Scan open source use to minimize risks, optimize benefits

Higher adoption of open source software (OSS) today among enterprises is pushing the need for scanning tools that can help maintain compliance and minimize potential risks from OSS use and licensing, say market players, who add that this also optimizes benefits from using open source.

Open source software is proving to be a viable market, said Steve Grandchamp, CEO of U.S.-based OpenLogic, who cited Gartner predictions that the number of Global 2000 companies which use open source in their mission-critical applications will jump from 75 percent in 2010 to 99 percent by 2016.

As OSS use among enterprises grows, so has the need for open source scanning tools and services, Grandchamp pointed out.

Companies are motivated to create more comprehensive policies that define the best legitimate ways of using OSS, he said, adding that in such instances scanning tools are useful to ensure adherence.

Developers also see the importance of such scans for monitoring purposes since non-compliance risks are heightened with the growing adoption of open source in mission-critical applications. These risks are higher if the OSS is distributed or purchased, and later sold as software assets, Grandchamp explained.

Likewise, he added, customers are demanding that their independent software vendors (ISVs) disclose any OSS used and provide warranties or indemnification with the software.

Guillaume Rousseau, CEO of Paris-based Antelink, said open source scanning helps companies proactively manage risks associated with using OSS and as a result, allows them to gain the benefits of adopting open source.

Incorporating open source enables organizations to ship their software faster, at a lower cost, and still maintain a high level of quality, he added.

However, poor management of open source use can also bring out hidden costs related to license compliance issues and software vulnerabilities, Rousseau noted.

He acknowledged that there were offerings available in the market to mitigate these OSS risks, but said these usually would come late in the software lifecycle, bumping up the costs of correcting the problems.

"What's more, the current [market offerings] base their analysis on unreliable techniques that produce too many false positives and increase the cost of mitigating risks," he added.

Risk management the chief benefit
Clint Oram, SugarCRM CTO and co-founder, said open source scanning is essentially compliance management.

Therefore, adoption of scanning tools boils down to how much a company is willing to tolerate, with regard to the risk of violating the open source license under which the software is distributed, Oram noted.

For instance, if a company uses packaged OSS already distributed under an open source license, there is little chance of violating a license. On the other hand, for a software developer, scanning tools are likely necessary to ensure its use of open source proponents or libraries comply with the associated licenses, he explained.

He added that SugarCRM views responsible management of its products a "fiduciary responsibility to our investors and customers". The company uses various code management tools to ensure customers are protected when using SugarCRM software, noted Oram.

Open source scanning also ensures a "clean bill of health" for its intellectual property and manages any legal risks associated with its source code, he added.

OpenLogic's Grandchamp said scanning also ensures creative choices and changes made by OSS developers are tracked, and this encourages innovation as well as talent retention.

Open source use can go unnoticed
According to Antelink's Rousseau, companies are often unaware that open source components exist in the software they use.

Grandchamp concurred, noting that from his company's experience of conducting scans for customers and prospects, there are discrepancies "100 percent of the time" between scan results and manual inventory lists. "An average enterprise uses well over 150 open source projects, with some using as many as 600," he stated.

He added that open source can be acquired and used by any developer on any team with few controls or limits, and when team members move from project to project or leave a company, and knowledge of the open source use becomes lost, he explained.

Hence, he noted that companies are increasingly relying on automated scanning tools to help keep track of the licenses and various obligations associated with OSS. An alternative would be to involve contract attorneys in the process, he added.