© 2016 Rogue Wave Software, Inc. All Rights Reserved. 1
Identifying and Managing the Risks of Open
Source Software for PHP Developers
Dave McLoughlin, Rogue Wave
Identifying and Managing the Risks of Open Source Software for PHP Developers
Do you really need to worry about using open source software when developing commercial applications? In this session we'll talk about the key risk areas, how to identify and quantify the risk, and what steps, if any, are needed to deal with it.
After this session you'll be better equipped to assess these risks, with no-nonsense steps for managing your OSS so you can rest easy rather than worrying about whether these issues will affect you or your business.
The session will include:
• Key risk areas and how to identify them
• Common use case scenarios
• Understanding and developing risk remediation strategies for OSS use
Legal disclaimer
• Rogue Wave Software, Inc. is not engaged in the rendering of legal advice. This material provides
legal information, which should not be confused with legal advice.
• I am not an attorney
Risks and challenges of open source software
OSS statistics
• According to Gartner, 99% of Fortune 2000 companies use OSS in the development of their products
• Flexera developer study:
– Only 37% of respondents had an open source acquisition or usage policy.
– Sixty-three percent said either that their companies did not have an open source acquisition or usage policy, or that they did not know if one existed.
– Thirty-nine percent of respondents said that either no one within their company was responsible for open source compliance, or they did not know who was.
– Thirty-three percent of respondents said their companies contributed to open source projects.
– Of the 63 percent who said their companies did not have an open source acquisition or usage policy, 43 percent said they contributed to open source projects.
Real costs of open source
Risks
• Myths - lack of understanding of issues
• Legal - potential lawsuits, copyright infringement
• Security – vulnerable applications, loss of data, PR, customer impact
• Support – exposure for mission critical applications
• Maintenance – cost of updates, slow development
• Training – inefficient use of OSS, poor implementation
• Operational – wasted time and resources
• Others?
Unique risks for PHP developers
• Implementation
– Usually web-based, so greater exposure to attackers
• Licenses
– PHP license
• Deployment infrastructure
– The infrastructure components most used for PHP development may pose additional risk
• Security
– PHP has over 550 reported CVEs, 24th all-time leader
OSS myths we still see today
• It's free, so I don't have any license obligations
– Copyright law protects authors; many have taken licensees to court
• It's free, so unlike commercial software, I don't need to track it
– Many vulnerabilities in commercial software are due to OSS
– If there's a license violation, how do you remediate it?
• It's in the public domain, so I can use it any way I want
– Only some OSS is public domain
– All the rest is protected by license and copyright
Legal risks
• Violation action or lawsuit
• License violation – license termination
• Copyright infringement
• Legal fees, damages
• Injunction
• Remediation costs to replace code in violation
Sample OSS litigation
• USA
– Linksys/Cisco (2003)
– Wallace v. FSF (2005) & Wallace v. IBM et al. (2006)
– FSF v. Monsoon (2007)
– FSF v. Cisco (2009)
– BusyBox v. Best Buy + 13 other companies (2009-2012)
– XimpleWare v. Versata & Ameriprise Financial (2013)
– Oracle v. Google (2015)
• GERMANY
– Welte v. Sitecom (2004)
– Welte v. Fortinet UK Ltd. (2005)
– Welte v. D-Link (2006)
– Welte v. Skype (2008)
– Welte in the AVM v. Cybits case (2011)
– Welte v. Fantec (2013)
• FRANCE
– AFPA v. Edu4 (2001)
– Free/Iliad (2007)
Non-court actions
• A developer reached out to a large mobile phone manufacturer about OSS use in a phone
– The reaction was swift
– The company now audits all software developed or acquired
• FSF and FSFE (gpl-violations.org) – notices of compliance issues
– The FSF website has a link for reporting license violations
– They routinely send notices of violation and warnings
Oversimplified OSS license primer
• Two basic types of licenses: copyleft and permissive
– Copyleft licenses pose by far the greatest risk
– Most lawsuits and violation actions to date have been over copyleft licenses
– FSF, FSFE, and the Software Freedom Conservancy proactively enforce the GNU licenses (which are copyleft)
• You must determine the license of OSS before you use it, but that's not easy
– Not all projects have licenses
– Licenses can change over time
– Developers will incorrectly name the license they use, e.g. a project described as "BSD-like" that is actually under MIT
– Just because a project is under one license doesn't mean there isn't embedded OSS under a different license
Types of licenses
• Copyleft
– Two main attributes of these licenses
• You must provide source code to the people you distribute your application to
• The work must be licensed under the original license (i.e. you can't change the terms once you use it in your application)
• Permissive
– Sometimes called attribution licenses
– You should give credit for use
– Retain or add copyright notices
– Distribute a copy of the license
– Document modifications
Managing legal risks
• What can you do?
– Learn about OSS licenses (tons of great resources)
– Record license information for the packages you use
– Consult your management and legal staff
– Develop a compliance program
– Perform regular license audits of your code
– Keep source versions of all OSS you use (copyleft licenses require it)
• Tools
– Commercial – FOSSA, FossID, Flexera, Black Duck
– OSS – GitHub, FOSSology, nexB
– Internet – tldrlegal.com, Wikipedia
The PHP License
• PHP Codebase
– PHP 4, PHP 5 and PHP 7 are distributed under the PHP License v3.01, copyright (c) the PHP Group.
• This is an Open Source license, certified by the Open Source Initiative.
• The PHP license is a BSD-style license which does not have the "copyleft" restrictions associated with the GPL.
– Some files have been contributed under other (compatible) licenses and carry additional requirements and copyright information. This is indicated in the license + copyright comment block at the top of the source file.
– Practical Guidelines:
• Distributing PHP
• Contributing to PHP
• PHP Documentation
– The PHP manual text and comments are covered by the Creative Commons Attribution 3.0 License, copyright (c) the PHP Documentation Group
FOSSology
Tldrlegal.com
nexB scan-toolkit
Security risks
• Unmonitored vulnerabilities and zero-days
• Loss of data
• PR issues, loss of credibility
• Confidential customer information
Managing security risks
• What can you do?
– Track your OSS by version
– Create policies on OSS usage based on known vulnerabilities; keep lists of banned OSS
– Monitor the NVD and project homepages
– Have a plan; don't wait until a vulnerability affects you to figure out how to upgrade
– Purchase support and maintenance for mission-critical components
• Tools
– Commercial – Rogue Wave, Red Hat
– Open source – OpenVAS
– Internet – NVD and CVE Details sites, VersionEye
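The inventory that the legal and security slides above both ask for (track every package by version, record its license, flag copyleft and banned components) can be built straight from a PHP project's composer.lock. The script below is an added example, not part of the deck or of Rogue Wave's tooling; the composer.lock excerpt, the acme/* package names and the banned-package policy are all constructed for illustration.

```python
"""Audit a composer.lock: pinned versions, license class, banned packages."""
import json
import re

# License buckets following the deck's split: copyleft (you must offer source and keep
# the original terms) versus permissive/attribution licenses. SPDX identifiers, as
# they appear in composer.lock "license" arrays. Assumed buckets, not a legal opinion.
COPYLEFT = {
    "GPL-2.0", "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0", "GPL-3.0-only",
    "GPL-3.0-or-later", "AGPL-3.0", "AGPL-3.0-only", "AGPL-3.0-or-later",
    "LGPL-2.1", "LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0", "LGPL-3.0-only",
    "LGPL-3.0-or-later", "MPL-2.0",
}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC", "PHP-3.01"}

# Constructed banned-package policy (hypothetical entries, not real advisories).
# "fixed_in" is the first acceptable version; None bans every version of the package.
BANNED_POLICY = {
    "acme/legacy-http": {"fixed_in": "1.4.3", "reason": "example advisory, fixed in 1.4.3"},
    "acme/abandoned-orm": {"fixed_in": None, "reason": "abandoned upstream, no maintainer"},
}

# Constructed composer.lock excerpt with only the fields the audit needs.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/legacy-http", "version": "v1.4.1", "license": ["MIT"]},
        {"name": "acme/pdf-render", "version": "2.0.0", "license": ["GPL-3.0-or-later"]},
        {"name": "acme/utils", "version": "0.9.0", "license": []},
        {"name": "acme/nightly", "version": "dev-master", "license": ["MIT"]},
        {"name": "acme/dual", "version": "3.1.0", "license": ["GPL-2.0-only", "MIT"]},
    ],
    "packages-dev": [
        {"name": "acme/abandoned-orm", "version": "5.2.0", "license": ["BSD-3-Clause"]},
        {"name": "acme/test-tools", "version": "1.0.0", "license": ["LGPL-3.0-only"]},
    ],
})


def parse_version(version):
    """Return a comparable (major, minor, patch) tuple, or None for branch aliases
    such as dev-master, which are not pinned releases and cannot be tracked."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        return None
    return tuple(int(x) if x is not None else 0 for x in m.groups())


def classify_license(licenses):
    """composer.lock lists alternative licenses as an array (dual licensing: you may
    pick one), so a permissive option wins; no entry at all is its own risk."""
    if not licenses:
        return "unknown"
    if any(lic in PERMISSIVE for lic in licenses):
        return "permissive"
    if any(lic in COPYLEFT for lic in licenses):
        return "copyleft"
    return "review"


def check_policy(name, version, policy):
    """Return a finding string if the package/version is banned, else None."""
    rule = policy.get(name)
    if rule is None:
        return None
    if rule["fixed_in"] is None:
        return f"banned: {rule['reason']}"
    parsed = parse_version(version)
    if parsed is None or parsed < parse_version(rule["fixed_in"]):
        return f"banned below {rule['fixed_in']}: {rule['reason']}"
    return None


def audit_lock(lock_text, policy=BANNED_POLICY):
    """Build the inventory: every package with its pinned version, license class and
    findings. Dev-only packages are not shipped, so a copyleft license there does not
    trigger the distribution (source offer) obligation."""
    lock = json.loads(lock_text)
    report = []
    for scope, key in (("prod", "packages"), ("dev", "packages-dev")):
        for pkg in lock.get(key, []):
            name, version = pkg["name"], pkg["version"]
            lic_class = classify_license(pkg.get("license", []))
            findings = []
            if parse_version(version) is None:
                findings.append("unpinned version, cannot track against advisories")
            if lic_class == "unknown":
                findings.append("no license declared, usage rights unclear")
            elif lic_class == "copyleft" and scope == "prod":
                findings.append("copyleft license in shipped code: source offer required")
            elif lic_class == "review":
                findings.append("unrecognised license, needs legal review")
            hit = check_policy(name, version, policy)
            if hit:
                findings.append(hit)
            report.append({"name": name, "version": version, "scope": scope,
                           "license": lic_class, "findings": findings})
    return report


def summarize(report):
    """Count findings by type so the policy owner sees the exposure at a glance."""
    counts = {"copyleft": 0, "unknown_license": 0, "banned": 0, "unpinned": 0}
    prefixes = (("copyleft", "copyleft"), ("no license", "unknown_license"),
                ("banned", "banned"), ("unpinned", "unpinned"))
    for entry in report:
        for finding in entry["findings"]:
            for prefix, bucket in prefixes:
                if finding.startswith(prefix):
                    counts[bucket] += 1
    return counts


if __name__ == "__main__":
    for e in audit_lock(SAMPLE_LOCK):
        print(f"{e['name']:<20} {e['version']:<10} {e['scope']:<4} {e['license']:<10} "
              + ("; ".join(e["findings"]) or "ok"))
    print(summarize(audit_lock(SAMPLE_LOCK)))
```

On a real project, feed it the contents of composer.lock and your own banned list; the findings are the starting list for the license audit and the vulnerability watch the slides call for.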
Support and maintenance risks
• Your app goes down due to an issue in an OSS component and you don't have anyone to call
• Slow or no community response
• Internal expertise is lacking
• Bug fixes
• Migration, upgrade, architecture, implementation best practices
• Upgrades to infrastructure break tests and libraries
Managing support and maintenance risks
• What can you do?
– Build a center of excellence (COE) around mission-critical apps and build support within the organization
– Purchase commercial support and/or consulting for mission-critical apps
– Develop strong ties to communities
– Training
• Commercial
– Rogue Wave, Red Hat
– Individual project support
– Professional services
– Leverage the community
Operational risks
• Delayed product release schedules due to remediation required to resolve license issues, and the associated costs
• Emergency changes due to legal threats
• Overhead required to maintain security and bug fixes over time
• Overall lack of visibility into security vulnerabilities
• Chronic integration headaches as platform requirements change and code reuse is not facilitated
• Difficulties in resolving customer support issues
• Cost of maintaining many unique technology stacks
Managing operational risks
• Develop an OSS strategy
– Develop an OSS policy
• Train development staff
– License and compliance
– OSS policy and risks
• Track and manage OSS
– Shadow repository
– Track and monitor security issues
• Manage support
– Internal support
– Commercial support
Be smart, take control of OSS
• Know your risks
– Legal, security, support
• Proactively manage your OSS and compliance
– Track, monitor, comply
• Benefits of OSS far outweigh risks
– Time to market, innovation, NO LICENSE FEE, readily accessible, robust community
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 

Identifying and managing the risks of open source software for PHP developers

  • 1. © 2016 Rogue Wave Software, Inc. All Rights Reserved.
    Identifying and Managing the Risks of Open Source Software for PHP Developers
    Dave McLoughlin, Rogue Wave

  • 2. Identifying and Managing the Risks of Open Source Software for PHP Developers
    Do you really need to worry about using open source software in developing commercial applications? In this session we'll talk about the key risk areas, how to identify and quantify the risk, and what steps, if any, are needed to deal with the risks.
    After this session, you'll have the information to better understand how to assess these risks. It will provide you with no-nonsense steps to take to manage your OSS so you can rest easy and not worry about whether these issues will affect you or your business.
    The session will include:
    • Key risk areas and how to identify them
    • Common use case scenarios
    • Understanding and developing risk remediation strategies for OSS use

  • 3. Legal disclaimer
    • Rogue Wave Software, Inc. is not engaged in the rendering of legal advice. This material provides legal information, which should not be confused with legal advice.
    • I am not an attorney

  • 4. Risks and challenges of open source software

  • 5. OSS statistics
    • According to Gartner, 99% of Fortune 2000 companies use OSS in the development of their products
    • Flexera developer study:
      – Only 37% of respondents had an open source acquisition or usage policy.
      – Sixty-three percent said either that their companies did not have an open source acquisition or usage policy, or they did not know if one existed.
      – Thirty-nine percent of respondents said that either no one within their company was responsible for open source compliance, or they did not know who was.
      – Thirty-three percent of respondents said their companies contributed to open source projects.
      – Of the 63 percent who said their companies did not have an open source acquisition or usage policy, 43 percent said they contributed to open source projects.
  • 6. Real costs of open source

  • 7. Risks
    • Myths: lack of understanding of the issues
    • Legal: potential lawsuits, copyright infringement
    • Security: vulnerable applications, loss of data, PR damage, customer impact
    • Support: exposure for mission-critical applications
    • Maintenance: cost of updates, slow development
    • Training: inefficient use of OSS, poor implementation
    • Operational: wasted time and resources
    • Others?

  • 8. Unique risks for PHP developers
    • Implementation
      – Usually web-based, so greater exposure to attackers
    • Licenses
      – The PHP license
    • Deployment infrastructure
      – The infrastructure components most used for PHP development may pose additional risk
    • Security
      – PHP has over 550 reported CVEs (24th all-time)

  • 9. OSS myths we still see today
    • "It's free, so I don't have any license obligations"
      – Copyright law protects authors; many have taken licensees to court
    • "It's free, so unlike commercial software I don't need to track it"
      – Many vulnerabilities in commercial software are in the OSS components it embeds
      – If there is a license violation, how do you remediate it if you don't know what you use?
    • "It's in the public domain, so I can use it any way I want"
      – Only some OSS is public domain
      – All other OSS is protected by copyright and governed by its license

  • 10. Legal risks
    • Violation action or lawsuit
    • License violation leading to license termination
    • Copyright infringement
    • Legal fees, damages
    • Injunction
    • Remediation costs to replace code in violation

  • 11. Sample OSS litigation
    • USA
      – Linksys/Cisco (2003)
      – Wallace v. FSF (2005) & Wallace v. IBM et al (2006)
      – FSF v. Monsoon (2007)
      – FSF v. Cisco (2009)
      – BusyBox v. Best Buy + 13 other companies (2009-2012)
      – XimpleWare v. Versata & Ameriprise Financial (2013)
      – Oracle v. Google (2015)
    • GERMANY
      – Welte v. Sitecom (2004)
      – Welte v. Fortinet UK Ltd. (2005)
      – Welte v. D-Link (2006)
      – Welte v. Skype (2008)
      – Welte in the AVM v. Cybits case (2011)
      – Welte v. Fantec (2013)
    • FRANCE
      – AFPA v. Edu4 (2001)
      – Free/Iliad (2007)

  • 12. Non-court actions
    • A developer reached out to a large mobile phone manufacturer about OSS use in a phone
      – The reaction was swift
      – The company now audits all software it develops or acquires
    • FSF, FSFE and gpl-violations.org send notices of compliance issues
      – The FSF website has a link to report license violations
      – They routinely send notices of violation and warnings

  • 13. Oversimplified OSS license primer
    • Two basic types of licenses: copyleft and permissive
      – Copyleft by far poses the greatest risk
      – Most lawsuits and violation actions to date have concerned copyleft licenses
      – The FSF, FSFE and Software Freedom Conservancy proactively enforce the GNU licenses (which are copyleft)
    • You must determine the license of the OSS you use before you use it, but that is not easy
      – Not all projects have licenses
      – Licenses can change over time
      – Developers will incorrectly name the license they use, e.g. a project says it is under a "BSD-like" license but is actually under MIT
      – Just because a project is under one license doesn't mean there isn't embedded OSS under a different license

  • 14. Types of licenses
    • Copyleft: two main attributes of these licenses
      – You must provide source code to the people to whom you distribute your application
      – The work must be licensed under the original license (i.e. you can't change the terms once you use it in your application)
    • Permissive: sometimes called attribution licenses
      – You should give credit for use
      – Retain or add copyright notices
      – Distribute a copy of the license
      – Document modifications

  • 15. Managing legal risks
    • What can you do?
      – Learn about OSS licenses (there are tons of great resources)
      – Record license information on the packages you use
      – Consult your management and legal staff
      – Develop a compliance program
      – Perform regular license audits of your code
      – Keep source versions of all OSS you use (copyleft licenses require it)
    • Tools
      – Commercial: FOSSA, FossID, Flexera, Black Duck
      – OSS: GitHub, FOSSology, nexB
      – Internet: tldrlegal.com, Wikipedia

  • 16. The PHP License
    • PHP codebase
      – PHP 4, PHP 5 and PHP 7 are distributed under the PHP License v3.01, copyright (c) the PHP Group.
      – This is an Open Source license, certified by the Open Source Initiative.
      – The PHP license is a BSD-style license which does not have the "copyleft" restrictions associated with the GPL.
      – Some files have been contributed under other (compatible) licenses and carry additional requirements and copyright information. This is indicated in the license and copyright comment block at the top of the source file.
      – Practical guidelines: Distributing PHP; Contributing to PHP
    • PHP documentation
      – The PHP manual text and comments are covered by the Creative Commons Attribution 3.0 License, copyright (c) the PHP Documentation Group
  • 17. (no text on slide)

  • 18. FOSSology

  • 19. tldrlegal.com

  • 20. nexB ScanCode toolkit (scancode-toolkit)

  • 21. Security risks
    • Unmonitored vulnerabilities and zero-days
    • Loss of data
    • PR issues, loss of credibility
    • Exposure of confidential customer information

  • 22. Managing security risks
    • What can you do?
      – Track your OSS by version
      – Create policies on OSS usage based on known vulnerabilities; keep lists of banned OSS
      – Monitor the NVD and project homepages
      – Have a plan; don't wait until a vulnerability affects you to figure out how to upgrade
      – Purchase support and maintenance for mission-critical components
    • Tools
      – Commercial: Rogue Wave, Red Hat
      – Open source: OpenVAS
      – Internet: the NVD and CVE Details sites, VersionEye

  • 23. (no text on slide)
  • 24. Support and maintenance risks
    • Your app goes down due to an issue in an OSS component and you don't have anyone to call
    • Slow or no community response
    • Internal expertise is lacking
    • Bug fixes
    • Migration, upgrade, architecture and implementation best practices
    • Upgrades to infrastructure break tests and libraries

  • 25. Managing support and maintenance risks
    • What can you do?
      – Build a center of excellence (COE) around mission-critical apps and build support within the organization
      – Purchase commercial support and/or consulting for mission-critical apps
      – Develop strong ties to the communities
      – Training
    • Commercial: Rogue Wave, Red Hat
    • Individual project support
    • Professional services
    • Leverage the community

  • 26. Operational risks
    • Delayed product release schedules due to the remediation required to resolve license issues, and the associated costs
    • Emergency changes due to legal threats
    • Overhead required to maintain security and bug fixes over time
    • Overall lack of visibility into security vulnerabilities
    • Chronic integration headaches as platform requirements change and code reuse is not facilitated
    • Difficulties in resolving customer support issues
    • Cost of maintaining many unique technology stacks

  • 27. Managing operational risks
    • Develop an OSS strategy
      – Develop an OSS policy
    • Train development staff
      – License and compliance
      – OSS policy and risks
    • Track and manage OSS
      – Shadow repository
      – Track and monitor security issues
    • Manage support
      – Internal support
      – Commercial support
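The advice on slides 15, 22 and 27 (record license information per package, track OSS by version, keep a banned list, check against known vulnerabilities) comes down to one recurring job: build an inventory from your dependency manifest and evaluate it against a written policy. The script below is an added example, not code from the slides or from Rogue Wave. It reads a Composer lock file (the format PHP projects already produce), and everything in it is constructed: the `acme/*` package names are hypothetical, the advisory id `EXAMPLE-2016-0001` is a placeholder, and the policy lists are illustrative rather than a real feed. A version such as `dev-master` cannot be compared against an advisory range, so the check reports it as a finding instead of silently passing it, which is the failure mode an inventory script most often gets wrong.

```python
"""Inventory a Composer lock file and check it against an OSS policy.

Added example, not from the slides or from Rogue Wave. Package names,
the advisory id and the policy lists are constructed for illustration.
"""
import json
import re
from typing import Optional

# Constructed composer.lock excerpt; every "acme/*" package is hypothetical.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "acme/markdown", "version": "v1.2.0", "license": ["MIT"]},
        {"name": "acme/pdf-tools", "version": "2.0.3", "license": ["GPL-3.0-only"]},
        {"name": "acme/legacy-auth", "version": "dev-master", "license": []},
        {"name": "acme/http", "version": "v3.1.0", "license": ["BSD-3-Clause"]},
    ]
})

# Constructed policy. In practice the advisory list comes from the NVD, a
# vendor feed or `composer audit`; the id below is a placeholder, not a real CVE.
POLICY = {
    "banned": {"acme/legacy-auth"},
    "advisories": [
        {"id": "EXAMPLE-2016-0001", "package": "acme/http", "affected": ">=3.0.0,<3.2.0"},
    ],
    # Partial, illustrative list of SPDX ids the slides would class as copyleft.
    "copyleft": {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                 "GPL-3.0-or-later", "AGPL-3.0-only", "LGPL-2.1-only", "LGPL-3.0-only"},
}

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text: str) -> Optional[tuple]:
    """'v1.2.3' -> (1, 2, 3). Returns None for anything that is not a plain
    release tag (dev-master, 1.0.0-beta1, ...), which is treated conservatively
    as 'cannot be matched against advisories' rather than as safe."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _pad(a: tuple, b: tuple):
    """Right-pad with zeros so (3, 1) compares as (3, 1, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_matches(version: tuple, constraint: str) -> bool:
    """True if version satisfies every comma-separated clause, e.g. '>=3.0.0,<3.2.0'."""
    for clause in constraint.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*v?(\d+(?:\.\d+)*)\s*", clause)
        if not m:
            raise ValueError(f"bad constraint clause: {clause!r}")
        a, b = _pad(version, parse_version(m.group(2)))
        if not _OPS[m.group(1)](a, b):
            return False
    return True


def inventory(lock_text: str) -> list:
    """Name, version and declared licenses of every locked package."""
    lock = json.loads(lock_text)
    return [
        {"name": p["name"], "version": p["version"], "licenses": p.get("license", [])}
        for p in lock.get("packages", []) + lock.get("packages-dev", [])
    ]


def evaluate(packages: list, policy: dict) -> list:
    """One (package, rule, detail) finding per policy violation."""
    findings = []
    for pkg in packages:
        name, ver = pkg["name"], parse_version(pkg["version"])
        if name in policy["banned"]:
            findings.append((name, "banned", "on the banned OSS list"))
        if ver is None:
            findings.append((name, "unpinned",
                             f"non-release version {pkg['version']!r}; cannot be matched against advisories"))
        else:
            for adv in policy["advisories"]:
                if adv["package"] == name and version_matches(ver, adv["affected"]):
                    findings.append((name, "vulnerable", f"{adv['id']} affects {adv['affected']}"))
        if not pkg["licenses"]:
            findings.append((name, "no-license", "no license declared; determine it before use"))
        for lic in pkg["licenses"]:
            if lic in policy["copyleft"]:
                findings.append((name, "copyleft", f"{lic}: review distribution obligations before shipping"))
    return findings


if __name__ == "__main__":
    for name, rule, detail in evaluate(inventory(SAMPLE_LOCK), POLICY):
        print(f"{rule:<11} {name:<18} {detail}")
```

Run against a real project by replacing `SAMPLE_LOCK` with the contents of `composer.lock` and the policy with your own lists; a non-empty result is what should fail the build. Composer itself provides two of the inputs: `composer licenses` prints the declared license of each installed package, and `composer audit` (Composer 2.4 and later) queries the advisory database for the locked versions, so the advisory list need not be hand-maintained.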
  • 28. Be smart, take control of OSS
    • Know your risks
      – Legal, security, support
    • Proactively manage your OSS and compliance
      – Track, monitor, comply
    • The benefits of OSS far outweigh the risks
      – Time to market, innovation, NO LICENSE FEE, readily accessible, robust community

  • 29. (no text on slide)