Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Jeff Luszcz on Open Source Compliance

330 views

Published on

Jeff Luszcz on Open Source Compliance

Compliance is still a personality driven process
When influencers leave, a company’s compliance process often falls apart
Bus Factor=<1 at many companies
Experience levels vary greatly across the industry
BOM Inventory depends on who performed or what process was followed. Same project could report 10 or 1000 libraries depending on tool or person.
Analysis Paralysis is a double edged sword
First reviews lead to either NO reviews or MORE reviews
Remediation is an ART not a Science

The number of packages in a BOM has moved past where humans can easily monitor using spreadsheets

The build environment and tool chain are being ignored by compliance teams at the same time targeted Supply Chain Attacks are increasing

We need to start requiring accurate BOMS in contracts with real teeth

“Internal Audit” is waking up to OSS issues

Pressure building for new FOSS licenses / models

OpenChain has a bright future! Well respected and outside knowledge is growing

Published in: Software
  • Be the first to comment

  • Be the first to like this

Jeff Luszcz on Open Source Compliance

  1. 1. 15 YEARS IN OPEN SOURCE COMPLIANCE Jeff Luszcz jeff@luszcz.com @JeffLuszcz
  2. 2. 15 YEARS IN OPEN SOURCE COMPLIANCE INTRODUCTION – JEFF LUSZCZ  Founded Palamida in 2004  One of the first Scanning tools to manage FOSS  Designed compliance audit program and built out Professional Services team to implement it  Team helped everything from basic compliance, M&A due diligence, and open source project hygiene  Everyone from sole proprietors to largest software companies in the world  Witnessed industry move from dozens of OSS packages to 1000s of packages per BOM
  3. 3. THINGS LEARNED ALONG THE WAY  Compliance is still a personality driven process  When influencers leave, a company’s compliance process often falls apart  Bus Factor=<1 at many companies  Experience levels vary greatly across the industry  BOM Inventory depends on who performed or what process was followed. Same project could report 10 or 1000 libraries depending on tool or person.  Analysis Paralysis is a double edged sword  First reviews lead to either NO reviews or MORE reviews  Remediation is an ART not a Science
  4. 4. WHAT IS HARD FOR COMPANIES?  New code is valued over “maintenance” and no dev cycles are earmarked for compliance*  (*outside of post M&A work)  Top level package licenses can be managed but inner- package licensing is difficult to understand  The typical BOM undercounts by 99%!  Each layer (build, dev, deployed) is managed by different teams who all are scared to call the lawyers  “Here be dragons issues” like Old code with non- standard licenses from dead people
  5. 5. WHAT’S ON THE HORIZON  The number of packages in a BOM has moved past where humans can easily monitor using spreadsheets  The build environment and tool chain are being ignored by compliance teams at the same time targeted Supply Chain Attacks are increasing  We need to start requiring accurate BOMS in contracts with real teeth  “Internal Audit” is waking up to OSS issues  Pressure building for new FOSS licenses / models  OpenChain has a bright future! Well respected and outside knowledge is growing
  6. 6. THANKS! CONTACT: Jeff Luszcz jeff@luszcz.com @JeffLuszcz

×