Open Source Software Management

(1)

Open Source Software

Management

Claus-Peter Wiedemann

Senior Manager, FOSS Services, BearingPoint

Black Duck Korea Open Source Conference Seoul, June 5, 2015

Safely Unlock the Potential of Open

Source Software

(2)

Disclaimer

This presentation does NOT constitute Legal Advice. None of the information given herein may be relied upon in lieu of consultation with an appropriate lawyer specialized in Free & Open Source Software matters and qualified to give advice in the area of copyright law and other areas of law which this presentation may relate to.

(3)

By 2016, at least 95% of IT organizations

will leverage nontrivial elements of

open source software technology

in their mission-critical IT portfolios,

including cases where they might not be

aware of it — an increase from 75% in 2010.

Gartner predicts…

(4)

Barclays claims 90 percent software cost

savings with open source drive

http://www.v3.co.uk/v3-uk/news/2234593/barclays-slashes-software-spend-by-90-percent-with-open-source-drive

(5)

Source: BearingPoint Automotive Survey (http://www.bearingpoint.com/en-us/7-5601/study-foss-management)

(6)

• … creates transparency

• … increases quality

• … accelerates innovation in Automotive software

• … enables new Automotive business models

(7)

100+ m lines of code in a premium-class car

(IEEE, Feb. 2009)

70+% is in IVI “head

unit”, at R&D of

US$1-10/line!

(GENIVI, 2010)

Infotainment & Telematics

(8)

• Responding to consumers

−

Integration of rapidly innovating consumer devices

−

New KPI: time from consumer request to in-car availability

• Complexity & cost

−

„Black box“ supplier approach no longer sufficient

• Customer ownership

−

New players in the car (Google, Apple,…)

−

Branding & data ownership

−

Supplier relationships and business models evolving

(9)

Source: http://www.slideshare.net/fullscreen/blackducksoftware/2015-future-of-open-source-survey-results/8)

(10)

(11)

• … accelerate innovation

− Reuse non-differentiating code

− Utilize the power of communities

− Enable/accelerate standardization

− Gain competitive avantage

• … attract top talent

• … bring software development productivity to the next level

− Scale with beyond market speed

• … increase security and quality

− Source code availability see what the code (really) does

− Code is deployed (and tested) by many and in other domains higher code quality

• … save money

(12)

(13)

• Technical

• Operational

• Security

• Legal

(14)

• Unknown architecture

• Unknown code quality/documentation

• Unknown efforts for maintenance and support availability

• Unknown fitness for regulatory requirements, e.g.

• ISO 26262 (Automotive)

• Sarbanes-Oxley (Financial) • 510(k) (Healthcare)

Business Risks of FOSS Deployment

Technical & Operational

(15)

Mature organizations…

… define technical entry gates for FOSS

… consider community activity and other meta data

… apply the same stringent quality assurance procedures to FOSS … actively participate in FOSS communities and contribute code … coordinate FOSS use across organizational boundaries

Business Risks of FOSS Deployment

Technical & Operational

Use proper tooling. Manual attempts will fail.

Outsource to experienced supplier.

(16)

• Security is most critical

− Safety critical applications (e.g. medical devices, airplanes, cars)

− High damage potential (liability, data and money loss)

− Reputation damage can be detrimental to the business

• FOSS specific aspects

− Source code is available hard to hide malicious code

− Vulnerabilities can get fixed (very) fast

− Many different FOSS components are deployed in many products

− Version proliferation (e.g. old, new versions mixed)

− Own responsibility for finding out about security vulnerabilities

Business Risks of FOSS Deployment

Security

(17)

Business Risks of FOSS Deployment

Public Security Vulnerability Data Sources (Examples)

http://www.ipa.go.jp/security/english/

http://www.osvdb.org/ http://nvd.nist.gov/

(18)

Example: Large EU Bank

Thousands of vulnerabilities detected in the 3

rd

_{party components}

0 500 1000 1500 2000 2500 3000 3500 4000 4500

Low Medium High

(19)

Mature organizations…

… keep track meticulously where which FOSS is deployed

… evaluate known security vulnerabilities when new FOSS is selected

… constantly monitor the FOSS communities and other public data sources for new security vulnerabilities

Use proper tooling. Manual attempts will fail.

Outsource to experienced supplier

Business Risks of FOSS Deployment

Security

(20)

• Noncompliance with FOSS license terms may lead to:

− Preliminary Injunctions, delivery stops

− Damage payments and profit skimming

− Unfair competition claims

− Criminal charges

• Copyleft risks

• Patent & trademark risks

• FOSS specific aspects

− FOSS can be obtained without purchasing/legal involvement

− License obligations come „unexpectedly“

− FOSS license obligations are „unusual“ compared to commercial software

Business Risks of FOSS Deployment

Legal

(21)

Mobile Computing Changes the Game

• “Traditional” organizations (e.g. banks, broadcasters, utilities) and

service providers suddenly become software distributors/vendors

• Additional license obligations kick in, e.g.

− Provision of the license text

− Provision of the source code

− Attributions

(22)

Mature organizations actively manage FOSS compliance by…

… defining legal entry gates for FOSS

… collecting and maintaining license information for all FOSS files … examining all source code (own or delivered) for hidden FOSS … keeping track meticulously where which FOSS is deployed … accurately fulfilling all license obligations

… requiring all their suppliers to do the same

Use proper tooling. Manual attempts will fail.

Outsource to experienced supplier

Business Risks of FOSS Deployment

Legal

(23)

(24)

FOSS Management Maturity Model

F

O

S

B

e

n

e

fi

ts

High legal

and technical

risks

Risks

reduced

FOSS Management Maturity

Cultural

Change

2 1 3 4

5

(25)

FOSS Management is a non-core activity

Mature Organizations outsource FOSS Management

– Less pressure on internal staff

• No specialized FOSS Management know how

required

• No need for dedicated internal staff

– Less pressure on IT infrastructure costs

• No dedicated hardware required, tools can be hosted

and maintained by external partner

– Lower cost & higher efficiency

• specialized & experienced full-time resources • economy of scale

(26)

Q

&

A

(27)

Claus-Peter Wiedemann Senior Manager BearingPoint Erika-Mann-Str. 9 80636 München Germany [email protected] T+49 89 54033 6367 F+49 89 54033 7940 M+49 172 2757415 www.bearingpoint.com

Contact

(28)