Is your organization using open source software? More than likely it is, whether management knows it or not. Left unregulated, open source software can lead to compliance, license or quality issues. A new crop of software tools is now addressing such governance and intellectual property concerns around open source.
"More companies are realizing the value of open source software," said Mahshad Koohgoli, CEO of start-up Protecode Inc., based in Ottawa. "Even the large companies that had been shying away because of the gray areas around quality and license obligations have started adopting open source over the last three years. I don't think there's any organization that doesn't use open source."
One driver is the way software development has evolved, said Peter Vescuso, executive vice president of marketing and business development at Black Duck Software, based in Waltham, Mass. "The way software is developed today has changed—it's more a process of collecting, integrating and testing components. A lot of that means bringing in external open source components that need to be assessed, integrated and tested."
Both Black Duck and Ottawa-based Protecode are offering ways to manage and assess the use of open source software (OSS) within an organization's portfolio.
"For development organizations the use of open source software has been uncontrolled and unregulated," Vescuso said. "They've been grabbing snippets for years. Management needs to get that under control for legal reasons and for control/standardization reasons."
According to a report from Forrester Research, "… IT executives demonstrably underreport active use of OSS in their shops … they may not even know that an application using OSS technologies or programming languages is in production until a serious support issue or intellectual property risk crops up." ("Open Source Software Goes Mainstream," April 2009). Forrester found that 33% of open source adopters do not have any kind of policy for the use of open source software.
The Black Duck Suite targets the management, compliance and security issues associated with open source, and comprises the Black Duck Code Center, Export and Protex products and the Black Duck KnowledgeBase. Code Center lets development organizations search for and select open source and third-party code, expedite the approval process and track components throughout their lifecycle. Protex manages intellectual property (IP) rights and licensing of open source, third-party and proprietary code, and Export automates the identification and resolution of encryption-related export-compliance issues.
Vescuso said Black Duck helps organizations assess the quality of open source software from metadata such as how many developers are behind the project, how many releases they have had and how often, as well as known security vulnerabilities and licensing information. He said Black Duck is not a code scanner or security analysis tool, but rather is designed to be an add-on to existing toolkits like Microsoft Visual Studio, CollabNet and ClearCase.
Protecode's automated IP management suite consists of the Enterprise IP Analyzer, which identifies all IP attributes and potential violations of code in a directory; the Developer IP Assistant, which notifies developers as they are working if there is any violation of IP policy; the Library IP Auditor; the Build IP Analyzer; and an SDK.
"Open source software is a good driver of the awareness about the importance of knowing what's in your portfolio," Koohgoli said, "and for creating awareness of contamination and third-party content. We've been creating code signatures of anything out there in the public domain for the last three years; we have a billion lines of code in our database, and that's one way you can detect open source content."
Products competing with Protecode and Black Duck in this small market include San Francisco-based Palamida Inc., which uses component-level analysis to quickly identify and track undocumented code and its associated security vulnerabilities as well as IP and compliance issues, and the FOSSology Project, a Free Open Source Software (FOSS) project that provides license analysis, metadata extraction and MIME type identification [http://www.fossology.org/]. The FOSSology Project originated at Hewlett Packard's Open Source and Linux Organization.
When adopting an automated solution for managing open source and IP content in software, Koohgoli recommended that organizations first define what is and is not acceptable and set policy; then establish a baseline of what is already in the portfolio; and finally manage licensing and compliance obligations in real time as developers work with the code.
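As an added worked example (not code from Protecode, Black Duck or the original article), the following Python script puts those three steps together with the code-signature detection Koohgoli describes: a license policy is written down first, a signature index is built from a constructed corpus of "known" open source components, a baseline scan runs over a constructed portfolio, and the same check is then applied to a developer's pending change. The fingerprint scheme (SHA-1 over sliding windows of six whitespace- and comment-stripped tokens), the thresholds, and every component name, license and source snippet are assumptions made for illustration; the commercial products do not publish how their signatures are computed.

```python
"""Added example: code-signature detection of open source snippets plus a license policy gate.
Not Protecode's or Black Duck's code; the fingerprint scheme, thresholds and corpus are assumed."""
import hashlib
import re
from collections import Counter, defaultdict

K = 6          # tokens per fingerprint window (assumed)
MIN_HITS = 8   # matching windows needed before a component is reported (assumed)

# Step 1: the policy is written down before any scanning starts (SPDX-style license ids).
POLICY = {"allow": {"MIT", "Apache-2.0", "BSD-3-Clause"}, "deny": {"GPL-3.0", "AGPL-3.0"}}

# Constructed stand-in for a "known open source" corpus: name -> (license, source text).
KNOWN_COMPONENTS = {
    "tinyjson": ("MIT", '''
def to_json(value):
    if isinstance(value, dict):
        items = ", ".join('"%s": %s' % (k, to_json(v)) for k, v in value.items())
        return "{" + items + "}"
    if isinstance(value, list):
        return "[" + ", ".join(to_json(v) for v in value) + "]"
    if isinstance(value, str):
        return '"' + value + '"'
    return str(value)
'''),
    "rollhash": ("GPL-3.0", '''
def rolling_hash(data, base=257, mod=1000000007):
    h = 0
    for byte in data:
        h = (h * base + byte) % mod
    return h

def window_hashes(data, width):
    return [rolling_hash(data[i:i + width]) for i in range(len(data) - width + 1)]
'''),
    "lrucache": ("LGPL-2.1", '''
class LRUCache:
    def __init__(self, capacity):
        self.capacity = capacity
        self.store = {}
    def get(self, key):
        if key not in self.store:
            return None
        self.store[key] = self.store.pop(key)
        return self.store[key]
    def put(self, key, value):
        self.store.pop(key, None)
        if len(self.store) >= self.capacity:
            self.store.pop(next(iter(self.store)))
        self.store[key] = value
'''),
}

def tokenize(src):
    """Drop comments and whitespace so reformatting a pasted snippet does not hide it."""
    src = re.sub(r"#[^\n]*", "", src)
    return re.findall(r"[A-Za-z_]\w*|\d+|\S", src)

def fingerprints(src, k=K):
    """One short hash per window of k consecutive tokens (the 'code signature')."""
    toks = tokenize(src)
    return [hashlib.sha1(" ".join(toks[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(toks) - k + 1)]

def build_signature_db(components):
    """Index: fingerprint -> set of component names that contain that window."""
    db = defaultdict(set)
    for name, (_license, src) in components.items():
        for fp in fingerprints(src):
            db[fp].add(name)
    return db

SIGNATURE_DB = build_signature_db(KNOWN_COMPONENTS)

def detect_components(src, db, min_hits=MIN_HITS):
    """Count distinct matching windows per component; report those above the threshold."""
    hits = Counter()
    for fp in set(fingerprints(src)):
        for name in db.get(fp, ()):
            hits[name] += 1
    return {name: n for name, n in hits.items() if n >= min_hits}

def policy_verdict(license_id, policy=POLICY):
    if license_id in policy["deny"]:
        return "blocked"
    if license_id in policy["allow"]:
        return "approved"
    return "needs-review"   # anything unclassified goes to a human, never silently through

def audit(src, db=SIGNATURE_DB, components=KNOWN_COMPONENTS, policy=POLICY):
    """{component: (license, verdict)} for every known component detected in src."""
    return {name: (components[name][0], policy_verdict(components[name][0], policy))
            for name in detect_components(src, db)}

def baseline(portfolio, db=SIGNATURE_DB):
    """Step 2: scan what is already there, file by file."""
    return {path: audit(src, db) for path, src in portfolio.items()}

# Constructed portfolio: one verbatim paste, one paste with comments changed, one clean file.
PORTFOLIO = {
    "app/serialize.py": "# local helper\n" + KNOWN_COMPONENTS["tinyjson"][1],
    "app/dedupe.py": '''
# Copied from a blog post, author unknown.
def rolling_hash(data, base=257, mod=1000000007):
    h = 0  # accumulator
    for byte in data:
        h = (h * base + byte) % mod
    return h
def fingerprint_blocks(blocks):
    return {rolling_hash(b) for b in blocks}
''',
    "app/config.py": "SETTINGS = {'debug': False, 'retries': 3}\n",
}
# Step 3: a developer's pending change (constructed: the LRU cache pasted with the class renamed).
PENDING_CHANGE = KNOWN_COMPONENTS["lrucache"][1].replace("LRUCache", "SessionCache")

if __name__ == "__main__":
    for path, findings in baseline(PORTFOLIO).items():
        print(path, findings or "clean")
    print("pending change:", audit(PENDING_CHANGE))
```

Stripping comments and whitespace before hashing means a re-indented or re-commented paste still matches, and renaming one identifier only loses the few windows that contain it, so the renamed cache class is still reported and routed to review because LGPL-2.1 is on neither list. A snippet rewritten token by token will not match at all, which is why a baseline scan of this kind establishes a starting point rather than proof of a clean portfolio.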
"Through education, companies are adopting policies and processes to have a controlled and managed way to bring in open source software to the environment, to benefit from what open source has to offer and also manage the downsides that could harm the company," Koohgoli said. "Once they have a way of knowing what they have and a way of taking action, they have peace of mind."
To really use open source components at scale and increase innovation through wider use of OSS, Vescuso said, a management platform is needed. "You can automate the approval and discovery process, which will help you increase use of open source software so you can write less code, and you can increase velocity."
There is another benefit, Koohgoli added: "One important aspect of the managed adoption of open source software is, to as much as possible, take away the burden of decision making—if this is OK to use—from developers or managers. They want to concentrate on creativity; they don't want to have to manage if something is acceptable."