OSS - enterprise adoption strategy and governance

maximizing the Return of Your Output Technology Investment
Open Source Software – Strategy, Policies & Governance.
Prabir Sarkar v1.0

Content
Part I:- What’s OSS and what are the Benefits / Opportunities?
Part II:- The Risks and Challenges
Part III:- Strategy & Policies
Part IV:- Governance

PART - I
What’s OSS and what are the
Benefits / Opportunities?

What is Open Source Software (OSS) anyway ?
Open source software is developed collaboratively and is owned by a community rather than a single vendor.
The source code is freely available, and users are permitted and encouraged to change, improve, and
redistribute the software—subject to the terms of the open source license.
The result is a paradigm that moves development teams away from being locked into a vendor and provides
benefits from cost savings, access to source code and continued innovation.
Wikipedia (which itself is a free content encyclopedia under the Creative Commons Attribution-ShareAlike license)
describes open source software as follows:
Open source is a development methodology, which offers practical accessibility to a product's source (goods
and knowledge) … The open source model of operation and decision-making allows concurrent input of
different agendas, approaches and priorities, and differs from the more closed, centralized models of
development.
The 16 October 2009 memorandum from the US DoD CIO, defines OSS as "software for which the human-
readable source code is available for use, study, re-use, modification, enhancement, and re-distribution
by the users of that software".

Why use OSS?
• At this point in the evolution of the software industry, it has become difficult, if not impossible, to create
any significant body of software without using at least some open source software (OSS).
• The best-in-class software in some areas is OSS.
• Lower cost alternatives to traditional commercial packages.
• Faster time-to-market by avoiding development and testing of new code.
• Lower development costs by using free, already debugged code.
• Customers favor, and sometimes even require OSS.
• Open source now represents an average of 29 percent of the code deployed by IT, and technology
innovators are using 60 to 80 percent of open source code. - Source: Black Duck Report - Open Source
Governance In Highly Regulated Companies.
• “Open source is a “silver bullet” that allows simultaneous improvement along all three dimensions of the
software “iron triangle” of cost, schedule and features”. - Jeff Hammond, principal analyst at Forrester
Research.
• OSS came with a corporate acquisition.

Why use OSS? … Cont
Mark Driver, Gartner’s lead analyst on
open source, recently reflected on this
development: “Open source is
ubiquitous, it’s unavoidable…having a
policy against open source is impractical
and places you at a competitive
disadvantage.” In fact, Gartner predicts
that “by 2014, 50 percent of Global 2000
organizations will experience technology,
cost and security challenges through a
lack of open source governance.” The
urgency is growing for management to
catch up with the reality of how software
is built today.

Why use OSS? … Cont

A slice of History.

A slice of History Cont …

Current state of OSS projects.

CII … Now and Forever ….

Primary Reasons why Organizations are using OSS – A Gartner
Survey.

Factors influencing OSS adoption – A LSE study on Private and Public
sector enterprises in Europe.
Source :- London School of Economics. “Total cost of ownership of open source software: a report for the UK Cabinet
Office supported by OpenForum Europe.” (November 2011 )

Key Initiatives Supported by OSS – A Gartner Survey

Show Me the Money: The Cost Savings and Other Benefits of Open Source
Source: The Growth of Open Source Software in Organizations. – Optaros Publications and Thought Leadership.
Source :- http://www.computerworlduk.com/
Nov. 2012
Source :- http://www.informationweek.com/
Source :- http://www.govtech.com/ Aug. 2013

Show Me the Money: Cost Heads & Savings of Open Source … Cont
Source: The Growth of Open Source Software in Organizations. – Optaros Publications and Thought Leadership.

Major reasons for supporting external OSS projects
- A Gartner Survey.

… So, its not just about saving Money !

Average Defect Density of OSS better than Industry average.
(Source https://scan.coverity.com/, Coverity Scan)

Quality of OSS code higher than proprietary code.
(Source https://scan.coverity.com/, Coverity Scan : 2013 OSS Report. )

PART II
The Risks and Challenges

Clear and Present Danger

What are the Risks in using OSS ?
Risks from the use of open source include:
• Technical and operational
Issues can arise in Code quality/integrity, Ability to obtain support, Viability of the community
behind the open source project. When open source is used in mission critical operations, a clear plan
and path from the code to where it’s used to how and where to obtain support and fixes are critical.
• Regulatory
Issues can arise in compliance of regulatory Sarbanes-Oxley, data privacy regulations (PCI) and
export regulations (there are over 4,000 open source projects with encryption algorithms strong enough
to require a filing with the U.S Bureau of Industry and Security(BIS).
The lack of visibility on what the code is doing and how it works can represent a major control oversight
of the data and create regulatory exposure. In addition, the way developers integrate open source with
proprietary code can affect IP ownership. For example, in March 2011, a former Goldman Sachs
programmer received an eight-year jail term for theft of intellectual property in the form of software.
[ http://cryptome.org/2014/04/goldman-sachs-code-thief.htm]

What are the Risks in using OSS ? … Cont 1
•Security
The lack of visibility on what the code is doing and how it works can represent a major control oversight
of the data and create regulatory exposure. In addition, the way developers integrate open source with
proprietary code can affect IP ownership. For example, in March 2011, a former Goldman Sachs
programmer received an eight-year jail term for theft of intellectual property in the form of software.
[http://cryptome.org/2014/04/goldman-sachs-code-thief.htm].
Development’s use of OSS can create blind spots that need to be addressed, and IT management needs
to ensure security as new applications, products and services are created.
• Legal
Legal risk and exposure with OSS is fairly well known and widely reported. While open source is free, all
open source comes with a license and obligations that must be met. Open source licenses range from
simple/permissive licenses such as the MIT and BSD license, to the more restrictive, “copyleft” GPL
family of licenses. Improper use of open source code, especially code under the GPL-family of licenses,
can impact an organization’s IP and their brand.

What are the Risks in using OSS ? …Cont 2.
• Brand
A company’s brand is one of its most valuable assets, representing the company’s ultimate promise to all of its customers.
Microsoft, for example, has made a concerted effort over the last few years to develop a positive relationship with the open
source community. But even one of the best run software companies in the world ran afoul of the open source community
and damaged its brand with the release of Windows 7.
GPL licensed open source code was integrated with part of the release by a third-party and was not discovered
as part of Microsoft’s release process. To its credit, Microsoft discovered the sproblem, reported and fixed it. However,
when viewed in the context of Microsoft working to improve their relationship with the open source community, it was a
significant setback to their development efforts and relationship with the community. This relationship is key to hiring
open source talent; companies now strategically seek developers who are both skilled in software development and open
source community savvy.
Microsoft admits its GPL violation; will reissue Windows 7 tool under open-source license (Source :-
http://www.zdnet.com/blog/microsoft/microsoft-admits-its-gpl-violation-will-reissue-windows-7-tool-under-open-source-
license/4547)
Microsoft pulled the Windows 7 USB/DVD Download Tool from the Microsoft Store on November 10 after a report by "Within
Windows" blogger Rafael Rivera that he had found what looked to be open-source code in the tool. Inclusion of open-
source code isn't a no-no, but Microsoft's decision to put a restrictive, non-open-source license on the tool incorporating
that code was. (The USB tool, which Microsoft made available on October 22, is designed to help netbook users upgrade
from XP to Windows 7 in a more streamlined way.)

The OSS License Regimes
GPL Preamble : - http://www.gnu.org/copyleft/gpl.html
Software Freedom Law Center Guide to GPL Compliance 2nd Edition :-
http://www.softwarefreedom.org/resources/2014/SFLC-Guide_to_GPL_Compliance_2d_ed.html#gplv2

Lack of Controls on OSS components

Mixing Code is risky!

PART III
Strategy & Policies

OSS Management

Why do we need an OSS Policy ?
"While most software managers are aware of the legal risks (e.g., license compliance with
commercial strategies and additional code used, monitoring the use of code, etc.) and the
operational risks (e.g., compatibility requirements, maintenance and support, integration concerns,
among others) of using open source, the benefits far outweigh these concerns. As such creating an
open source software policy is a key strategic imperative for organizations in the software industry.
“ - Greg Olson, Senior Director, Open Source Management Practice, Black Duck Software.
“Unaudited and unmanaged open source technology proliferates with an enterprise software
portfolio and is hidden as a ticking time bomb that eventually results in technical failure that cannot
be sufficiently addressed, security risks that can result in a significant loss of business value, and
potential intellectual property (IP) risks that can result in legal action. – Gartner
“Companies must have a policy for procuring OSS (Open Source Software), deciding which
applications will be supported by OSS, and identifying the intellectual property risk or supportability
risk associated with using OSS. Once a policy is in place, then there must be a governance process
to enforce it.” – Laurie Wurster, Research Director, Gartner

How did OSS policy evolve globally?

Why OSS policy trended the way it did?
Prior to 2001, there was almost no activity in policy related to open-source, which could be the result of a lack
of maturity in open-source software development up until this point and/or difficulty in finding
documentation of older open-source policies online. The first year in which we see a significant increase
in open-source policies is 2002, followed by a sharp jump in 2003 (see Figure 2). Potential
explanations for the marked surge in open-source policies in 2003 could include increased
lobbying efforts by large multinational firms invested in open-source, the growth of anti-
Americanism and the desire to be less reliant on American brands, and the development of strong viable
open-source alternatives. Between 2006 and 2007, we see a second boost in open-source policies,
which could be attributed to a reaction to the global release of a major closed-source software package,
to avoid vendor lock-in. This reaction was likely driven in part by the desire of governments to avoid
costly software renewal as well as unfavorable reception of the closed-source software package.
Source:- Center for Strategic and International Studies - Whitepaper on Government Open Source
Policies - March 2010

OSS strategy statement & Steps for creating OSS Policy
OSS Strategy Statement –“Maximize the Return while Minimizing the Risks”
In order to align ourselves with the above strategy we need to evolve an OSS
policy. The four steps for creating an effective OSS policy are:

The OSS Management action areas

Critical elements of an effective OSS policy
Who will Own the policy, conduct trainings, review,
update policy etc … OpenSource Review Board?
What are the evaluation criteria ?
Who approves what ?
Should provide guidance to procurement of OSS / third party
components with embedded OSS.
OSS inventory management, all modifications and uses
tracked, all bug fixes shared. Archive all artifacts of
OSS.
Identify owner of OSS components to track security bugs & all
support issues.
License compliance for distributed S/W with OSS & for network delivered services using
OSS components. Audit each release for total compliance.
What kind of OSS participation is permitted or required ?

The Discovery and Evaluation Step. (Further Details)

The Policy Builder Questionnaire.

Part IV
Governance

The Governance Gap
Gartner predicts that by 2014, "50% of Global 2000
organizations will experience technology, cost
and security challenges due to a lack of open
source governance," and through 2015, "less
than 50% of IT organizations will have effective
open source governance programs in place."

The Fallout
Free Software Foundation, Inc. v. Cisco Systems, Inc. – Dec, 2008
A GPLv2 quagmire
V Verizon. – GPL Compliance issues.

Enabling Open Source Governance
Effective governance of open source can empower developers, increase innovation and improve
competitiveness. For mid to large organizations with hundreds of developers working on multiple
projects across geographies better software can be delivered faster by automating, centrally
managing and auditing their selection & use. Its important to integrate enterprise-scale governance of
open source across the entire application lifecycle. An effective governance regime will deliver the
following results -

Tight coupling of automated governance process with application
Lifecycle

Automated governance & Compliance

Acknowledgements
During research and preparation of this document I have freely gathered information from various
whitepapers, surveys, articles, blogs available on the internet. I have mentioned the sources as and
when they came up across the slides. Here is a brief list of such & other sources but is not exhaustive.
• COVERITY SCAN: 2013 OPEN SOURCE REPORT (Coverity Scan)
• Blackduck Software.
• Gartner Surveys
• Opensource.org, Gnu.org
• OpenLogic.com
• Linuxfoundation.org
• Optaros.com
• CIO.com

OSS - enterprise adoption strategy and governance

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie OSS - enterprise adoption strategy and governance

Ähnlich wie OSS - enterprise adoption strategy and governance (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

OSS - enterprise adoption strategy and governance