© 2017 Rogue Wave Software, Inc. All Rights Reserved.
Open source software:
Diligence, compliance,
and future trends
Presenters
Dave McLoughlin, Dir, OSS Auditing
Rogue Wave Software
Aldin Basic, Account Executive
Rogue Wave Software
Agenda
• Introduction
– Evolution of software development
– The emergence of OSS
– Prevalence of OSS today
– Common misconceptions (myths)
– Where the misconceptions come from
• Potential Risks and Litigation
– An emerging trend - compliance and copyright infringement
– Some examples of why it's occurring
– What is risky and why?
– Cost of that risk
• Remedies & Next Steps
– Education, policies, audits, training
Legal disclaimer
• Rogue Wave Software, Inc. is not engaged in the rendering of legal
advice. This training class material provides legal information, which
should not be confused with legal advice
• We are not attorneys
Evolution of software
• 1960-1980
– All software was free, companies sold “hardware”
– Slowly prices of hardware dropped, computers became commodities
• 1980-1990
– The rise of large software companies: Microsoft, Lotus, Word Perfect,
IBM, Oracle
– Microsoft Windows (1985), copy protection, anti-piracy
– Software Publishing Association (SPA)
• 1990-2010
– Linux (1991)
– Internet gave rise to the World Wide Web
– Netscape based on free software, eventually makes Mozilla OSS again
Emergence of open source software
• Linux becomes mainstream
– Red Hat: commercial version and support of Linux (JBoss and other OSS tools and frameworks)
– Multiple stable versions become available (RHEL, CentOS, Debian,
Fedora, Ubuntu, SUSE)
• World Wide Web
– Provides mechanism to distribute and share free software
– Platform infrastructure primarily OSS – Linux, JBoss, Apache,
MySQL, PHP
• Business use
– Companies transition mission critical system infrastructure to OSS
– IoT (Mobile devices, smart home, video and audio streaming)
Open source crossed the chasm
99% of Global 2000 companies are using open source in mission critical applications
Common OSS myths
• It’s free so I don’t have any license obligations
– Copyright law protects authors; many have taken licensees to court or taken other legal action
• It’s in the public domain, so I can use it any way I want
– Only some OSS is public domain
– All others are protected by license or copyright
• I don’t need to track it
– Many vulnerabilities in commercial software are due to OSS
– If there’s a license violation how do you remediate?
• I don’t need support, the community will help
– What do you do if your system goes down at 2am?
• If I license a commercial product that I use in my development, I don’t need to worry whether it contains OSS
– It doesn’t matter where you get OSS: if you use it in products you develop, you still need to comply with the OSS license
Where do the myths come from?
• OSS comes from many sources, not just direct download
– Supply chain, commercial software, contractors, out-sourcers
• Lack of education
– Developers were trained in developing software, license issues
were managed by the lawyers
– Now that developers have direct access to build OSS into
products, they need to be savvy about OSS compliance issues
• Lack of process
– Organizations have purchasing systems to manage commercial
software, but most have not built similar systems to manage OSS
• Lack of policies
– Developers may not have guidelines for OSS usage
Potential risks
An emerging trend
compliance and copyright infringement
• Free Software Foundation (FSF, FSFE), the Software Freedom Law
Center (SFLC) and the Software Freedom Conservancy
– De facto enforcers of GNU licenses
– Provide resources to report and enforce
• Substantial increase in cases over the last 10 years
– Software Freedom Law Center (SFLC) started filing suits in 2007
with BusyBox
– Copyright trolls for profit emerging for first time in 2016
– FSF critically refers to them as “GPL Monetizers”
– E.g. Patrick McHardy (Linux), David Fligor/Progressive LLP: Troll
lawyer searching for a project, so far no cases filed
Enforcement
• Free Software Foundation (FSF) is the de facto enforcer of the
GPL license
– FSF conducts a compliance laboratory that investigates violations
– FSF is available for hire to assist companies to comply
– Partners with the Software Freedom Law Center (SFLC)
• Free Software Foundation Europe (FSFE) is a charitable registered association under German law. It is an official European sister organization of the U.S.-based Free Software Foundation (FSF)
• Original copyright holder has to bring suit
Sample OSS litigation
• USA
– Linksys/Cisco (2003)
– Wallace v. FSF (2005) & Wallace v. IBM et al (2006)
– FSF v. Monsoon (2007)
– FSF vs Cisco (2009)
– Busybox vs Best Buy + 13 other companies (2009-2012)
– XimpleWare v. Versata & Ameriprise Financial (2013)
– Oracle v. Google (2015)
• GERMANY
– Welte vs Sitecom (2004)
– Welte vs Fortinet UK Ltd. (2005)
– Welte vs D-Link (2006)
– Welte vs Skype (2008)
– Welte in AVM vs Cybits case (2011)
– Welte vs Fantec (2013)
• FRANCE
– AFPA v. Edu4 (2001)
– Free/Iliad (2007)
What is risky and why
• A lot of OSS gets into commercial products “undetected” by developers
– From external sources or embedded in known components
• Most “license compliance” lawsuits become “copyright infringement” cases
– Once a compliance issue is established, copyright law is used to enforce the license against the unlicensed use of OSS
– Cases settle immediately
• Copyright law is well established and easy to defend
– It is simply a matter of permission to use software your developers did not create, and of the protection of OSS under copyright law
– Non-compliance means you don’t have permission to use the software; without permission, the copyright holder has the right to block you from shipping your product
2017 Open Source Report
Cost of risk
• Companies have insurance for non-compliance with commercial software licenses
– Manageable, expected
• Companies cannot manage cost if commercial products contain
software used without compliance or permission
– Judge can order injunction and stop shipping of product
– Can potentially affect revenue without simple recourse
Managing risk
Education
• Require baseline education on OSS
– Risks and challenges of OSS
– What are licenses and why they are important
– How compliance works
– Where OSS comes from – not just directly downloaded
– Responsibility and expectations
• Who should you train?
– Development
– Management
– Legal staff
Policies and procedures
• Usage policies
– White list, black list, grey list
– Base policies on license type, software type, and security
vulnerabilities
• Tracking and management
– Set up who is responsible for tracking OSS
– Create a process where developers can report and management can review
• Support and community
– Ensure you have support for mission critical apps
– Have policies on how developers can participate
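The white list / black list / grey list policy described on this slide, as an added example that is not part of the deck: a small Python check that classifies each dependency in a dependency inventory as allow, review or block based on license type, software type and known vulnerabilities. The license lists, software types, component names and advisory ids are all illustrative assumptions, not a recommendation for any real project.

```python
from dataclasses import dataclass, field

# Policy lists keyed by SPDX license identifier. Assumption: one hypothetical
# organisation's choices; every real policy must be set with legal staff.
WHITE_LIST = {"MIT", "BSD-3-Clause", "Apache-2.0"}                        # use freely
GREY_LIST = {"LGPL-2.1-only", "MPL-2.0", "GPL-2.0-only", "GPL-3.0-only"}  # review first
BLACK_LIST = {"SSPL-1.0", "Commons-Clause"}                               # never ship

# Licenses whose obligations are triggered by distribution or by network use.
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only"}
NETWORK_COPYLEFT = {"AGPL-3.0-only"}

# Software types (assumed) that change what a license requires of you.
DISTRIBUTED = {"firmware", "desktop", "mobile", "sdk"}  # binaries leave the company
NETWORK_SERVICE = {"saas"}                              # users interact over a network

RANK = {"allow": 0, "review": 1, "block": 2}


@dataclass
class Component:
    name: str
    version: str
    license: str            # SPDX id, or "UNKNOWN" when a scan could not identify it
    software_type: str      # how the product embedding this component is delivered
    source: str = "direct"  # direct download, vendor, contractor, outsourcer
    vulns: list = field(default_factory=list)  # [(advisory id, severity), ...]


@dataclass
class Decision:
    component: str
    verdict: str
    reasons: list


def _escalate(current: str, new: str) -> str:
    """A verdict can only get stricter as more rules fire."""
    return new if RANK[new] > RANK[current] else current


def evaluate(c: Component) -> Decision:
    verdict, reasons = "allow", []

    # 1. License type: black-listed blocks, grey-listed or unknown needs review.
    if c.license in BLACK_LIST:
        verdict = _escalate(verdict, "block")
        reasons.append(f"license {c.license} is black-listed")
    elif c.license == "UNKNOWN":
        verdict = _escalate(verdict, "review")
        reasons.append("license could not be identified; treat as undetected OSS")
    elif c.license in GREY_LIST or c.license in NETWORK_COPYLEFT:
        verdict = _escalate(verdict, "review")
        reasons.append(f"license {c.license} is grey-listed; legal review required")
    elif c.license not in WHITE_LIST:
        verdict = _escalate(verdict, "review")
        reasons.append(f"license {c.license} is on no list; policy must be extended")

    # 2. Software type: the same license carries different obligations depending
    #    on whether the product is distributed or offered as a network service.
    if c.license in STRONG_COPYLEFT and c.software_type in DISTRIBUTED:
        verdict = _escalate(verdict, "block")
        reasons.append("strong copyleft in a distributed product: source disclosure obligation")
    if c.license in NETWORK_COPYLEFT and c.software_type in NETWORK_SERVICE:
        verdict = _escalate(verdict, "block")
        reasons.append("network copyleft in a hosted service: source disclosure obligation")

    # 3. Security vulnerabilities: high/critical block, anything else forces review.
    for advisory, severity in c.vulns:
        verdict = _escalate(verdict, "block" if severity in {"critical", "high"} else "review")
        reasons.append(f"known vulnerability {advisory} ({severity})")

    # 4. Provenance: OSS that arrived through a vendor or contractor is still OSS.
    if c.source != "direct":
        reasons.append(f"arrived via {c.source}; the same license obligations apply")

    return Decision(c.name, verdict, reasons)


def evaluate_inventory(components) -> dict:
    return {c.name: evaluate(c) for c in components}


# Constructed inventory for demonstration: names, versions and advisory ids are made up.
SAMPLE_INVENTORY = [
    Component("fastjson-lite", "1.2.0", "Apache-2.0", "saas"),
    Component("imgcodec", "0.9.1", "GPL-2.0-only", "firmware", source="contractor"),
    Component("queue-core", "3.4.0", "AGPL-3.0-only", "saas"),
    Component("tinyxml-fork", "2.1.5", "UNKNOWN", "desktop", source="vendor SDK"),
    Component("httpclient", "4.0.2", "MIT", "mobile", vulns=[("EXAMPLE-2017-0001", "high")]),
    Component("logutil", "1.0.0", "MPL-2.0", "desktop", vulns=[("EXAMPLE-2017-0002", "low")]),
]

if __name__ == "__main__":
    for name, d in evaluate_inventory(SAMPLE_INVENTORY).items():
        print(f"{d.verdict:6} {name}: {'; '.join(d.reasons) or 'no issues'}")
```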
Audits
• Policies and process are not enough
– Undetected OSS
– Uneducated developers
– You don’t want to pay the price because OSS came in the back
door
• Expert analysis
– Outsourcing periodic audits ensures you don’t waste valuable time and resources scanning and researching OSS
– Experts help you pinpoint key issues and perform audits at a
higher level of accuracy in a shorter period of time
• M&A
– Can you trust a third party not to pass along an OSS compliance or security issue to you?
Conclusion
• Know your risks
– Legal, security, support
• Proactively manage your OSS and compliance
– Perform regular audits
– Track, educate, monitor, comply
• Benefits of OSS far outweigh risks
– Time to market, innovation, NO LICENSE FEE,
readily accessible, robust community
Wrap up and Q&A
Next steps
• Re-watch and share the on-demand webinar
• Download the Application Audit service datasheet
• See an example Open Source Audit Report
• Contact us:
– Aldin Basic
– Dave McLoughlin
