Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

How to build effective and cheaper m-payments with Open Source


Published on

How can the use of open source software help you to save money and improve efficiency in m-payment app development? Our whitepaper highlights the measurable benefits and assists you on how to manage legal, security, IP and quality risks effectively.

  • Be the first to comment

  • Be the first to like this

How to build effective and cheaper m-payments with Open Source

  1. 1. Whitepaper SQS – the world’s leading specialist in software quality Accelerate deployment of mobile payments using Open Source Understand the benefits and how to govern its use effectively Introduction Mark Driver of Gartner states that “Open source is ubiquitous. Having a policy against open source is impractical and places you at a competitive disadvantage”. The financial services and payments industry is undergoing major change as a result of advances in mobile technology, software, social media and higher consumer expectations. Here we examine the opportunity that open source presents for the financial sector. We establish how open source software can speed up the development of mobile financial services, while reducing costs, improving quality and accelerating uptake. This paper also highlights the importance of understanding exactly what open source components are in use within an organisation, and whether the legal, security, intellectual property and quality risks are being effectively managed. Author: Julian Brook Associate Director SQS Group Limited, United Kingdom Published: March 2014
  2. 2. Page 2© SQS Group 2014 Whitepaper | Accelerate deployment of mobile payments using Open Source Marc Andreesen said that “software is eating the world” and Jeffrey Hammond of Forrester believes that software costs 90 % less to develop today than in 1999. No wonder then that software is shaking up every industry: Amazon is now bigger than Waterstones, Netflix has superseded Blockbuster and Spotify and iTunes have replaced HMV. The financial services industry is no different and is being transformed by software too. New financial services models, customer channels and competition are reaching the market faster than ever before. These include: • Mobile payments services that enable customers to send money to each other include PingIt, Swish and the upcoming Mobile Payments Service from the Payments Council • E-wallets such as, MasterPass, Google Wallet, PayPal, Weve and Monitise • Mobile payments services enable customers to pay for goods and services in shops such as PayPal’s pay-by-face feature • Mobile Chip and PIN payments services that make it easier and cheaper for small merchants to accept credit and debit cards like CardEase, InuitPay or iZettle • Peer lending models such as Zopa, RateSetter and FundingCircle EngageMobile states that by 2014 mobile internet use is predicted to overtake desktop internet use, and therefore unsurprisingly mobile is central to the majority of these new services. Mobile provides customers with a convenient and personalised service. Mobile also allows organisations to connect more deeply with their customers, enabling them to offer more services and increase brand loyalty. SQS’ experience shows that within the established financial services sector the use of open source is ad hoc, supported by policies that are overly restrictive. Visibility of what open source is actually in use within an organisation stands at approximately 50 %, and this typically reflects the best case organisation. 1. Background SQS’ Open Source solution increases speed to market for a leading global mobile money platform SQS implements open source management and governance for an organisation that provides a new mobile payment platform specifically designed for financial institutions, MNOs and distribution partners. This solution enables developers to continue to use open source code and components to accelerate soft- ware development, while at the same time providing visibility of what open source is used and where to ensure it aligns with quality and security policies and that compliance and legal risks are covered. Live Example 1
  3. 3. Page 3© SQS Group 2014 Whitepaper | Accelerate deployment of mobile payments using Open Source 2. Enabling Rapid Innovation Ensuring that innovative services reach the market quickly is often critical to their success. Organisations must focus time and effort on the unique selling proposition (USP) and not on commodity functionality that is already available. Alongside organisational, cultural and development process changes, open source software helps to foster innovation. According to Black Duck Software there are over one million open source projects representing over 100 billion lines of code (LOC) or approximately 10 million person years of soft- ware development. The sheer number and variety of projects enables organisations to reuse these existing building blocks of commodity functionality and focus on developing innovative USPs. A recent study carried out by IT analyst firm Forrester of 542 developers suggested that as many as 92 % of banks have been using open source software (OSS) to develop mobile apps. Figure 1 shows that the number of mobile projects is growing rapidly, and Black Duck reports that there are over 35,000 mobile related projects including 28,000 targeting Android and 7,000 for iOS. Many of these are relevant for mobile financial services: • Near Field Communication – projects such as openNFC, Linux NFC project, NFC tools and libNFC with related wrappers for various languages • Encryption – libraries including OpenSSL, BouncyCastle, libtomcrypt, libgcrypt, crypto++, SQLcipher, StrongSwan and Crypton • Financial – projects like quantlib, OpenMAMA, A+, OpenGamma, OpenAdaptor, Open Bank Project • Payments – APIs for devices from Simplify, Handpoint and messaging apps like ussdgateway • Mobile UI – widgets and frameworks – jQT, ZK Framework, ipfaces, phonegap, Slide MwF Navigation View Controller Open source software also represents a different way of working. As a copyright owner releases software under an open source license, communities often form around the software and contribute to its maintenance and future growth. This collaborative development approach is hugely powerful: many of the world’s most talented software engineers are passionate about supporting and improving specific open source projects. Dubbed “inner-sourcing”, this collaborative, community style development approach is now starting to be adopted within organisations to channel the nascent energy and passion for new ideas from internal engineering resources to deliver inno- vation. Inner-sourcing also complements the agile development approach allowing communities to self-organise to meet business and technical needs in unimagined ways. Figure 1: New Mobile OSS Projects (Source: Black Duck Software) New Mobile OSS Projects Android iOS Other Mobile Platforms 201220112010200920082007 20,000 17,500 15,000 12,500 10,000 7,500 5,000 2,500 0
  4. 4. Page 4© SQS Group 2014 Whitepaper | Accelerate deployment of mobile payments using Open Source Just look at how organisations such as Google, Amazon, Face- book and extensively use open source components in their software, products and websites and also release non-USP software and components under open source licenses. Figure 2 shows open source software is helping organisations in many different ways including: 1. Faster customer uptake: by reusing UI components and touch screen interactions that customers are already familiar simplifies the use of software. Releasing code to the open source community can encourage developers to embed a new service into a wide variety of applications, web sites and services which helps to speed up market penetration. 2. Bring software to market more quickly: open source software is often at the forefront of new technology. Organisations are able to leverage this to bring new services and features to market more quickly. 3. Improve flexibility: open source software tends to use open standards and therefore reduces vendor or technology lock in. This provides the flexibility to change direction more easily in the future. 4. Reduce development costs: using open source not only means reducing software purchasing costs, it also means less development effort, less testing effort and over time reduced maintenance effort. Similar to above, using open standards also reduces costs by avoiding vendor and technology lock in. 5. Improve quality: using software that has already been proven in the field reduces the likelihood of quality issues. Access to source code also reduces dependency on a third party and empowers users to either fix issues directly or ask the community of developers if they are unable to resolve an issue. Lowering the company’s overall operating costs Improving quality of products and/or processes Achieving faster time-to-market Driving innovative new market offerings or business practices Acquiring and retaining customers Managing our customer relationships Re-engineering core business processes Figure 2: A commissioned study conducted by Forrester Consulting on behalf of Unisys (Percentages may not total 100 because of rounding) “Please rate the extent to which you agree or disagree with the statement that open source software can help your company achieve the following business goals” (N = 486) 10 % 12 % 21 % 14 % 33 % 31 % 19 % 28 % 31 % 29 % 37 % 36 % 33% 36% 33 % 39 % 33 % 36 % 18 % 21 % 35 % 29 % 17 % 15 % 12 % 11 % 14 % 14 % Not at all important ... ... Very important N.A. / Don’t know
  5. 5. Page 5© SQS Group 2014 Whitepaper | Accelerate deployment of mobile payments using Open Source Common component of e.g. HDTVs, DVD players, using the GPL v2 licence Busybox code inserted in electronic components Components used in HDTVs and DVD players Reseller of the HDTVs and DVD players 3. What are the Risks? Without suitable governance processes, open source does present risks which can impact brand, competitive advantage and the bottom line. Risks increase when open source has been used in an ad-hoc and unstructured manner. The risks include: 1. Legal: although open source software is free of charge, it is still licensed like any other software. Users need to ensure that any open source software use is in compliance with each and every license. Some licenses prohibit commercial use, while others may impact on intellectual property (see below). Many require an attribution regarding their use and a few licenses have rude names. Some software may infringe third party patents. The legal implications for an organisation can only be fully understood if there is clear visibility of the level of open source in use. 2. Intellectual Property (IP): some open source licenses require their license terms to be applied either to the entire piece of software the open source is included in or to any modifications made to the open source code. This reciprocal concept is also known as “copyleft” and some commentators refer to these types of licenses as “viral licenses”. Not only does this prevent an appropriate proprietary license being applied to the software under development, these license terms usually include the requirement to provide the source code also. This means that the proprietary code within a piece of software may also need to be made available. The most well- known reciprocal open source license is the GNU General Public License (GPL), but there are others too. Licensing obligations are often only triggered when the software is distributed. So when an organisation starts to develop mobile applications, and distributes applications for the first time, it often does not have the relevant expertise in place to ensure these risks are controlled. Figure 3 shows how this has affected the embedded software industry. 3. Security: Security is critical to confidence in existing and new financial services. We have become accustomed to ensuring that our Microsoft Windows operating system and web browser is kept up-to-date to protect against new security vulnera- bilities. In the same way, open source components can also be affected by security issues. It is worth noting that open source code is often argued to bring security benefits due to its open, peer reviewed nature and the speed of security fixes. However, without knowing what code and components are in use, how can an organisation and its customers be protected from new security threats in those components? Key questions when determining security risks are: • What security vulnerabilities are already known? • What is the provenance of this code? • What does code really do and is it malicious in any way? Figure 3: An example of a software supply chain resulting in a legal action 14 electronics manufacturers are sued by Software Freedom Law Center (SFLC) in violation of the governing of the open source software. US court stopped distribution of all out-of-compliance software.
  6. 6. Page 6© SQS Group 2014 Whitepaper | Accelerate deployment of mobile payments using Open Source 4. Quality: As with all code, some is well written adhering to good software engineering practices and coding standards and accompanied by good unit tests and documentation and other software may fall short of expected standards, may not be a suitable technical fit for the overall software architecture or may lead to technology proliferation. The open nature of this software also means communities can splinter or disappear when a better technology/approach comes along. The communities also may not subscribe to an organisation’s particular agenda or provide a service level agreement, which can lead to support issues. SQS audits UK’s first m-payment service for Open Source issues SQS helped Europe’s first retail bank to find code and components used within its application, a contactless money-sending service for smartphones, allowing current account customers to send and receive cash using their mobiles. The team successfully worked in partnership to audit the code as part of the bank’s legal and compliance governance processes. As a result, SQS determined the license compliance and legal risks as well as obligations that were triggered by distributing the application to customer’s phones from the open source it contained. Live Example 2
  7. 7. Page 7© SQS Group 2014 Whitepaper | Accelerate deployment of mobile payments using Open Source 4. Governing Open Source With the benefits outlined, there is no wonder that financial organisations are looking to take full advantage of open source as part of the mobile and wider software development mix. However, many financial organisations have no strategy, policy or process in place for the governance of open source. This means they are at best using open source in a non-strategic manner, or worse still proactively avoiding its use. The result is that open source is unlikely to be delivering the maximum business benefit. As open source software can easily be downloaded by deve- lopers from the internet free of charge, the due diligence that would usually be overseen by the procurement department when bringing third party software into an organisation is not undertaken. This leads to unmanaged risks. Having a policy and process to maximise and govern positive open source use helps organisations to realise the full benefits of open source and manage the risks appropriately. Initially, the organisation needs a clear vision and strategy on the levels of engagement with open source. Key questions include: • How will open source be consumed? • How will teams contribute to open source projects? • How does open source align with business strategy? Answers can inform the policy and process, and determine how to: • align technical, legal, security, procurement and other teams to achieve a suitable level of due diligence when selecting open source and automate decisions around open source as much as possible • avoid introducing issues and risk in the first place • detect and catalogue open source usage as software is developed Good software development governance brings further benefits such as increased standardisation of the code and components in use across an application estate; this helps focus technical knowledge and expertise of open source software used and increases resource flexibility across the organisation.
  8. 8. Page 8© SQS Group 2014 Whitepaper | Accelerate deployment of mobile payments using Open Source Software is essential to capitalise on the opportunities the mobile ecosystem offers to both established financial services organisations and new entrants. Developing this software quickly, making it easy-to-use and encouraging its rapid uptake is critical to its success. There are already vast resources of open source code, libraries and applications, and this is being added to every day. By using open source software when developing applications avoids the need to reinvent the wheel and enables organisations to focus on innovation while saving time and money. Releasing code into the open source community can also help seed and drive uptake of a new technology or service. However, open source also presents risks. The right strategy and relevant governance processes will ensure that organisations can strike the right balance between the benefits open source brings and the risks. “Open source is ubiquitous. Having a policy against open source is impractical and places you at a competitive disadvantage” Mark Driver – Gartner 5. Summary
  9. 9. Page 9© SQS Group 2014 Whitepaper | Accelerate deployment of mobile payments using Open Source 6.1. About SQS SQS is the world’s leading software quality specialist. As part of its portfolio of services, SQS assists organisations to implement open source software and techniques. SQS services support business transformation and increase the productivity of software development while ensuring governance processes manage associated risks. SQS also provides a full range of technical due diligence and audit services for mergers and acquisitions and outsourcing. SQS partners with Black Duck Software to help organisations build better software faster with open source. 6.2. What is Open Source? Open source software ranges from complete operating systems, enterprise application suites and individual applications through to components and widgets that perform very specific functions. There are various definitions of open source software. One of the most common definitions is the Open Source Initiative (OSI) Open Source Definition (OSD) – see 7.3. The fundamental differences relate to: • Free redistribution: This is the most obvious business benefit. Whereas most proprietary software imposes a fee for its redistribution and use, open source may not restrict the redistribution of software with a fee. • Source code: This is the key technical benefit. Source code is analogous to the secret recipe of the software. Without this you cannot fundamentally change the behaviour of the software or fix bugs that may affect you. In most cases, proprietary software does not provide access to source code. This means you are dependent on the 3rd party software licensor to provide you with updates or bug fixes. Open source does provide access to the source code so you have more flexibility with the open software components you choose to use. However, there is one important similarity between open source and proprietary software; that is that the software is licensed. A software license broadly includes: • Copyright statements: Who the legal owner is • Definitions: The meanings of various terms used in the license • Grant of license: Who the license is granted to • Usage rights: How the software may be used • Obligations: What you must do if you use the software • Warranty statements: What warranties are included or excluded • Disclaimers: Things like limitations of liability All software licenses are different. Not all licenses will include all of the information above. Not all licenses will comply with the OSI definition. The top 10 most commonly used licenses for open source projects according to Black Duck on 1st July 2013 are: 1. GNU General Public License (GPL) 2.0 2. Apache License 2.0 3. GNU General Public License (GPL) 3.0 4. MIT License 5. BSD License 2.0 6. Artistic License (Perl) 7. GNU Lesser General Public License (LGPL) 2.1 8. GNU Lesser General Public License (LGPL) 3.0 9. Eclipse Public License (EPL) 10. Code Project Open 1.02 License 6. Appendix
  10. 10. Page 10© SQS Group 2014 Whitepaper | Accelerate deployment of mobile payments using Open Source 6.3. The Open Source Initiative: The Open Source Definition Introduction Open source doesn’t just mean access to the source code. The distribution terms of open-source software must comply with the following criteria: 1. Free Redistribution The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources. The license shall not require a royalty or other fee for such sale. 2. Source Code The program must include source code, and must allow dis- tribution in source code as well as compiled form. Where some form of a product is not distributed with source code, there must be a well-publicized means of obtaining the source code for no more than a reasonable reproduction cost preferably, downloading via the Internet without charge. The source code must be the preferred form in which a programmer would modify the program. Deliberately obfuscated source code is not allowed. Intermediate forms such as the output of a preprocessor or translator are not allowed. 3. Derived Work The license must allow modifications and derived works, and must allow them to be distributed under the same terms as the license of the original software. 4. Integrity of The Author’s Source Code The license may restrict source-code from being distributed in modified form only if the license allows the distribution of “patch files” with the source code for the purpose of modifying the program at build time. The license must explicitly permit distribution of software built from modified source code. The license may require derived works to carry a different name or version number from the original software. 5. No Discrimination Against Persons or Groups The license must not discriminate against any person or group of persons. 6. No Discrimination Against Fields of Endeavor The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research. 7. Distribution of License The rights attached to the program must apply to all to whom the program is redistributed without the need for execution of an additional license by those parties. 8. License Must Not Be Specific to a Product The rights attached to the program must not depend on the program’s being part of a particular software distribution. If the program is extracted from that distribution and used or distributed within the terms of the program’s license, all parties to whom the program is redistributed should have the same rights as those that are granted in conjunction with the original software distribution. 9. License Must Not Restrict Other Software The license must not place restrictions on other software that is distributed along with the licensed software. For example, the license must not insist that all other programs distributed on the same medium must be open-source software. 10. License Must Be Technology-Neutral No provision of the license may be predicated on any individual technology or style of interface. Reproduced from under the Creative Commons Attribution 3.0 license
  11. 11. Page 11© SQS Group 2014 Whitepaper | Accelerate deployment of mobile payments using Open Source © SQS Software Quality Systems AG, Cologne 2014. All rights, in particular the rights to distribution, duplication, translation, reprint and reproduction by photomechanical or similar means, by photocopy, microfilm or other electronic processes, as well as the storage in data processing systems, even in the form of extracts, are reserved to SQS Software Quality Systems AG. Irrespective of the care taken in preparing the text, graphics and programming sequences, no responsibility is taken for the correctness of the information in this publication. All liability of the contributors, the editors, the editorial office or the publisher for any possible inaccuracies and their consequences is expressly excluded. The common names, trade names, goods descriptions etc. mentioned in this publication may be registered brands or trademarks, even if this is not specifically stated, and as such may be subject to statutory provisions. SQS Software Quality Systems AG Phone: +49 2203 9154-0 | Fax: +49 2203 9154-55 |