Channel: Legal/Compliance – Open Source Delivers

10 Ways to Gain Control, Drive Innovation, and Lower Costs with OSS


Open source has become ubiquitous in corporate enterprises, but its use brings the potential for licensing violations and other operational risks. As a result, organizations must strike a balance between management controls and freeing developers to leverage the benefits of the open source ecosystem.

The economics of open source software (OSS) are clear, especially for IT development groups trying to do more with less. The following are best practices we’ve pulled together from the experiences of hundreds of companies taking advantage of OSS to drive innovation and reduce costs.

1.  Develop policies for using open source code.

The first step in governing OSS use and reuse is having a policy in place. Uncontrolled use of OSS exposes companies to significant operational, compliance, and security risks. IT development organizations that use externally-sourced code need to make sure all applications are developed and deployed in accordance with these policies. It’s critical for IT executives to work with legal departments to ensure that governance policies for external code use are defined, managed, and communicated effectively to all developers.

2.  Automate the management of OSS usage.

Even the best policy for OSS use won’t be effective unless it is implemented efficiently. Too often, companies attempt to implement policies through manual methods that are slow and difficult for developers to comply with. The key to effective policy implementation is automation. To gain control, it makes sense to consider management platforms that automate the key processes associated with using open source: search, selection, validation, approval, and monitoring. By automating the selection and use of OSS, your organization can streamline processes, speed up development timelines, and improve visibility into external code throughout the development lifecycle.

3.  Scan incoming components to ensure developers use only compliant code.

It’s all too easy for developers to unknowingly introduce external code that fails to comply with corporate policies, contains security vulnerabilities, or introduces license conflicts. Automated tools that scan incoming code before it’s selected for projects offer an additional level of assurance that only compliant code is introduced into your company’s codebase.

4.  Give developers a one-stop resource to search for pre-approved external code and to identify opportunities for reuse.

Developers want fast, efficient searches, and you want to ensure they can easily identify code that meets your company’s standards and policies. Rather than random searches for externally-sourced components and their associated metadata, developers will benefit from having the ability to search a catalog of pre-approved code. This will increase the efficiency of your developer teams, accelerate time-to-market, and reduce development costs.

5.  Provide developers with a quick, accurate way to validate code.

Developers need an effective way to validate that what’s approved is actually what’s built and deployed. Too often, development teams uncover discrepancies between the bill of materials and the source code once an application is built, leading to rework and lost opportunity. You’ll want to give developers a quick and accurate way to find inconsistencies between the approved bill of materials and what is being built, preferably in real time and with an audit trail. This saves time, ensures compliance, and helps eliminate rework.
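A minimal reconciliation check of the kind described above, added here as an illustration rather than code from the article or any product; the component records and their format are constructed, and the check flags unapproved components, version drift, license changes, and approved components missing from the build:

```python
# Added example: reconcile an approved bill of materials against the
# components actually present in a build. Data below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    spdx: str  # license identifier as recorded in the BOM


# Constructed sample: what was approved for this project.
APPROVED_BOM = [
    Component("libfoo", "2.4.1", "Apache-2.0"),
    Component("jsonlite", "1.9.0", "MIT"),
    Component("netkit", "0.8.3", "BSD-3-Clause"),
]

# Constructed sample: what the build actually pulled in (e.g. from a lockfile).
BUILT_MANIFEST = [
    Component("libfoo", "2.4.1", "Apache-2.0"),
    Component("jsonlite", "1.11.0", "MIT"),           # version drift
    Component("netkit", "0.8.3", "GPL-3.0-only"),     # license changed upstream
    Component("cryptoblob", "3.0.0", "Proprietary"),  # never approved
]


def reconcile(approved, built):
    """Return sorted (component_name, issue) findings.

    Issues: 'unapproved' (not in the BOM), 'version_drift', 'license_mismatch',
    and 'missing' (approved but absent from the build).
    """
    approved_by_name = {c.name: c for c in approved}
    built_by_name = {c.name: c for c in built}
    findings = []
    for name, comp in sorted(built_by_name.items()):
        ref = approved_by_name.get(name)
        if ref is None:
            findings.append((name, "unapproved"))
            continue
        if comp.version != ref.version:
            findings.append((name, f"version_drift {ref.version}->{comp.version}"))
        if comp.spdx != ref.spdx:
            findings.append((name, f"license_mismatch {ref.spdx}->{comp.spdx}"))
    for name in sorted(set(approved_by_name) - set(built_by_name)):
        findings.append((name, "missing"))
    return findings


if __name__ == "__main__":
    for name, issue in reconcile(APPROVED_BOM, BUILT_MANIFEST):
        print(f"{name}: {issue}")
```

Run in CI against the build's lockfile, a non-empty findings list is the audit-trail entry that blocks the release until the BOM or the build is corrected.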

6.  Establish an automated approval process.

Without a formal approval process within your development organization, you risk introducing code that does not comply with corporate policies, contains security vulnerabilities, is unlicensed, or may contain bugs. But to be effective, your approval process should be implemented through an automated workflow. Manual approval processes have been found to actually hamper the use of externally-sourced code, not to mention extending development schedules.

7.  Monitor externally-sourced code once it’s put into use.

When developers integrate external code into applications and services, issues can arise post-deployment, including newly disclosed security vulnerabilities, new upstream versions, or other defects. Development organizations need an effective way to monitor externally-sourced code once it’s put into use on projects. This makes it easier to determine which components are deployed where, and to track down defects and security vulnerabilities across multiple code repositories distributed across the enterprise.

8.  Integrate OSS tools into your application lifecycle management processes and internal workflows.

Integrating an OSS management toolset into your application lifecycle management processes and workflows can reduce time to market and save money. Implementing effective programs to search, select, manage, and monitor open source use across your enterprise will yield the best results.

9.  Identify encryption code embedded in complex software to comply with applicable international regulations.

Governments across the world regulate the commercial export and transfer of software containing encryption algorithms. Your organization needs to be aware of the cryptographic content in its software code base to comply with applicable regulations. Finding encryption within codebases can be time-consuming and subject to error. Automating this process saves time and helps assure your company of compliance.

10.  When evaluating potential acquisitions or divestitures, make sure to quickly identify open source and its related licensing obligations.

Depending on your business context, knowing what OSS-related intellectual property you possess will help you reduce business risk, enhance value, accelerate transactions, and improve trust in customer relationships.
