The proliferation of Free and Open Source Software (FOSS) components in public online code repositories presents companies with opportunities as well as challenges. For many software-developing organizations FOSS can be a powerful asset for accelerating the development process and decreasing licensing costs. However, re-using FOSS components and code snippets in commercial software products may bring about business, legal, reputational and security risks. Mitigating these risks requires proactive and deliberate Open Source Management.

Open Source Management involves standardizing the use of open source software across development teams. Open source policies and processes are established to make open source re-use as effortless as possible for developers. A FOSS policy raises awareness of the risks of neglecting the topic and outlines specific rules and steps to be taken when dealing with open source software, with defined roles and responsibilities. This helps companies avoid and mitigate serious legal and IP-related consequences while giving developers clear guidance on how software containing open source components should be distributed and how to deal with software suppliers.

Establishing organizational processes and policies around FOSS ensures that future software products can be commercialized safely. However, to identify and fix any existing issues in the code base, the creation of an up-to-date inventory of deployed FOSS components is necessary. A FOSS inventory can be created with the following steps:

Scan the code base

  • The entire code base of the product, including all upstream source code artifacts, must be scanned with an appropriate tool.
  • The scan results must be analyzed to create the inventory of deployed FOSS components.

Analyse and identify issues

  • Based on the inventory, license and security issues are identified.
  • A report listing mitigation actions for all the issues found sets out the steps needed to obtain a compliant product.

Fulfil all license obligations

  • Open source licenses contain specific obligations (e.g. distributing the license text, the copyleft effect) which must be fulfilled.
  • A technical analysis provides a clear view of how these obligations must be handled.

Create the license documentation

  • The license documentation must include all license texts and copyright statements extracted from the open source components, at file level.
  • This documentation must be distributed along with the commercial product.

An up-to-date inventory of deployed FOSS components is also crucial for managing open source security vulnerabilities. Many companies have been affected by serious security vulnerabilities in FOSS components. Possibly the best-known example is the Heartbleed vulnerability, a critical defect in some versions of OpenSSL that endangered protected information for everyone using the affected versions of the software. Organizations with up-to-date inventories of FOSS components knew exactly which versions of OpenSSL were used across their product range, enabling them to act rapidly and upgrade OpenSSL to protect their customers and reputation.
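As an added illustration of the four inventory steps above and of the Heartbleed point (example code written for this article, not BearingPoint's tooling): the scanned file headers, component names, versions, licenses and the advisory version range are all constructed, and in practice the inventory would come from a scanning tool rather than being assembled by hand.

```python
import re
from dataclasses import dataclass, field
# Constructed scan output (hypothetical paths and headers, not a real project).
SCAN = {
    "third_party/tlsdemo/ssl.c": "/* SPDX-License-Identifier: Apache-2.0\n * Copyright (c) 2012 TLSDemo Authors */",
    "third_party/tlsdemo/bio.c": "/* Copyright (c) 2013 TLSDemo Authors */",
    "third_party/listlib/list.c": "/* SPDX-License-Identifier: GPL-2.0-only\n * Copyright (C) 2009 Jane Doe */",
}
COPYLEFT_PREFIXES = ("GPL-", "LGPL-", "AGPL-")  # SPDX families with a copyleft effect
COPYRIGHT_RE = re.compile(r"Copyright\s+(?:\(c\)\s*)?\d{4}.*", re.IGNORECASE)
@dataclass
class Component:               # one inventory entry derived from the scan results
    name: str
    version: str
    license: str               # SPDX identifier
    copyrights: dict = field(default_factory=dict)  # file path -> statements

def extract_copyrights(files: dict) -> dict:
    """Step 1/2: collect copyright statements per scanned file header."""
    found = {}
    for path, text in files.items():
        hits = [m.group(0).strip(" */") for m in COPYRIGHT_RE.finditer(text)]
        if hits:
            found[path] = hits
    return found

def build_inventory():
    """Step 2: the FOSS inventory; component, version and license are assigned by hand here."""
    cr = extract_copyrights(SCAN)
    return [Component("tlsdemo", "1.0.1", "Apache-2.0", {p: s for p, s in cr.items() if "/tlsdemo/" in p}),
            Component("listlib", "2.4", "GPL-2.0-only", {p: s for p, s in cr.items() if "/listlib/" in p})]

def copyleft_components(inventory):
    """Step 3: components whose license carries a copyleft obligation."""
    return sorted(c.name for c in inventory if c.license.startswith(COPYLEFT_PREFIXES))

def notice_document(inventory) -> str:
    """Step 4: license documentation with copyright statements at file level."""
    lines = []
    for c in sorted(inventory, key=lambda c: c.name):
        lines.append(f"{c.name} {c.version} -- {c.license}")
        for path, stmts in sorted(c.copyrights.items()):
            lines.extend(f"  {path}: {s}" for s in stmts)
    return "\n".join(lines)

def affected(inventory, name, first_affected, first_fixed):
    """Vulnerability response: components inside the advisory range [first_affected, first_fixed)."""
    ver = lambda v: tuple(int(p) for p in v.split("."))
    lo, hi = ver(first_affected), ver(first_fixed)
    return [f"{c.name} {c.version}" for c in inventory if c.name == name and lo <= ver(c.version) < hi]
```

The version comparison assumes purely numeric dotted versions; real advisories (OpenSSL's letter suffixes, for instance) need a scheme-aware comparator.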

Open Source Management is a complex niche topic that requires specialized knowledge. It may prove to be particularly difficult for companies for which software development is not part of their core business. Some organizations have chosen to outsource FOSS management to a service provider. BearingPoint provides such an option with a highly specialized team focused on compliance and risk mitigation. BearingPoint's FOSS compliance services are highly standardized and are deployed in a multitude of business situations, companies, and markets.

FOSS is widely used in modern software development due to the many advantages it brings to the development process. But FOSS use must remain under control with proactive Open Source Management, to help maximize utility and value while avoiding any legal and security risks. Companies in control of their FOSS use can safely focus on product leadership and innovation to provide increasing value to their customers.

Authors

Leo Piirto
Senior Business Consultant
BearingPoint Finland

Mikko Virta
Business Development Manager
BearingPoint Finland