Amy Chun, Partner at Knobbe Martens and Marty Mellican, VP & Associate General Counsel at Flexera discuss the role of in-house counsel to better manage any potential legal risks that might be inherent with OSS use.
3. Agenda
• Why Open Source is Important
• Guidelines for Managing Open Source
o Review Audit Results
o Implement Open Source Policies
o Review Agreements
• Q&A
4. WHAT IS OPEN SOURCE SOFTWARE?
Human-readable software designed for inspection, reuse, improvement and distribution by the public—pursuant to a broad copyright license that does not require the payment of any fees to the copyright holder.
Common Open Source Software: Linux (OS), Firefox (web browser), Struts 2 (web app framework)
5. OPEN SOURCE SOFTWARE IS EVERYWHERE
Automobile, Healthcare, IoT, Education, SaaS, Media, Consumer Goods, Telco
6. OPEN SOURCE SOFTWARE USE IS EXPLODING
• More than 95% of IT organizations leverage Open Source software assets (Source: Gartner)
• More than 50% of all code written today is Open Source (Source: Flexera OSS Fact or Fiction report 2017)
• More than 25MM repositories of Open Source code exist today (Source: GitHub)
7. SIGNIFICANT ADVANTAGES
1. Technology agility and flexibility
2. Large amount of code covering different areas
3. Code is reviewed by many in the OSS community
4. Community provides ongoing improvements and patches
5. Organizations can attract higher caliber professional technologists
6. Cost effectiveness – Often free to use (but not necessarily free of obligations)
8. UNMANAGED OPEN SOURCE CREATES RISK
• License Compliance
• Security Issues
• Loss of Company IP
• Reputational Harm
• OSS Community Pushback
10. #1 REVIEW AUDIT RESULTS: THE DATA SAYS…
• ONLY 2% OF ISSUES ARE KNOWN PRIOR TO AUDIT START
• 1 ISSUE IDENTIFIED FOR EVERY 33,000 LINES OF CODE (TOTAL OF 1,605,496,111 LINES OF CODE SCANNED)
• 367 AVERAGE NUMBER OF ISSUES IDENTIFIED PER AUDIT PROJECT
• 39% OF COMPANIES HAVE NO ONE RESPONSIBLE FOR OPEN SOURCE SOFTWARE COMPLIANCE
11. #1 REVIEW AUDIT RESULTS
• Conduct an audit
o Use a scanning tool such as FlexNet Code Insight
• Review flagged issues
• Assign priority
P1: High severity issues such as strong Copyleft compliance issues involving the AGPL and GPL, or other important vulnerabilities.
P2: Secondary priority issues related to commercial and vanity licenses.
P3: Low risk hygiene issues related to permissive licenses such as those under BSD, Apache, and MIT.
P4: Dual/tri licensed components with a viral and permissive license option. For example: jQuery under GPL or MIT.
12. #1 REVIEW AUDIT RESULTS
Types of Licenses
PERMISSIVE: A free software license with few restrictions on how the OSS can be redistributed. Examples: BSD, MIT, Apache
COPYLEFT: Often triggered by “distribution” and extends to derivative works. Examples: GPL, LGPL, MPL, CPL
NETWORK: Copyleft triggered by hosted uses of OSS. Examples: AGPL
13. #1 REVIEW AUDIT RESULTS
Remediation Plan/Checklist
o Do the restrictions apply?
o How important is the OSS feature set?
o What other licenses are available?
o What other code is available?
o Could the development team write replacement code?
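As an added example (not from the slides, the speakers, or Flexera's tooling), here is a small Python triage routine that applies the slides' P1–P4 levels, license families and trigger definitions to an audit inventory and produces the code base listing the policy slide asks for. The SPDX-style license ids, the deployment field, the placeholder advisory id and the treatment of weak copyleft as P2 are assumptions.

```python
from dataclasses import dataclass, field

# License families from the "Types of Licenses" slide; the SPDX-style ids are an assumption
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only", "LGPL-2.1-only", "MPL-2.0", "CPL-1.0"}
NETWORK = {"AGPL-3.0-only"}
STRONG = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}  # slide: P1 names GPL and AGPL

@dataclass
class Component:
    name: str
    licenses: list                   # several entries = dual/tri licensed, pick one
    deployment: str = "distributed"  # "distributed", "hosted" (SaaS) or "internal"
    known_vulns: list = field(default_factory=list)  # advisory ids from the scanner

def family(lic):
    for fam, ids in (("network", NETWORK), ("copyleft", COPYLEFT), ("permissive", PERMISSIVE)):
        if lic in ids: return fam
    return "other"  # commercial, vanity or unrecognised text: legal has to read it

def triggered(lic, deployment):
    # "Do the restrictions apply?" using the slide's one-line trigger definitions
    return {"network": deployment in ("hosted", "distributed"),
            "copyleft": deployment == "distributed"}.get(family(lic), True)

def priority(c):
    """Return (level, reason) following the P1-P4 definitions on the slide."""
    if c.known_vulns:
        return "P1", "known vulnerabilities: " + ", ".join(c.known_vulns)
    fams = {family(l) for l in c.licenses}
    if len(c.licenses) > 1 and "permissive" in fams and fams & {"copyleft", "network"}:
        return "P4", "dual licensed: select the permissive option and record it"
    live = [l for l in c.licenses if triggered(l, c.deployment)]
    if not live:
        return "P3", f"copyleft not triggered by {c.deployment} use; track as hygiene"
    if any(l in STRONG for l in live):
        return "P1", "strong copyleft (GPL/AGPL) obligations triggered"
    if "other" in fams:
        return "P2", "commercial/vanity license: see legal"
    if fams & {"copyleft", "network"}:
        return "P2", "weak copyleft: confirm derivative-work scope"  # assumed; undefined on slide
    return "P3", "permissive: confirm notice/attribution requirements"

def triage(components):
    """The code base listing the policy slide asks for, highest priority first."""
    return sorted([(c.name, *priority(c)) for c in components], key=lambda r: r[1])

SAMPLE = [  # constructed inventory, not real audit data; the advisory id is a placeholder
    Component("jquery", ["GPL-2.0-only", "MIT"]),
    Component("struts2", ["Apache-2.0"], known_vulns=["ADVISORY-ID-PLACEHOLDER"]),
    Component("kernel-helper", ["GPL-2.0-only"], deployment="internal"),
    Component("report-engine", ["AGPL-3.0-only"], deployment="hosted"),
    Component("vendor-sdk", ["Vendor-EULA"]),
    Component("leftpad", ["MIT"]),
]
```

Running `triage(SAMPLE)` lists the vulnerable Struts component and the hosted AGPL component as P1 ahead of everything else, while the internal-only GPL helper drops to P3 because no distribution has occurred.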
14. #2 IMPLEMENT OSS POLICIES
Guidelines for OSS Use
• Green light licenses that are ok to use
• If not green light, see legal
• Be sure to add to the code base listing
Management of License Notices
• Track licenses
• Track notice requirements
Ongoing Training
• Onboarding for new employees and managers
• Periodic training for policy and OSS use updates
15. #2 IMPLEMENT OSS POLICIES
Contribute to Community
• Voluntary payment of license fee
• Contribute code
• Sponsor a hackathon
• Contribute developer time
Potential Release of Company OSS
• Consider releasing existing company code
• Devote resources to start new OSS projects
16. #3 AGREEMENTS: OUTBOUND
• Consider liability carve outs/caps: Rep and warranty carve out and no indemnification for OSS
• Disclosure & marking requirements: Included with any OSS and available on website
• Provide OSS code listing: When requested, make OSS code list available
17. #3 AGREEMENTS: INBOUND
• Restrictions on use of open source
• Make available a complete list of all open source use
• Provide a list of all updates on an ongoing basis
18. KEY TAKEAWAYS
• Open Source is everywhere and offers significant advantages
• Regular training and agreement reviews are critical
• Track OSS usage and manage license compliance/security risk as an ongoing process
• Create an environment that supports the OSS community
• Implementing policies for OSS management mitigates risk and provides structure
Stacey: Will read bios of Amy and Marty and then transition to Amy
Amy:
Thanks Stacey
During this session, we’ll do a quick level-set on why open source is important
We’ll then walk through some guidelines for managing open source
Covering off on reviewing audit results, implementing policies, and reviewing agreements
We’ll then have time for Q&A
Marty, do you want to start us off by making sure we’re all on the same page as to what we mean when we say “open source”?
Marty: OSS is software that is made available in human readable form (as opposed to the 1s and 0s that computers read; that’s often called compiled code or object code). It is also free in the sense that you don’t need to pay the developer of the code any money for the right to use the software. Instead, you are contractually obligated to comply with a copyright license that accompanies the software. Depending on the license selected by the developer, you have certain obligations that you must comply with when you use the code. There are lots of examples of open source in the market today. Some are even related to pretty large commercial operations. My guess is most have heard of the three we have listed here: Linux, Firefox and Struts 2. Although you may know Struts for a different reason than why you know the first two. But we’ll talk about that later. Transition to Amy: First, Amy, given your work with tech companies, what are you seeing in terms of open source use?
Amy: Given the cost benefit and timing efficiencies of using Open Source, we are seeing that open source is used in almost every piece of computerized technology today. Open Source is being used well beyond standard software companies, and is being integrated across a wide array of industries. Open source is becoming the default, not an anomaly, when it comes to building products, whether med devices, media apps, or smart home devices.
Amy:
Here is some information on how prevalent Open Source is today.
Over 95% of IT organizations leverage open-source software applications
More than 50% of code written is Open Source
And there are more than 25 million public repositories of Open Source
It really is everywhere.
Marty, you’ve seen this first hand at Flexera. Can you talk about why companies are so drawn to using Open Source?
Marty: Not only does Flexera help manage OSS, but Flexera also uses OSS and is able to enjoy many of its key advantages.
[insert discussion of advantages]
While open source does come with many advantages, it also comes with risk. Amy, can you walk us through some of that risk.
Amy
Yes, we’ve seen several examples of how unmanaged open source can create risk for the company.
While open source may be freely available, each set of open source code almost always comes with specific license terms. These can range from 1 or 2 general terms or include pages and pages of requirements. In many situations, these requirements are straightforward and can be easy to comply with. However, we often see that no one at the company knows that there are licenses, what the licenses are or what requirements they should be following.
The biggest risk we’re seeing more recently is the potential security risk that comes with using open source. Much like any other software, there can often be flaws or security issues with open source. These issues are made available to the public once known, but if no one in the company even knows what Open Source is being used, then no one knows that they need to go and install a security patch. There have been some pretty well-publicized security issues with certain popular open source, but we still find a lot of companies continuing to use open source with the known security issue.
A company can also lose its own IP due to unmanaged open source. For example, we’ve seen instances where teams have released code meant to only be used for the company as open source. There have also been instances where a company was using proprietary code with open source where the open source owner was arguing that the proprietary code had now become open source. Some companies have decided to just release the proprietary code as open source rather than fight the open source community.
Which leads us to the next issue in that poor management of open source can also hurt the reputation of the company. Owners of open source are often offering their open source to the public expecting that users of the code will honor the terms of the licenses. When an owner finds out that a company is blatantly disregarding the terms of the license, they often make their concerns known to the community.
Once the Open Source community sees a company as a “bad guy” then there is often significant pressure for the company to comply with the licenses. Sometimes organizations will step in to fund or assist with litigation. We find that the main goal isn’t for them to receive some type of monetary compensation, they just want the company to comply with their license terms.
Marty:
[potentially talk about importance of managing whether you just bought a company after an M&A deal v. start-up v. existing company that is playing catch up]
Marty: One of the first things in-house lawyers need to understand is how likely it is that open source is being underreported at the company. Flexera recently released a report on what we have found during the audits that we do. We have found that folks really don’t have a great grasp on what they’re using. In fact, only 2% of the issues we discovered were known to our clients when we started. Or, put another way, 98% of the issues we found were a surprise to the company. That is a very voluminous level of unknown issues.
To be clear, though, if the unknown issues are benign, then it’s not a big deal, right? And that’s true. Unfortunately, we found an issue for every 33k lines of code or so. And when you’re talking over 1.6 billion lines of code, you’re looking at almost 50k issues.
We also found that only 37% of the companies we audit have a formal policy in place. And fully 39% have no one at all responsible for OS compliance. Think about that: more people have no one looking after OS than those that have a full policy in place.
Marty
[Importance of audit]
[What audit provides]
[priority levels]
Amy
While there are hundreds of different open source licenses, there are a few key types that come up from a risk perspective.
The one you hear about the most is “Copyleft” where they are allowing a company to use their open source, but if the company combines the open source with any of the company’s code, then the company’s code also becomes open source. Further, if the company then distributes that combined code, all of the corresponding source code should be made available. There are lots of legal debates as to whether those provisions could ever be fully upheld if litigated, but we still see this being a key concern to companies.
Another category of licenses are “permissive” licenses which have a few restrictions like certain notice requirements (you will give “Credit where credit is due”) or common sense prohibitions such as not saying that the open source owner is endorsing your product. They don’t place any key restrictions on the company, but still put some obligations on the company using the open source.
There are lots of other provisions that can be found. For example, some licenses prevent certain fields of use (for example, “No Commercial Use” or “No Military Use”).
Finally, the “source code disclosure” requirement of the original copyleft licenses was only triggered upon distribution. At the time, the thought was that source code disclosure was not needed if a company was just using the open source internally. However, that didn’t take into account server services. So, there is another copyleft license that includes a “source code disclosure” requirement even if the code is not disclosed but is used by third parties, such as in a SaaS environment, if certain conditions are met.
So, what this means, is that there are lots of areas of potential risk, risk that can range from severe to potentially unimportant to the company. The key is making sure the company knows what is going on and deciding what risk it is willing to take on and what risk it wants to manage.
Marty, can you kick off the discussion on what steps you can take to start managing your open source?
Amy
[remediation options]
Marty
Marty
Amy
Marty
Amy or Marty
- Will Open Source be around for the next 21 years? That's an open question.
- I wouldn't bet against it and its ability to innovate and deliver value in new channels and with greater impact in growth industries.
- In its maturity, open source is helping to provide companies across the globe with competitive advantage. Many companies are unable to be successful without it while other companies – as we discussed – are taking full advantage of the benefits it provides. Companies you wouldn't normally think of as SW companies are releasing their own open source software to the rest of the world.
- The cycle of maturity seems to not have an end in sight. With the explosion of devices in use – the IoT and wearable technology for example – open source continues to get better, and with that, more users are added at a highly expedited rate, which also pushes it to improve.
- As Open Source is maturing and 2018 seems to have brought out both the good and the bad, we expect its use to continue to accelerate and to continue to mature. The future is here? Yes. But there's definitely more to come.