© Black Duck 2012
It’s No Myth:
Compliance Is Good Business
Linux Collaboration Summit, 16 April 2013
Phil Odence, VP Business Development
Black Duck
Black Duck’s Perspective
• Known for services; primarily a software company
• Not an open source company per se
• Very involved, but most products under commercial licenses
• Serving (primarily) commercial companies
• Software, Systems, Enterprise IT Organizations
• Helping companies manage their use of open source
Agenda
Goal: To provide a bird’s eye view of open source/FOSS
usage and compliance in companies
• Evolving Relationship Between Commercial Companies and
FOSS
• Why open source?
• Why comply?
• Are they really?
• What’s next?
First of all…
“Software is Eating the World.”
Marc Andreessen (Netscape founder), Wall Street Journal, August 2011
And there’s a growing appetite for open source…
…and the plate is heaping
Source: Ohloh/Black Duck KnowledgeBase
• 2.7 billion files
• Nearly 1M de-duplicated projects
• 10+ million staff years of development
• 5000+ sites
• 2,200+ unique software licenses
[Chart: FOSS projects by year, 2006 to 2014 (later years projected); y-axis 0 to 2.5 million projects]
OSS Adoption: Jeff Hammond circa early 2009
Olliance Group* Management Maturity Framework
Axis: Open Source Adoption, from developer driven to business strategy driven
• Ad Hoc Use
• Informal Guidelines
• Explicit Policy, Tracking & Auditing
• Process Automation, Community Participation
• Built-in Compliance
• Strategic OSS Use, Community Leadership
*now a division of Black Duck
Industry OSS Adoption à la Geoff Moore
[Chart: Open Source Adoption across the technology adoption life cycle, from Innovators to the Majority]
Jeff Hammond circa late 2010
• OSS: from goal to means
• 80% of developers used OSS
• Reduced management gap
• From “don’t ask/don’t tell” to strategic
• Waning concern about mission-critical apps
The Chasm is the Stuff of Myth
• “Closed source is the evil empire”
• “You are a bunch of wookies”
• “If anyone knows we are using open source we’ll have to give up all our code”
• “They just want a free ride”
• “There’s no way to make money if I give away my software.”
• “No one cares about licenses unless they are getting sued”
• “Those guys don’t get it.”
• Chasm: Greek χάος means emptiness, vast void, abyss. Same root as “chaos”.
• Out of which grew the Chaoskampf myths, explaining the clash between order and chaos in the world’s creation (paraphrasing Wikipedia)
Why open source?
Myth: You only love us ’cause we’re free (as in beer)
Faster, Better, Cheaper
Jeffrey Hammond, Forrester
Open source is a ‘silver bullet’ that allows simultaneous improvement along all three dimensions of the software ‘iron triangle’ of cost, schedule, features.
[Diagram: iron triangle with vertices Cost, Schedule, Features]
A bunch of good reasons…
“Open source is ubiquitous, it’s unavoidable….having a policy against open source is impractical and places you at a competitive disadvantage”
Source: Mark Driver, Gartner Group
• Key Benefits
• Flexibility
• Modify, mix, reuse code
• Innovation
• Leverage FOSS and community
• Cost Optimization
• Reduce or eliminate acquisition costs
Cost is only #3 on the list
Company Benefit: Less is More
[Chart: Average 30%, Best in class 80%]
Real World Example
“Over 80% of the software in our handsets is open source”
Carl-Eric Mols, Head of OSS, Sony Mobile Communications
Another:
Large Commercial UK Bank Trading Application
Delivered a new trading app but only had to do 28% of the work!
…and then there’s customer acceptance
• DoD CIO Letter…
• “To effectively achieve its missions, the Department of Defense must develop and update its software-based capabilities faster than ever, to anticipate new threats and respond to continuously changing requirements. The use of Open Source Software (OSS) can provide advantages in this regard.”
• “Unfortunately, there have been misconceptions and misinterpretations of the existing laws, policies and regulations that deal with software and apply to OSS, that have hampered effective DoD use and development of OSS.”
• “I have asked the Director, Enterprise Services & Integration, to work with your staffs and identify other barriers to the effective use of open source software within the Department, so we can continue to increase the benefits from the use of OSS.”
So…
• The myth:
• It’s all about the “free beer”
• The reality:
• It’s about:
• Flexibility
• Innovation
• Co-opetition and Community
• Support from customers
• And, yes, Cost
Why Comply?
Myth: Companies don’t give a hoot
(’cept maybe when they get sued)
Software today is Multi-Source
THE ENTERPRISE – TOOLS, PROCESSES
Your Software Application
• Internally Developed Code
• Commercial 3rd-Party Code
• Outsourced Code Development
• OSS Communities
“Global 2000 organizations increasingly leverage code from a vast array of sources — including internally built, open source, outsourced, commercially built, and customized applications.”
- Melinda Ballou, IDC (sponsored by Black Duck)
The Fundamental Challenge
“How ya gonna keep ’em down on the farm…?”
Management challenges aren’t just legal
“Open source is ubiquitous, it’s unavoidable….having a policy against open source is impractical and places you at a competitive disadvantage”
Source: Mark Driver, Gartner Group
• Key Benefits
• Flexibility: modify, mix, reuse code
• Innovation: leverage FOSS and community
• Cost Optimization: reduce or eliminate acquisition costs (cost is only #3 on the list)
• Challenges
• Technical Failure: operational exposure; needs to be audited, managed
• Security Risks: business exposure
• IP Risks: legal exposure
Managing Open Source = Proper SW Dev Mgmt
• “There are plenty of other reasons beyond licensing that I want to understand what’s in our code”
• CIO, Large Financial Services Firm
• Security
• Quality
• Supportability
• Community
• Sarbanes-Oxley Act Section 404 says you gotta know what software you got and who owns it
• Fortune 500 tech companies disclose open source as a material risk in their 10-Ks
And, if they want to get bought someday…
[Chart: M&A audits vs. US tech deals, 2009 to 2012]
OSS compliance has become a routine question in tech M&A
Source: Black Duck / 451 Group
Free’s not all that free
[Diagram: Phil’s (other) iron triangle, with vertices Risk (all sorts), Compliance, Productivity]
So…
• The myth:
• Companies don’t care
• And only pay attention to
extreme measures
• The reality:
• Legal fear is a motivator
• But companies’ overall risk
management agendas align
reasonably with open source
governance
• It’s just not all that simple
Who complies?
Myth: OK, but most companies don’t comply
And, they may talk the talk, but…
Companies invest heavily in compliance
In the form of sophisticated governance processes
…and people
…best practices, training, transformation
…dedicated review boards and programs
Open Source Program Office
• Responsible for all open source activities and strategy across the company
• Provides continuous training and consulting to HP product and project teams
• Encourages contribution to the open source community
• Sponsors numerous open source foundations (e.g. ASF, Linux Foundation, OpenStack) and events
• Typically reviews 10 to 20 proposals per week from teams wanting to use and/or contribute to open source
• Develops in-house tools to support the review and tracking of open source across the company
• Promptly handles any compliance inquiries that come to our attention
http://opensource.hp.com
…correct and corresponding code infrastructure
“The Internet of objects would encode
50 to 100 trillion objects, and be able to
follow the movement of those objects.
Human beings surrounded by 1000 to
5000 trackable objects”
OK, but do they waddle the waddle?
Giving back is a higher order “skill”
Axis: Open Source Adoption, from engineering driven to business strategy driven
• Ad Hoc Use
• Informal Guidelines
• Explicit Policy, Tracking & Auditing
• Process Automation, Community Participation
• Built-in Compliance
• Strategic OSS Use, Community Leadership
Companies certainly rock the Kernel
• 75% of Kernel developers are paid
• 800 companies have contributed over time; 200 active as of 2012
• Red Hat, Intel, Novell, IBM, Texas Instruments, Broadcom, Nokia, Samsung, Oracle and Google
• Source: Jon Corbet’s 2012 annual report
Community and Co-opetition
[Logos: industry groups for Financial Services, Automotive, Mobile, Aerospace (Polarsys), Healthcare and Networking; foundations including Mozilla, Eclipse, OpenStack, The Foundation, The Apache Foundation]
Automotive may boast the most logos
Ford contributes AppLink code to GENIVI Alliance
GENIVI License Review Team
And … I’m just sayin’
Closer to our hearts
So…
• The myth:
• Companies don’t comply
• And even if they do they don’t
participate
• The reality:
• Some don’t
• Many do
• The world’s best companies
invest heavily
• And, more and more they are
walking the walk
Looking forward and Conclusions
Conclusion
• The relationship between companies and FOSS has evolved
• Corporate usage has crossed the chasm
• Companies have good business reasons to
manage/comply
• The best companies do comply
• And are finding good business reasons to give back
There may remain a philosophical schism, but...
“Software is all about delivering shareholder value” vs. “Software is all about ‘free’”
Check out where it’s going
• Key trend toward internal OSS methods – 80%
• Open source will make up >50% of deployed code – 62%
• “Lower Cost” – drops to #7 in importance
• Attracting talent – #1 reason to engage
• Companies’ co-opetition will increase – 57%
• New study releases April 17
• Black Duck webinars
• #FutureOSS