1. © 2017 Rogue Wave Software, Inc. All Rights Reserved.
Open source software:
Diligence, compliance,
and future trends
2.
Presenters
Dave McLoughlin, Dir, OSS Auditing
Rogue Wave Software
Aldin Basic, Account Executive
Rogue Wave Software
4.
Agenda
• Introduction
– Evolution of software development
– The emergence of OSS
– Prevalence of OSS today
– Common misconceptions (myths)
– Where the misconceptions come from
• Potential Risks and Litigation
– An emerging trend - compliance and copyright infringement
– Some examples of why it's occurring
– What is risky and why?
– Cost of that risk
• Remedies & Next Steps
– Education, policies, audits, training
5.
Legal disclaimer
• Rogue Wave Software, Inc. is not engaged in the rendering of legal
advice. This training class material provides legal information, which
should not be confused with legal advice
• We are not attorneys
6.
Evolution of software
• 1960-1980
– All software was free, companies sold “hardware”
– Slowly prices of hardware dropped, computers became commodities
• 1980-1990
– The rise of large software companies: Microsoft, Lotus, Word Perfect,
IBM, Oracle
– Microsoft Windows (1985), copy protection, anti-piracy
– Software Publishing Association (SPA)
• 1990-2010
– Linux (1991)
– Internet gave rise to the World Wide Web
– Netscape based on free software, eventually makes Mozilla OSS again
7.
Emergence of open source software
• Linux becomes mainstream
– RedHat - Commercial version and support of Linux (JBoss and other OSS tools and frameworks)
– Multiple stable versions become available (RHEL, CentOS, Debian,
Fedora, Ubuntu, SUSE)
• World Wide Web
– Provides mechanism to distribute and share free software
– Platform infrastructure primarily OSS – Linux, JBoss, Apache,
MySQL, PHP
• Business use
– Companies transition mission critical system infrastructure to OSS
– IoT (Mobile devices, smart home, video and audio streaming)
8.
Open source crossed the chasm
99% of Global 2000 companies are using open source in mission critical applications
9.
Common OSS myths
• It’s free so I don’t have any license obligations
– Copyright law protects authors; many have taken licensees to court or taken other legal action
• It’s in the public domain, so I can use it any way I want
– Only some OSS is public domain
– All other OSS is protected by license or copyright
• I don’t need to track it
– Many vulnerabilities in commercial software are due to OSS
– If there’s a license violation how do you remediate?
• I don’t need support, the community will help
– What do you do if your system goes down at 2am?
• If I license a commercial product that I use in my development I don’t need
to worry if it contains OSS
– It doesn’t matter where you get OSS; if you use it in products you develop, you still need to comply with the OSS license
10.
Where do the myths come from?
• OSS comes from many sources, not just direct download
– Supply chain, commercial software, contractors, out-sourcers
• Lack of education
– Developers were trained in developing software, license issues
were managed by the lawyers
– Now that developers have direct access to build OSS into
products, they need to be savvy about OSS compliance issues
• Lack of process
– Organizations have purchasing systems to manage commercial
software, but most have not built similar systems to manage OSS
• Lack of policies
– Developer may not have guidelines for OSS usage
11.
Potential risks
12.
An emerging trend: compliance and copyright infringement
• Free Software Foundation (FSF, FSFE), the Software Freedom Law
Center (SFLC) and the Software Freedom Conservancy
– De facto enforcer of GNU licenses
– Provide resources to report and enforce
• Pretty substantial increase in cases over the last 10 years
– Software Freedom Law Center (SFLC) started filing suits in 2007
with BusyBox
– For-profit copyright trolls emerging for the first time in 2016
– FSF critically refers to them as “GPL Monetizers”
– E.g. Patrick McHardy (Linux), David Fligor/Progressive LLP: Troll
lawyer searching for a project, so far no cases filed
13.
Enforcement
• Free Software Foundation (FSF) is the de facto enforcer of the
GPL license
– FSF conducts a compliance laboratory that investigates violations
– FSF is available for hire to assist companies to comply
– Partners with the Software Freedom Law Center (SFLC)
• Free Software Foundation Europe (FSFE) is a charitable registered association under German law. It is an official European sister organization of the U.S.-based Free Software Foundation (FSF)
• Original copyright holder has to bring suit
14.
Sample OSS litigation
• USA
– Linksys/Cisco (2003)
– Wallace v. FSF (2005) & Wallace v. IBM et al (2006)
– FSF v. Monsoon (2007)
– FSF vs Cisco (2009)
– Busybox vs Best Buy + 13 other companies (2009-2012)
– XimpleWare v. Versata & Ameriprise Financial (2013)
– Oracle v. Google (2015)
• GERMANY
– Welte vs Sitecom (2004)
– Welte vs Fortinet UK Ltd. (2005)
– Welte vs D-Link (2006)
– Welte vs Skype (2008)
– Welte in AVM vs Cybits case (2011)
– Welte vs Fantec (2013)
• FRANCE
– AFPA v. Edu4 (2001)
– Free/Iliad (2007)
15.
What is risky and why
• A lot of OSS gets into commercial products “undetected” by developers
– From external sources or embedded in known components
• Most “license compliance” lawsuits become “copyright infringement” cases
– Once a compliance issue is established, copyright law is used to enforce the license and protect the OSS against unlicensed use
– Cases settle immediately
• Copyright law is well established and easy to defend
– It is simply a matter of permission to use software your developers did not create, and of the protection of OSS under copyright law
– Non-compliance means you don’t have permission to use the software; without permission, the copyright holder has the right to block you from shipping your product
16.
2017 Open Source Report
17.
Cost of risk
• Companies have insurance for non-compliance with commercial software
– Manageable, expected
• Companies cannot manage cost if commercial products contain
software used without compliance or permission
– Judge can order injunction and stop shipping of product
– Can potentially affect revenue without simple recourse
18.
Managing risk
19.
Education
• Require baseline education on OSS
– Risks and challenges of OSS
– What are licenses and why they are important
– How compliance works
– Where OSS comes from – not just directly downloaded
– Responsibility and expectations
• Who should you train?
– Development
– Management
– Legal staff
20.
Policies and procedures
• Usage policies
– White list, black list, grey list
– Base policies on license type, software type, and security
vulnerabilities
• Tracking and management
– Set up who is responsible for tracking OSS
– Create a process through which developers can report and management can review
• Support and community
– Ensure you have support for mission critical apps
– Have policies on how developers can participate
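One way to turn the usage policy above into an automated build gate, as an added example that is not part of the original slides: dependencies in a constructed manifest are classified by SPDX license id against white, grey and black lists, with a security gate for known advisories. The license lists, the `Dependency` fields and the sample package names and advisory ids are assumptions of this example, not the presenters' policy.

```python
from dataclasses import dataclass, field

# Example policy lists keyed on SPDX license identifiers (an assumption of
# this example, not guidance from the slides or a recommendation).
WHITE_LIST = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
GREY_LIST = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}      # legal review
BLACK_LIST = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}  # not without approval


@dataclass
class Dependency:
    name: str
    version: str
    spdx: str                 # SPDX license id, "" when undetermined
    source: str               # direct download, vendor SDK, contractor, ...
    known_vulns: list = field(default_factory=list)  # advisory ids (placeholders)


def classify(dep: Dependency) -> str:
    """Return 'allow', 'review' or 'deny' for a single dependency."""
    if dep.known_vulns:
        return "deny"         # security gate applies regardless of license
    if not dep.spdx:
        return "review"       # unknown license is grey, never 'free'
    if dep.spdx in BLACK_LIST:
        return "deny"
    if dep.spdx in GREY_LIST:
        return "review"
    if dep.spdx in WHITE_LIST:
        return "allow"
    return "review"           # unlisted license falls back to legal review


def evaluate(manifest):
    """Decision per dependency name; a build gate fails on any 'deny'."""
    return {dep.name: classify(dep) for dep in manifest}


# Constructed sample manifest: names, versions and advisory ids are placeholders.
SAMPLE_MANIFEST = [
    Dependency("jsonlib", "1.0", "Apache-2.0", "direct download"),
    Dependency("libfoo", "2.3", "GPL-2.0-only", "vendor SDK"),  # arrived inside a commercial component
    Dependency("cryptoutil", "0.9", "MIT", "direct download", ["EXAMPLE-ADVISORY-0001"]),
    Dependency("parserlib", "4.1", "LGPL-2.1-only", "contractor"),
    Dependency("mystery", "1.2", "", "copied snippet"),
]

if __name__ == "__main__":
    for name, decision in evaluate(SAMPLE_MANIFEST).items():
        print(f"{name:12} {decision}")
```

The `source` field records where each component came from, so the "back door" cases (vendor SDKs, contractor code, copied snippets) stay visible in the review output.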
21.
Audits
• Policies and process are not enough
– Undetected OSS
– Uneducated developers
– You don’t want to pay the price because OSS came in the back
door
• Expert analysis
– Outsourcing periodic audits ensures you don’t waste valuable time and resources scanning and researching OSS
– Experts help you pinpoint key issues and perform audits at a
higher level of accuracy in a shorter period of time
• M&A
– Can you trust a third-party to not pass along an OSS compliance
or security issue to you?
22.
Conclusion
• Know your risks
– Legal, security, support
• Proactively manage your OSS and compliance
– Perform regular audits
– Track, educate, monitor, comply
• Benefits of OSS far outweigh risks
– Time to market, innovation, NO LICENSE FEE,
readily accessible, robust community
23.
Wrap up and Q&A
24.
Next steps
• Re-watch and share the on-demand webinar
• Download the Application Audit service datasheet
• See an example Open Source Audit Report
• Contact us:
– Aldin Basic
– Dave McLoughlin