Nowadays, software development without Free and Open Source Software (FOSS) is difficult to imagine. Using open-source software enables companies to significantly lower license and development costs in both infrastructure and software development. On the other hand, relying on FOSS entails business risks which must be considered and mitigated: license obligations, as well as security and compliance aspects, are just some examples that can cost dearly if neglected.

To meet the requirements for compliant handling of open-source software, the following steps should be taken:

Scan the code base

  • The entire code base of the product, including all upstream source code artifacts, must be scanned with an appropriate tool.
  • The scan results must be analyzed to create the inventory of deployed FOSS components.

Analyze and identify issues

  • Based on the inventory, license and security issues are identified.
  • A report listing mitigation actions for every issue found describes the steps needed to obtain a compliant product.

Fulfill all license obligations

  • Open source licenses contain specific license obligations (e.g. distribute license text, copyleft effect) which must be fulfilled.
  • A technical analysis provides a clear view of how these obligations must be handled.

Create the license documentation

  • The license documentation must include all license texts and copyright statements extracted from the open-source components, at file level.
  • This documentation must be distributed along with the commercial product.

An up-to-date inventory of deployed FOSS components is also crucial for managing security vulnerabilities. Many companies were affected by serious security vulnerabilities in FOSS components; one example is the Heartbleed vulnerability, a serious bug in some versions of OpenSSL that put protected information at risk for everyone who was still running those outdated versions of the software. Only those who knew exactly which version of OpenSSL was used, and in which products, were able to react quickly and protect their software.
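To make the inventory point concrete, the following added example (not code from the article or from BearingPoint) queries a small, constructed FOSS inventory for products that embed an OpenSSL version in Heartbleed's affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g); the product names, versions and the `Component` structure are assumptions for illustration.

```python
"""Inventory lookup against an advisory's affected-version range.

Added example with constructed sample data: the kind of query an
up-to-date FOSS inventory makes possible when an advisory lands.
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    product: str   # shipped product that embeds the component (assumed names)
    name: str      # FOSS component name as recorded by the scan
    version: str   # exact version string as recorded by the scan
    license: str   # license identifier recorded during license analysis

# Constructed sample inventory, shaped like the output of a code-base scan.
INVENTORY = [
    Component("Gateway", "openssl", "1.0.1e", "OpenSSL"),
    Component("Gateway", "zlib", "1.2.8", "Zlib"),
    Component("Portal", "openssl", "1.0.1g", "OpenSSL"),
    Component("Agent", "openssl", "0.9.8y", "OpenSSL"),
    Component("Agent", "curl", "7.36.0", "curl"),
]

# Legacy OpenSSL versions look like 1.0.1f: three numbers plus a letter suffix.
_OPENSSL_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

def openssl_key(version):
    """Sort key for legacy OpenSSL versions: numeric parts, then letter suffix."""
    m = _OPENSSL_RE.match(version)
    if not m:
        raise ValueError(f"unrecognized OpenSSL version: {version}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)

def affected_products(inventory, name, first_bad, first_fixed):
    """Products embedding a version of `name` in [first_bad, first_fixed)."""
    lo, hi = openssl_key(first_bad), openssl_key(first_fixed)
    return sorted({c.product for c in inventory
                   if c.name == name and lo <= openssl_key(c.version) < hi})

if __name__ == "__main__":
    # Heartbleed affected OpenSSL 1.0.1 up to and including 1.0.1f.
    print(affected_products(INVENTORY, "openssl", "1.0.1", "1.0.1g"))  # ['Gateway']
```

Without the per-product version record, the same question ("which of our products ship an affected OpenSSL?") can only be answered by re-scanning every code base under time pressure.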

Open Source Management is complex and requires specialized knowledge. It is especially difficult for companies for which software creation is not part of their core business. One alternative is to outsource FOSS management to a service provider. BearingPoint provides such an option with a highly specialized team focused on compliance and risk mitigation. The BearingPoint FOSS compliance services are highly standardized and are deployed in a multitude of business situations, companies, and markets.

As with every technology, FOSS is widely used and brings many advantages to the development process. But it must be handled with care to gain real value from it and to avoid legal and security issues. Only in this way does FOSS become a friend of companies and help them focus on innovation and customer value.
