costs to replace code in violation
  11. Sample OSS litigation
     • USA
       – Linksys/Cisco (2003)
       – Wallace v. FSF (2005) & Wallace v. IBM et al (2006)
       – FSF v. Monsoon (2007)
       – FSF vs Cisco (2009)
       – Busybox vs Best Buy + 13 other companies (2009-2012)
       – XimpleWare v. Versata & Ameriprise Financial (2013)
       – Oracle v. Google (2015)
     • GERMANY
       – Welte vs Sitecom (2004)
       – Welte vs Fortinet UK Ltd. (2005)
       – Welte vs D-Link (2006)
       – Welte vs Skype (2008)
       – Welte in AVM vs Cybits case (2011)
       – Welte vs Fantec (2013)
     • FRANCE
       – AFPA v. Edu4 (2001)
       – Free/Iliad (2007)
  12. Non-court actions
     • A developer reached out to a large mobile phone manufacturer about OSS use in a phone
       – Reaction was swift
       – The company now audits all software developed or acquired
     • FSF and FSFE (gpl-violations.org) – notices of compliance issues
       – The FSF website has a link to report license violations
       – They routinely send notices of violation and warning
  13. Oversimplified OSS license primer
     • Two basic types of licenses: copyleft and permissive
       – Copyleft by far poses the greatest risk
       – Most lawsuits and violation actions to date have been over copyleft licenses
       – FSF, FSFE, and Software Freedom Conservancy proactively enforce GNU licenses (which are copyleft)
     • You must determine the license of OSS you use before you use it, but it's not easy
       – Not all projects have licenses
       – Licenses can change over time
       – Developers will incorrectly name the license they use, e.g. a project described as "BSD-like" that is actually under MIT
       – Just because a project is under a license doesn't mean there isn't embedded OSS under a different license
  14. Types of licenses
     • Copyleft – two main attributes of these licenses
       • You must provide source code to the people you distribute your application to
       • The work must be licensed under the original license (i.e. you can't change the terms once you use it in your application)
     • Permissive – sometimes called attribution licenses
       – You should give credit for use
       – Retain or add copyright notices
       – Distribute a copy of the license
       – Document modifications
  15. Managing legal risks
     • What can you do?
       – Learn about OSS licenses (tons of great resources)
       – Record license information on the packages you use
       – Consult your management and legal staff
       – Develop a compliance program
       – Perform regular license audits of your code
       – Keep source versions of all OSS you use (copyleft licenses require it)
     • Tools
       – Commercial – Fossa, FossID, Flexera, Black Duck
       – OSS – GitHub, Fossology, nexB
       – Internet – tldrlegal.com, Wikipedia
  16. The PHP License
     • PHP codebase
       – PHP 4, PHP 5 and PHP 7 are distributed under the PHP License v3.01, copyright (c) the PHP Group.
       • This is an Open Source license, certified by the Open Source Initiative.
       • The PHP license is a BSD-style license which does not have the "copyleft" restrictions associated with the GPL.
       – Some files have been contributed under other (compatible) licenses and carry additional requirements and copyright information. This is indicated in the license + copyright comment block at the top of the source file.
       – Practical guidelines:
       • Distributing PHP
       • Contributing to PHP
     • PHP documentation
       – The PHP manual text and comments are covered by the Creative Commons Attribution 3.0 License, copyright (c) the PHP Documentation Group
  18. Fossology
  19. Tldrlegal.com
  20. nexB scan-toolkit
  21. Security risks
     • Unmonitored vulnerabilities and zero-days
     • Loss of data
     • PR issues, loss of credibility
     • Exposure of confidential customer information
  22. Managing security risks
     • What can you do?
       – Track your OSS by version
       – Create policies on OSS usage based on known vulnerabilities; keep lists of banned OSS
       – Monitor the NVD and project homepages
       – Have a plan; don't wait until a vulnerability affects you to figure out how to upgrade
       – Purchase support and maintenance for mission-critical components
     • Tools
       – Commercial – Rogue Wave, Red Hat
       – Open source – OpenVAS
       – Internet – NVD and CVE Details sites, VersionEye
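The two bookkeeping steps the deck keeps coming back to, recording the license of every package you use (slide 15) and tracking OSS by version against a banned list (slide 22), can both be driven from a PHP project's composer.lock, which already records each package's name, pinned version and declared SPDX licenses. The script below is an added example and is not part of the presentation or of any Rogue Wave product: the composer.lock fragment, the vendor/package names, the copyleft set and the banned list are all constructed for illustration, and a real policy would be fed from your legal review and from NVD/CVE tracking.

```python
"""Audit a PHP project's composer.lock against an OSS license and version policy.

Added example (not from the presentation or from Rogue Wave): the lockfile
fragment, package names, copyleft set and banned list are all constructed.
"""
import json
import re
from dataclasses import dataclass

# SPDX identifiers this example policy treats as copyleft. A package under one of
# these in shipped code triggers the source-availability and same-terms
# obligations described on slide 14, so it is flagged for legal review.
COPYLEFT_LICENSES = {
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
    "LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
}

# Banned list in the sense of slide 22: package -> minimum acceptable version.
# Hypothetical name and version; a real list would come from NVD/CVE tracking.
BANNED_BELOW = {"vendor-c/old-parser": "1.0.0"}

# Constructed composer.lock fragment carrying only the fields this audit reads.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "vendor-a/http-client", "version": "v2.4.1", "license": ["MIT"]},
        {"name": "vendor-b/pdf-tools", "version": "1.0.3", "license": ["GPL-3.0-or-later"]},
        {"name": "vendor-c/old-parser", "version": "0.9.0", "license": ["BSD-3-Clause"]},
        {"name": "vendor-d/mystery", "version": "3.1.0"},  # no license declared
    ],
    "packages-dev": [
        {"name": "vendor-e/test-helper", "version": "5.2.0", "license": ["LGPL-2.1-only"]},
    ],
})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    category: str  # "copyleft", "no-license" or "banned-version"
    detail: str


def parse_version(version: str) -> tuple:
    """Reduce 'v1.2.3', '1.2' or '2.0.0-beta1' to a comparable (major, minor, patch).

    A version with no leading numeric part (e.g. 'dev-master') becomes (0, 0, 0) and
    so sorts below every minimum, which is the conservative choice for a banned list.
    A production tool would use a full Composer/semver comparator instead.
    """
    core = version.lstrip("v").split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def inventory(lock_text: str) -> dict:
    """Record every locked package with its version and declared licenses.

    Runtime ('packages') and dev-only ('packages-dev') sections are kept apart
    because only runtime packages are distributed with the application.
    """
    lock = json.loads(lock_text)
    packages = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            packages[pkg["name"]] = {
                "version": pkg["version"],
                "licenses": list(pkg.get("license", [])),
                "dev_only": section == "packages-dev",
            }
    return packages


def audit(lock_text: str) -> list:
    """Apply the policy to the inventory; findings come back in lockfile order."""
    findings = []
    for name, info in inventory(lock_text).items():
        ver = info["version"]
        if not info["licenses"]:
            findings.append(Finding(name, ver, "no-license",
                                    "no license declared; determine it before use"))
        elif not info["dev_only"]:
            # Dev-only packages are not shipped, so distribution obligations do
            # not arise; they stay in the inventory but are not flagged here.
            for lic in info["licenses"]:
                if lic in COPYLEFT_LICENSES:
                    findings.append(Finding(name, ver, "copyleft",
                                            f"{lic} in shipped code: legal review required"))
        minimum = BANNED_BELOW.get(name)
        if minimum and parse_version(ver) < parse_version(minimum):
            findings.append(Finding(name, ver, "banned-version",
                                    f"below policy minimum {minimum}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_COMPOSER_LOCK):
        print(f"{f.category:15} {f.package} {f.version}: {f.detail}")
```

Run it against a real composer.lock by replacing SAMPLE_COMPOSER_LOCK with the file's contents; on the constructed input it reports the GPL runtime dependency, the parser pinned below the policy minimum, and the package with no declared license, while the LGPL test helper is inventoried but not flagged because it is never distributed. Committing the inventory output alongside each release gives you the per-version record the deck asks for when a new CVE lands and you need to know whether you ship the affected version.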
  24. Support and maintenance risks
     • Your app goes down due to an issue in an OSS component and you don't have anyone to call
     • Slow or no community response
     • Internal expertise is lacking
     • Bug fixes
     • Migration, upgrade, architecture and implementation best practices
     • Upgrades to infrastructure break tests and libraries
  25. Managing support and maintenance risks
     • What can you do?
       – Build a center of excellence (COE) around mission-critical apps and build support within the organization
       – Purchase commercial support and/or consulting for mission-critical apps
       – Develop strong ties to communities
       – Training
     • Commercial – Rogue Wave, Red Hat
     • Individual project support
     • Professional services
     • Leverage the community
  26. Operational risks
     • Delayed product release schedules due to remediation required to resolve license issues, and the associated costs
     • Emergency changes due to legal threats
     • Overhead required to maintain security and bug fixes over time
     • Overall lack of visibility into security vulnerabilities
     • Chronic integration headaches as platform requirements change and code reuse is not facilitated
     • Difficulties in resolving customer support issues
     • Cost of maintaining many unique technology stacks
  27. Managing operational risks
     • Develop an OSS strategy
       – Develop an OSS policy
     • Train development staff
       – License and compliance
       – OSS policy and risks
     • Track and manage OSS
       – Shadow repository
       – Track and monitor security issues
     • Manage support
       – Internal support
       – Commercial support
  28. Be smart, take control of OSS
     • Know your risks
       – Legal, security, support
     • Proactively manage your OSS and compliance
       – Track, monitor, comply
     • Benefits of OSS far outweigh the risks
       – Time to market, innovation, NO LICENSE FEE, readily accessible, robust community
