SCC FOSS Services - Source Code Control Limited

Open Source Software Management Services

Open Source Risks

Open source has become indispensable to almost all organisations, because open source provides needed functionality at a low cost, resulting in:
- Faster time to market
- Lower development costs
- Support from broad communities

Gartner already estimates that greater than 95% of all mission critical applications contain open source components, and the broader adoption of open source is fuelling the community as enterprises contribute to existing and new open source projects.

The popularity of open source has also spurred the growth of new open source projects. Significantly, commercial enterprises are more likely to contribute to open source communities than ever before, including projects started by these organisations. Google, Facebook, IBM, EMC, Microsoft, and Apple have all contributed major open source code projects to the community.

As more projects become available, especially those supported by large organisations, it becomes more important to track how and where these are used.

Each software component used by a developer has a number of attributes which could be a business risk to an organisation. These risks are:
- Legal risk/licence compliance: Open Source Software licence analysis, legal obligations, as well as potential intellectual property (IP) risks and copyright issues
- Security vulnerabilities: security vulnerabilities contained within components
- Operational risk: evaluates whether components meet technical and architectural standards
- Community support: determines developer activity, and the resulting component viability, based on commit history

Source Code Control provide a range of services that specialise in building business processes to manage risks in open source software applications developed in-house or by third party suppliers.

We help organisations who develop or modify software become responsible software organisations who can transparently demonstrate to their customers how they avoid passing on risk and keep customers protected. We enable a model for Professional Re-Usable Open Source Software to ensure minimal risk with maximum return. Although open source software code risk is a technical problem, the risk it creates is a business risk with business implications.

Security
- Over 30,3000 known Open Source Software vulnerabilities since 2000
- 4,300 component vulnerabilities in 2015
- Less than 50% of organisations have a policy for tracking, identifying and remediating
- Source: National Vulnerability Database

Security Vulnerability Exploits
- Heartbleed (CVE-2014-0160), 2014
  - Affected 66% of websites globally
  - 199,500 systems still vulnerable
  - 49 further vulnerabilities found since 2014

Open Source Licensing
- Over 2,300 licences
- Variety of licence types
  - Copyleft, e.g. GPL, AGPL
  - Permissive, e.g. Apache, BSD
  - Open Core
  - Hybrid

License Compliance Issues

Recent Legal Examples
- Hellwig v VMware GPL enforcement
  - Supported by Software Freedom Conservancy
  - On-going since 2007
  - “Community” raised $50,000 to support
  - German courts
- Open Source IP Trolls, e.g. Patrick McHardy
  - Linux Kernel developer
  - Targeting large organisations
  - Estimated 50+ approaches per organisation
  - Retailers, telcos, producers, importers
  - Seeks monetary gain
- Harald Welte – OSS Compliance Company
  - Enforcement of the GPL
  - European geographic focus
  - Civil charges in Germany
  - Cease and desist notices
  - Damages for loss of revenue
- Increase in legal activity
  - Driven by increased adoption of Open Source
- Organisations are not meeting their obligations
  - Attribution notices
  - Copyright notices
  - Making source code available
  - Licence conflicts, e.g. proprietary and Open Source

https://sourcecodecontrol.co 149-151 Mortimer Street, Herne Bay, Kent, CT6 5HA Telephone +44 1227 254200 [email protected]

OPEN SOURCE SOFTWARE CORE SERVICES OFFERED

Getting it Right with Open Source Software Licensing

This course is a half-day classroom based course designed to help organisations who develop and distribute software, and/or companies receiving software through a supply chain, implement a governance program.

Source Code Audits and Reviews

A full Bill of Materials (BoM) itemising all third party and proprietary components used, including component attributes such as licensing and security vulnerabilities.

OpenChain Conformance and Assessment

A review and gap analysis of an organisation’s current Open Source management practices, assessed against the Linux Foundation OpenChain specification.

Open Source Policy Creation

A clearly defined and robust Open Source Software Policy is fundamental to a successful, professionally managed Open Source Software Program. The policies defined will guide the organisation’s risk management strategy.

Open Source Processes Design and Implementation

Business processes are required to ensure organisations realise all the benefits of using open source software to develop software solutions while minimising potential risks such as licensing and security risks.

Cyber and IP Assurance

Technology companies who are insuring against cyber security and/or IP issues in software need an accurate assessment of their ability to mitigate risk, to minimise their insurance outlay.

Software Procurement Services

Where organisations are outsourcing development to third parties or purchasing open source software based solutions, there need to be processes in place to measure the quality of the software supplied.

Continuous Compliance Service

Managing Open Source Software risk should be a continuous process, not a one-off audit/remediate exercise. A Continuous Compliance Managed Service enables proactive risk management to ensure unnecessary risk is not engineered into software.