Successfully reported this slideshow.
Your SlideShare is downloading. ×

Jeff Luszcz on Open Source Compliance

Oct. 03, 2019
0 likes 430 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
OpenChain Monthly Meeting - North America / Asia - 2023-03-21
OpenChain Monthly Meeting - North America / Asia - 2023-03-21
Loading in …3
×

Check these out next

Open Compliance Summit 2022 - Opening Keynote
Shane Coughlan
Open Compliance Summit 2022 - Opening Keynote
Shane Coughlan
OSPO Summit 2022 - OpenChain
Shane Coughlan
OpenChain @ 第二届 全球DSO敏捷安全大会
Shane Coughlan
Alibaba Standardization Summit 2022
Shane Coughlan
OpenChain Germany Work Group Meeting 2022-11-16
Shane Coughlan
OpenChain-Monthly-Meeting-2022-11-15
Shane Coughlan
OpenChain Monthly Meeting 2022-11-01
Shane Coughlan
1 of 6 Ad

Jeff Luszcz on Open Source Compliance

Oct. 03, 2019
0 likes 430 views

Download to read offline

Software

Jeff Luszcz on Open Source Compliance

Compliance is still a personality driven process
When influencers leave, a company’s compliance process often falls apart
Bus Factor=<1 at many companies
Experience levels vary greatly across the industry
BOM Inventory depends on who performed or what process was followed. Same project could report 10 or 1000 libraries depending on tool or person.
Analysis Paralysis is a double edged sword
First reviews lead to either NO reviews or MORE reviews
Remediation is an ART not a Science

The number of packages in a BOM has moved past where humans can easily monitor using spreadsheets

The build environment and tool chain are being ignored by compliance teams at the same time targeted Supply Chain Attacks are increasing

We need to start requiring accurate BOMS in contracts with real teeth

“Internal Audit” is waking up to OSS issues

Pressure building for new FOSS licenses / models

OpenChain has a bright future! Well respected and outside knowledge is growing

Jeff Luszcz on Open Source Compliance

Compliance is still a personality driven process
When influencers leave, a company’s compliance process often falls apart
Bus Factor=<1 at many companies
Experience levels vary greatly across the industry
BOM Inventory depends on who performed or what process was followed. Same project could report 10 or 1000 libraries depending on tool or person.
Analysis Paralysis is a double edged sword
First reviews lead to either NO reviews or MORE reviews
Remediation is an ART not a Science

The number of packages in a BOM has moved past where humans can easily monitor using spreadsheets

The build environment and tool chain are being ignored by compliance teams at the same time targeted Supply Chain Attacks are increasing

We need to start requiring accurate BOMS in contracts with real teeth

“Internal Audit” is waking up to OSS issues

Pressure building for new FOSS licenses / models

OpenChain has a bright future! Well respected and outside knowledge is growing

Software
Advertisement

Recommended

OpenChain Monthly Meeting - North America / Asia - 2023-03-21
Shane Coughlan
30 views
26 slides
OpenChain Monthly Meeting 2023-02-21 (North America and Asia)
Shane Coughlan
60 views
21 slides
OpenChain Monthly Meeting North America - Europe - 2023-02-07
Shane Coughlan
95 views
21 slides
OpenChain Overview Slides - 02-2023
Shane Coughlan
167 views
42 slides
OpenChain-Monthly-Meeting-2023-01-17
Shane Coughlan
42 views
27 slides
OpenChain Monthly Meeting (US / Europe) 2023-01-03
Shane Coughlan
73 views
25 slides
Open Compliance Summit - Export Control Informal Discussion
Shane Coughlan
33 views
11 slides
Open Compliance Summit 2022 – State of the Union from Mike Dolan, SVP and GM ...
Shane Coughlan
31 views
18 slides
Advertisement

More Related Content

More from Shane Coughlan (20)

Open Compliance Summit 2022 - Opening Keynote
Shane Coughlan
94 views
Open Compliance Summit 2022 - Opening Keynote
Shane Coughlan
26 views
OSPO Summit 2022 - OpenChain
Shane Coughlan
31 views
OpenChain @ 第二届 全球DSO敏捷安全大会
Shane Coughlan
14 views
Alibaba Standardization Summit 2022
Shane Coughlan
47 views
OpenChain Germany Work Group Meeting 2022-11-16
Shane Coughlan
3 views
OpenChain-Monthly-Meeting-2022-11-15
Shane Coughlan
56 views
OpenChain Monthly Meeting 2022-11-01
Shane Coughlan
32 views
OpenChain @ OSPOlogy.live Sweden 2022
Shane Coughlan
52 views
OpenChain Project Slide Templates 2023 - Version 1
Shane Coughlan
3 views
OpenChain @ Bitkom Forum Open Source 2022
Shane Coughlan
23 views
Open Source Software Licence Compliance: Art or science?
Shane Coughlan
104 views
Open Source Compliance Automation Capability Map
Shane Coughlan
103 views
OpenChain @ RIOS Open-Source Hardware IP Licensing and Policy Workshop
Shane Coughlan
47 views
OpenChain Telco - 2022-02-03
Shane Coughlan
225 views
OpenChain Automation Case Study - September to December 2021
Shane Coughlan
1.6k views
OpenChain Continual Improvement Case Studies
Shane Coughlan
356 views
OpenChain Automation Case Study - September to December 2021
Shane Coughlan
345 views
OpenChain Japan Work Group Meeting #20 - Case Studies
Shane Coughlan
175 views
FOSSLight Open Source Project
Shane Coughlan
328 views
Open Compliance Summit 2022 - Opening Keynote
Shane Coughlan
94 views
24 slides
Open Compliance Summit 2022 - Opening Keynote
Shane Coughlan
26 views
24 slides
OSPO Summit 2022 - OpenChain
Shane Coughlan
31 views
11 slides
OpenChain @ 第二届 全球DSO敏捷安全大会
Shane Coughlan
14 views
11 slides
Alibaba Standardization Summit 2022
Shane Coughlan
47 views
12 slides
OpenChain Germany Work Group Meeting 2022-11-16
Shane Coughlan
3 views
42 slides

Recently uploaded (20)

doku.pub_elegant-objects-by-yegor-bugayenko.pdf
Pablo Ismael Sanchez Rijo
0 views
How to Talk So Kids Will Listen & Listen So Kids Will Talk
robertseverino5
3 views
The God Delusion
carolynguyen
5 views
Klara and the Sun
robertseverino5
2 views
Timelines of Everything
carolynguyen
5 views
The YouTube Formula: How Anyone Can Unlock the Algorithm to Drive Views, Buil...
carolynguyen
5 views
WaTZ: A Trusted WebAssembly Runtime Environment with Remote Attestation for T...
Jämes Ménétrey
0 views
Llama Llama Easter Egg
carolynguyen
2 views
The Ultimate Road Trip: Family Vacation Collection
robertseverino5
3 views
1.pptx
JohnnielMar1
0 views
01.cb1.ppt
ChocolatJames1
2 views
Advantage of CRM.pdf
Elatesoft
0 views
Super Fly Guy (Fly Guy, #2)
robertseverino5
4 views
WebAssembly as a Common Layer for the Cloud-edge Continuum - Presentation slides
Jämes Ménétrey
0 views
What is Sales Management.pdf
Elatesoft
0 views
Not a book
robertseverino5
5 views
Anatomy Coloring Book
robertseverino5
4 views
We Own This City: A True Story of Crime, Cops, and Corruption
robertseverino5
3 views
Robert's Rules of Order
robertseverino5
3 views
Cuenta Con Dr. Seuss 1 2 3
carolynguyen
2 views
doku.pub_elegant-objects-by-yegor-bugayenko.pdf
Pablo Ismael Sanchez Rijo
0 views
234 slides
How to Talk So Kids Will Listen & Listen So Kids Will Talk
robertseverino5
3 views
1 slide
The God Delusion
carolynguyen
5 views
1 slide
Klara and the Sun
robertseverino5
2 views
1 slide
Timelines of Everything
carolynguyen
5 views
1 slide
The YouTube Formula: How Anyone Can Unlock the Algorithm to Drive Views, Buil...
carolynguyen
5 views
1 slide
Advertisement

Jeff Luszcz on Open Source Compliance

  1. 1. 15 YEARS IN OPEN SOURCE COMPLIANCE Jeff Luszcz jeff@luszcz.com @JeffLuszcz
  2. 2. 15 YEARS IN OPEN SOURCE COMPLIANCE INTRODUCTION – JEFF LUSZCZ  Founded Palamida in 2004  One of the first Scanning tools to manage FOSS  Designed compliance audit program and built out Professional Services team to implement it  Team helped everything from basic compliance, M&A due diligence, and open source project hygiene  Everyone from sole proprietors to largest software companies in the world  Witnessed industry move from dozens of OSS packages to 1000s of packages per BOM
  3. 3. THINGS LEARNED ALONG THE WAY  Compliance is still a personality driven process  When influencers leave, a company’s compliance process often falls apart  Bus Factor=<1 at many companies  Experience levels vary greatly across the industry  BOM Inventory depends on who performed or what process was followed. Same project could report 10 or 1000 libraries depending on tool or person.  Analysis Paralysis is a double edged sword  First reviews lead to either NO reviews or MORE reviews  Remediation is an ART not a Science
  4. 4. WHAT IS HARD FOR COMPANIES?  New code is valued over “maintenance” and no dev cycles are earmarked for compliance*  (*outside of post M&A work)  Top level package licenses can be managed but inner- package licensing is difficult to understand  The typical BOM undercounts by 99%!  Each layer (build, dev, deployed) is managed by different teams who all are scared to call the lawyers  “Here be dragons issues” like Old code with non- standard licenses from dead people
  5. 5. WHAT’S ON THE HORIZON  The number of packages in a BOM has moved past where humans can easily monitor using spreadsheets  The build environment and tool chain are being ignored by compliance teams at the same time targeted Supply Chain Attacks are increasing  We need to start requiring accurate BOMS in contracts with real teeth  “Internal Audit” is waking up to OSS issues  Pressure building for new FOSS licenses / models  OpenChain has a bright future! Well respected and outside knowledge is growing
  6. 6. THANKS! CONTACT: Jeff Luszcz jeff@luszcz.com @JeffLuszcz

Editor's Notes

  • We quickly discovered we need the human touch as well
  • In terms of maturity We don’t have this problem with financial compliance
    Experience impacts trust
    Still at the mercy of the right person being in the right place at the right time, affects the trustworthiness of a company
    Analysis paralysis: can lead to either ignoring the problem and pushing off compliance OR calling in the experts to fix things ASAP
    If we did a scan and everything was MIT or Apache 2.0 no one would have problems deciding to run a scan
  • In 2019 we are still not scheduling time for compliance
    Old code with non-standard licenses from dead people: this is problem with some of our core infrastructure that I hope projects like Clearly Defined or similar can help fix
    We all probably have “That File” or “That Package” we wish could get cleared up

  • There are holes in which we are monitoring. The build environment. I’m very concerned about this
    I’m still amazed that the level of quality in BOMs produced by companies is so large.
    The company with the better BOM can sometimes be penalized and that’s just wrong.

    In my interactions with companies who are not on the open chain calls, there is growing awareness. They are happy to see this, even if they don’t feel they can offer any help.




×