Channel: Legal/Compliance – Open Source Delivers

Why You Need to Pay Attention to OSS Compliance & Enforcement


I have the opportunity to speak with people routinely about their organization’s open source use, both in terms of OSS compliance and of security. And whether with prospective customers, lawyers, audience members at my speaking engagements, or colleagues, one question comes up regularly.

The question goes something like, “So what?” as in “So what if I breach an open source license?” And that leads to “Who is really going to take an action against me?” “How likely is it that some software engineer (who is the copyright holder) is going to know?” “And even if they were to find out, what is the likelihood that they will come after me?”

I get the point, but these questions fail to see the bigger picture. There can be serious business consequences if you’re not putting open source software (OSS) management and OSS compliance at the top of your priority list.

What OSS Compliance Means from a Business Perspective

From a business perspective, poor OSS management can cause targets in an M&A transaction to suffer. In Black Duck’s experience, 95% of the targets we audit have OSS they didn’t know they were using. Half the time that unknown OSS is licensed under one of the licenses from the GPL family of licenses, and 67% of the time that unknown OSS contains publicly known security vulnerabilities.

When unknown or unreported OSS is discovered by an acquiring company during due diligence, it can impact the acquiring company’s ability to go to market quickly with the target’s products, or otherwise derail plans that the acquiring company had for the target company’s software. That can lead to a purchase price reduction or a termination of the deal. Companies that foresee a merger, an acquisition, or some other exit in their future are wise to get ahead of the game by finding out what OSS they are using, how they are using it, and where they are using it. Again, 95% of the targets we’ve audited over the last several years believed they knew the answers to these questions, only to find out, at the worst possible moment, that they really had little insight into their own software development operations.

Know Your Code

More businesses are demanding that their vendors provide an OSS bill of materials as part of the sales process. It can be a real competitive advantage for vendors who are prepared to come forward quickly with a list of OSS components in their products, and be ready to stand by that list and offer appropriate indemnification or warranties concerning the accuracy of that list. In other areas, insurance underwriters are paying more and more attention to a company’s OSS compliance when issuing professional liability coverage (to cover copyright infringement claims). Banks and VCs are paying attention too when considering a company’s IP assets as collateral or are thinking of investing in a company.

And then there is the whole cyber liability concern. License compliance and business concerns, in many cases, are far easier to deal with than the security issue. A license violation may often be cured with some cash. A security breach entails a host of issues ranging from significant direct damages to untold incidental and consequential damages. Consider the Panama Papers situation as one great case in point.

So What?

So yes, you might avoid legal action if you breach an open source license. Then again, you might not, and who really wants to spend time explaining to upper management or your Board of Directors why there’s an injunction to stop you selling your software until the offending code portions are removed? Whether you’re willing to take that chance or not, there are other solid business reasons to know what’s inside your code when it comes to open source, ranging from helping to ensure an M&A goes smoothly, through offering a clear competitive differentiator to your customers (“Open source used in our code base is compliant and secure”) to getting the best deal possible when it comes to cyber liability insurance.

That’s a lot of “so what,” isn’t it?

The post Why You Need to Pay Attention to OSS Compliance & Enforcement appeared first on Open Source Delivers.
