It’s No Myth: Compliance Is Good Business
Linux Collaboration Summit, 16 April 2013
Phil Odence, VP Business Development, Black Duck
© Black Duck 2012

TRANSCRIPT

Page 1

© Black Duck 2012

It’s No Myth:

Compliance Is Good Business

Linux Collaboration Summit, 16 April 2013

Phil Odence, VP Business Development

Black Duck

Page 2

Black Duck’s Perspective

• Known for services; primarily a software company

• Not an open source company per se

• Very involved, but most products under commercial licenses

• Serving (primarily) commercial companies

• Software, Systems, Enterprise IT Organizations

• Helping companies manage their use of open source

Page 3

Agenda

Goal: To provide a bird’s eye view of open source/FOSS usage and compliance in companies

• Evolving Relationship Between Commercial Companies and FOSS

• Why open source?

• Why comply?

• Are they really?

• What’s next?

Page 4

First of all…

“Software is Eating the World.” Marc Andreessen (Netscape Founder)

August ’11, Wall Street Journal

And there’s a growing appetite for open source…

Page 5

…and the plate is heaping

Source: Ohloh/Black Duck KnowledgeBase

• 2.7 billion files
• Nearly 1M de-duplicated projects
• 10+ million staff years of development
• 5000+ sites
• 2,200+ unique software licenses

[Chart: FOSS Projects by year, 2006 to 2014 (later years projected), y-axis from 0 to 2,500,000; labels: Games, UI]

Page 6

OSS Adoption: Jeff Hammond circa early 2009

Page 7

Olliance Group* Management Maturity Framework

Horizontal axis: Developer driven → Business strategy driven; vertical axis: Open Source Adoption

Stages:
• Ad Hoc Use
• Informal Guidelines
• Explicit Policy, Tracking & Auditing
• Process Automation, Community Participation
• Built-in Compliance
• Strategic OSS Use, Community Leadership

*now a division of Black Duck

Page 8

Industry OSS Adoption à la Geoff Moore

[Chart: horizontal axis from Innovators to Majority; vertical axis: Open Source Adoption]

Page 9

Jeff Hammond circa late 2010

• OSS goal to means
• 80% developers used
• Reduced management gap
• Don’t ask/tell to strategic
• Waned concern about mission critical apps

Page 10

The Chasm is the Stuff of Myth

Voices on either side of the chasm:
• “Closed source is the evil empire”
• “You are a bunch of wookies”
• “If anyone knows we are using open source we’ll have to give up all our code”
• “They just want a free ride”
• “There’s no way to make money if I give away my software.”
• “No one cares about licenses unless they are getting sued”
• “Those guys don’t get it.”

• Chasm: Greek χάος means emptiness, vast void, abyss. Same as for “chaos”
• Out of which grew the Chaoskampf myths
• Explaining the clash between order and chaos in the world’s creation
• paraphrasing Wikipedia

Page 11

Why open source?

Myth: You only love us ’cause we’re free (as in beer)

Page 12

Faster, Better, Cheaper

Jeffrey Hammond, Forrester

Open source is a ‘silver bullet’ that allows simultaneous improvement along all three dimensions of the software ‘iron triangle’ of cost, schedule, features.

[Diagram: the iron triangle, with vertices Cost, Features and Schedule]

Page 13

A bunch of good reasons…

“Open source is ubiquitous, it’s unavoidable….having a policy against open source is impractical and places you at a competitive disadvantage”

• Key Benefits

• Flexibility

• Modify, mix, reuse code

• Innovation

• Leverage FOSS and community

• Cost Optimization

• Reduce or eliminate acquisition costs

Source: Mark Driver, Gartner Group

It’s only #3

Page 14

Company Benefit: Less is More

[Chart: Average 30%; Best in class 80%]

Page 15

Real World Example

“Over 80% of the software in our handsets is open source”

Carl-Eric Mols, Head of OSS, Sony Mobile Communications

Page 16

Another:

Large Commercial UK Bank Trading Application

Delivered a new trading app but only had to do 28% of the work!

Page 17

…and then there’s customer acceptance

• DoD CIO Letter…

• To effectively achieve its missions, the Department of Defense must develop and update its software-based capabilities faster than ever, to anticipate new threats and respond to continuously changing requirements. The use of Open Source Software (OSS) can provide advantages in this regard.

• Unfortunately, there have been misconceptions and misinterpretations of the existing laws, policies and regulations that deal with software and apply to OSS, that have hampered effective DoD use and development of OSS

• I have asked the Director, Enterprise Services & Integration, to work with your staffs and identify other barriers to the effective use of open source software within the Department, so we can continue to increase the benefits from the use of OSS


Page 18

So…

• The myth:

• It’s all about the “free beer”

• The reality:

• It’s about:

• Flexibility

• Innovation

• Co-opetition and Community

• Support from customers

• And, yes, Cost

Page 19

Why Comply?

Myth: Companies don’t give a hoot

(’cept maybe when they get sued)

Page 20

Software today is Multi-Source

THE ENTERPRISE – TOOLS, PROCESSES

Your Software Application

Internally Developed Code

Commercial 3rd-Party Code

Outsourced Code Development

OSS Communities

Global 2000 organizations increasingly leverage code from a vast array of sources — including internally built, open source, outsourced, commercially built, and customized applications.

- Melinda Ballou, IDC (sponsored by Black Duck)

Page 21

The Fundamental Challenge

“How ya gonna keep ’em down on the farm…?”

Page 22

Management challenges aren’t just legal

• Key Benefits

• Flexibility

• Modify, mix, reuse code

• Innovation

• Leverage FOSS and community

• Cost Optimization

• Reduce or eliminate acquisition costs

• Challenges

• Technical Failure

• Operational exposure

• Needs to be audited, managed

• Security Risks

• Business exposure

• IP Risks

• Legal exposure

“Open source is ubiquitous, it’s unavoidable….having a policy against open source is impractical and places you at a competitive disadvantage”

Source: Mark Driver, Gartner Group

It’s only #3

Page 23

Managing Open Source = Proper SW Dev Mgmt

• “There are plenty of other reasons beyond licensing that I want to understand what’s in our code”

• CIO, Large Financial Services Firm

• Security

• Quality

• Supportability

• Community

• Sarbanes-Oxley Act Section 404 says you gotta know what software you got and who owns it

• Fortune 500 tech companies: material risk in 10-Ks

Page 24

And, if they want to get bought someday…

[Chart: M&A Audits vs. US Tech Deals, 2009 to 2012]

OSS compliance has become a routine question in tech M&A

Source: Black Duck / 451 Group

Page 25

Free’s not all that free

[Diagram: Phil’s (other) iron triangle, with vertices Risk (all sorts), Compliance and Productivity]

Page 26

So…

• The myth:

• Companies don’t care

• And only pay attention to extreme measures

• The reality:

• Legal fear is a motivator

• But companies’ overall risk management agendas align reasonably with open source governance

• It’s just not all that simple

Page 27

Who complies?

Myth: OK, but most companies don’t comply

And, they may talk the talk, but…

Page 28

Companies invest heavily in compliance

Page 29

In the form of sophisticated governance processes

Page 30

…and people

Page 31

…best practices, training, transformation

Page 32

…dedicated review boards and programs

Open Source Program Office

• Responsible for all open source activities and strategy across the company

• Provides continuous training and consulting to HP product and project teams

• Encourages contribution to the open source community

• Sponsors numerous open source foundations (e.g. ASF, Linux Foundation, OpenStack) and events

• Typically review 10 to 20 proposals per week from teams wanting to use and/or contribute to open source

• Develops in-house tools to support the review and tracking of open source across the company

• Promptly handle any compliance inquiries that come to our attention

http://opensource.hp.com

Page 33

…correct and corresponding code infrastructure

“The Internet of objects would encode 50 to 100 trillion objects, and be able to follow the movement of those objects. Human beings surrounded by 1000 to 5000 trackable objects”

Page 34

OK, but do they waddle the waddle?

Page 35

Giving back is a higher order “skill”

Horizontal axis: Engineering driven → Business strategy driven; vertical axis: Open Source Adoption

Stages:
• Ad Hoc Use
• Informal Guidelines
• Explicit Policy, Tracking & Auditing
• Process Automation, Community Participation
• Built-in Compliance
• Strategic OSS Use, Community Leadership

Page 36

Companies certainly rock the Kernel

• 75% of Kernel developers are paid

• 800 companies have contributed over time; 200 active as of 2012

• Red Hat, Intel, Novell, IBM, Texas Instruments, Broadcom, Nokia, Samsung, Oracle and Google

• Jon Corbet’s 2012 annual report

Page 37

Community and Co-opetition

Industries: Financial Services, Automotive, Mobile, Aerospace (Polarsys), Healthcare, Networking

Foundations: Mozilla, Eclipse, OpenStack, The Foundation, The Apache Foundation

Page 38

Automotive may boast the most logos

Ford contributes AppLink code to GENIVI Alliance

GENIVI License Review Team

Page 39

And … I’m just sayin’

Page 40

Closer to our hearts

Page 41

So…

• The myth:

• Companies don’t comply

• And even if they do they don’t participate

• The reality:

• Some don’t

• Many do

• The world’s best companies invest heavily

• And, more and more they are walking the walk

Page 42

Looking forward and Conclusions

Page 43

Conclusion

• The companies/FOSS relationship has evolved

• Corporate usage has crossed the chasm

• Companies have good business reasons to manage/comply

• The best companies do comply

• And are finding good business reasons to give back

Page 44

There may remain a philosophical schism, but...

“Software is all about delivering shareholder value”

“Software is all about ‘free’”

Page 45

Check out where it’s going

• Key trend toward internal OSS methods – 80%

• Open source will make up >50% deployed code – 62%

• “Lower Cost” – drops to #7 in importance

• Attracting talent – #1 reason to engage

• Company’s co-opetition will increase – 57%

• New Study release April 17

• Black Duck webinars

• #FutureOSS