oss - enterprise adoption strategy and governance

Open Source Software – Strategy, Policies & Governance
Maximizing the Return of Your Output Technology Investment
Prabir Sarkar, v1.0

Uploaded by prabir-kr-sarkar, posted 15-Apr-2017

TRANSCRIPT

Page 1: OSS -  enterprise adoption strategy and governance

Open Source Software – Strategy, Policies & Governance.

Prabir Sarkar v1.0

Page 2: OSS -  enterprise adoption strategy and governance

Content

Part I:- What’s OSS and what are the Benefits / Opportunities?

Part II:- The Risks and Challenges

Part III:- Strategy & Policies

Part IV:- Governance

Page 3: OSS -  enterprise adoption strategy and governance

PART - I

What’s OSS and what are the Benefits / Opportunities?

Page 4: OSS -  enterprise adoption strategy and governance

What is Open Source Software (OSS) anyway ?

Open source software is developed collaboratively and is owned by a community rather than a single vendor. The source code is freely available, and users are permitted and encouraged to change, improve, and redistribute the software—subject to the terms of the open source license.

The result is a paradigm that moves development teams away from vendor lock-in and delivers benefits in the form of cost savings, access to source code and continued innovation.

Wikipedia (which itself is a free content encyclopedia under the Creative Commons Attribution-ShareAlike license) describes open source software as follows:

Open source is a development methodology, which offers practical accessibility to a product's source (goods and knowledge) … The open source model of operation and decision-making allows concurrent input of different agendas, approaches and priorities, and differs from the more closed, centralized models of development.

The 16 October 2009 memorandum from the US DoD CIO defines OSS as "software for which the human-readable source code is available for use, study, re-use, modification, enhancement, and re-distribution by the users of that software".

Page 5: OSS -  enterprise adoption strategy and governance

Why use OSS?

• At this point in the evolution of the software industry, it has become difficult, if not impossible, to create any significant body of software without using at least some open source software (OSS).

• The best-in-class software in some areas is OSS.

• Lower cost alternatives to traditional commercial packages.

• Faster time-to-market by avoiding development and testing of new code.

• Lower development costs by using free, already debugged code.

• Customers favor, and sometimes even require, OSS.

• Open source now represents an average of 29 percent of the code deployed by IT, and technology innovators are using 60 to 80 percent of open source code. - Source: Black Duck Report - Open Source Governance In Highly Regulated Companies.

• “Open source is a “silver bullet” that allows simultaneous improvement along all three dimensions of the software “iron triangle” of cost, schedule and features”. - Jeff Hammond, principal analyst at Forrester Research.

• OSS came with a corporate acquisition.

Page 6: OSS -  enterprise adoption strategy and governance

Why use OSS? … Cont

Mark Driver, Gartner’s lead analyst on open source, recently reflected on this development: “Open source is ubiquitous, it’s unavoidable…having a policy against open source is impractical and places you at a competitive disadvantage.” In fact, Gartner predicts that “by 2014, 50 percent of Global 2000 organizations will experience technology, cost and security challenges through a lack of open source governance.” The urgency is growing for management to catch up with the reality of how software is built today.

Page 7: OSS -  enterprise adoption strategy and governance

Why use OSS? … Cont

Page 8: OSS -  enterprise adoption strategy and governance

A slice of History.

Page 9: OSS -  enterprise adoption strategy and governance

A slice of History Cont …

Page 10: OSS -  enterprise adoption strategy and governance

A slice of History Cont …

Page 11: OSS -  enterprise adoption strategy and governance

Current state of OSS projects.

Page 12: OSS -  enterprise adoption strategy and governance

CII … Now and Forever ….

Page 13: OSS -  enterprise adoption strategy and governance

Primary Reasons why Organizations are using OSS – A Gartner Survey.

Page 14: OSS -  enterprise adoption strategy and governance

Factors influencing OSS adoption – A LSE study on Private and Public sector enterprises in Europe.

Source: London School of Economics, “Total cost of ownership of open source software: a report for the UK Cabinet Office supported by OpenForum Europe” (November 2011).

Page 15: OSS -  enterprise adoption strategy and governance

Key Initiatives Supported by OSS – A Gartner Survey

Page 16: OSS -  enterprise adoption strategy and governance

Show Me the Money: The Cost Savings and Other Benefits of Open Source

Source: The Growth of Open Source Software in Organizations – Optaros Publications and Thought Leadership.

Source: http://www.computerworlduk.com/ (Nov. 2012)

Source: http://www.informationweek.com/

Source: http://www.govtech.com/ (Aug. 2013)

Page 17: OSS -  enterprise adoption strategy and governance

Show Me the Money: Cost Heads & Savings of Open Source … Cont

Source: The Growth of Open Source Software in Organizations. – Optaros Publications and Thought Leadership.

Page 18: OSS -  enterprise adoption strategy and governance

Major reasons for supporting external OSS projects - A Gartner Survey.

Page 19: OSS -  enterprise adoption strategy and governance

… So, it’s not just about saving money!

Page 20: OSS -  enterprise adoption strategy and governance

Average Defect Density of OSS better than Industry average. (Source: Coverity Scan, https://scan.coverity.com/)

Page 21: OSS -  enterprise adoption strategy and governance

Quality of OSS code higher than proprietary code. (Source: Coverity Scan 2013 OSS Report, https://scan.coverity.com/)

Page 22: OSS -  enterprise adoption strategy and governance

PART II

The Risks and Challenges

Page 23: OSS -  enterprise adoption strategy and governance

Clear and Present Danger

Page 24: OSS -  enterprise adoption strategy and governance

What are the Risks in using OSS ?

Risks from the use of open source include:

• Technical and operational

Issues can arise in Code quality/integrity, Ability to obtain support, Viability of the community behind the open source project. When open source is used in mission critical operations, a clear plan and path from the code to where it’s used to how and where to obtain support and fixes are critical.

• Regulatory

Issues can arise in compliance with regulations such as Sarbanes-Oxley, data privacy regulations (PCI) and export regulations (there are over 4,000 open source projects with encryption algorithms strong enough to require a filing with the U.S. Bureau of Industry and Security (BIS)).

The lack of visibility on what the code is doing and how it works can represent a major control oversight of the data and create regulatory exposure. In addition, the way developers integrate open source with proprietary code can affect IP ownership. For example, in March 2011, a former Goldman Sachs programmer received an eight-year jail term for theft of intellectual property in the form of software. [ http://cryptome.org/2014/04/goldman-sachs-code-thief.htm]

Page 25: OSS -  enterprise adoption strategy and governance

What are the Risks in using OSS ? … Cont 1

• Security

Development’s use of OSS can create blind spots that need to be addressed, and IT management needs to ensure security as new applications, products and services are created.

• Legal

Legal risk and exposure with OSS is fairly well known and widely reported. While open source is free, all open source comes with a license and obligations that must be met. Open source licenses range from simple/permissive licenses such as the MIT and BSD license, to the more restrictive, “copyleft” GPL family of licenses. Improper use of open source code, especially code under the GPL-family of licenses, can impact an organization’s IP and their brand.

Page 26: OSS -  enterprise adoption strategy and governance

What are the Risks in using OSS ? …Cont 2.

• Brand

A company’s brand is one of its most valuable assets, representing the company’s ultimate promise to all of its customers.

Microsoft, for example, has made a concerted effort over the last few years to develop a positive relationship with the open source community. But even one of the best run software companies in the world ran afoul of the open source community and damaged its brand with the release of Windows 7.

GPL licensed open source code was integrated with part of the release by a third party and was not discovered as part of Microsoft’s release process. To its credit, Microsoft discovered the problem, reported it and fixed it. However, when viewed in the context of Microsoft working to improve its relationship with the open source community, it was a significant setback to its development efforts and its relationship with the community. This relationship is key to hiring open source talent; companies now strategically seek developers who are both skilled in software development and open source community savvy.

Microsoft admits its GPL violation; will reissue Windows 7 tool under open-source license (Source: http://www.zdnet.com/blog/microsoft/microsoft-admits-its-gpl-violation-will-reissue-windows-7-tool-under-open-source-license/4547)

Microsoft pulled the Windows 7 USB/DVD Download Tool from the Microsoft Store on November 10 after a report by "Within Windows" blogger Rafael Rivera that he had found what looked to be open-source code in the tool. Inclusion of open-source code isn't a no-no, but Microsoft's decision to put a restrictive, non-open-source license on the tool incorporating that code was. (The USB tool, which Microsoft made available on October 22, is designed to help netbook users upgrade from XP to Windows 7 in a more streamlined way.)

Page 27: OSS -  enterprise adoption strategy and governance

The OSS License Regimes

GPL Preamble: http://www.gnu.org/copyleft/gpl.html

Software Freedom Law Center Guide to GPL Compliance, 2nd Edition: http://www.softwarefreedom.org/resources/2014/SFLC-Guide_to_GPL_Compliance_2d_ed.html#gplv2

Page 28: OSS -  enterprise adoption strategy and governance

Lack of Controls on OSS components

Page 29: OSS -  enterprise adoption strategy and governance

Mixing Code is risky!

Page 30: OSS -  enterprise adoption strategy and governance

PART III

Strategy & Policies

Page 31: OSS -  enterprise adoption strategy and governance

OSS Management

Page 32: OSS -  enterprise adoption strategy and governance

Why do we need an OSS Policy ?

“While most software managers are aware of the legal risks (e.g., license compliance with commercial strategies and additional code used, monitoring the use of code, etc.) and the operational risks (e.g., compatibility requirements, maintenance and support, integration concerns, among others) of using open source, the benefits far outweigh these concerns. As such, creating an open source software policy is a key strategic imperative for organizations in the software industry.” - Greg Olson, Senior Director, Open Source Management Practice, Black Duck Software.

“Unaudited and unmanaged open source technology proliferates within an enterprise software portfolio and is hidden as a ticking time bomb that eventually results in technical failure that cannot be sufficiently addressed, security risks that can result in a significant loss of business value, and potential intellectual property (IP) risks that can result in legal action.” – Gartner

“Companies must have a policy for procuring OSS (Open Source Software), deciding which applications will be supported by OSS, and identifying the intellectual property risk or supportability risk associated with using OSS. Once a policy is in place, then there must be a governance process to enforce it.” – Laurie Wurster, Research Director, Gartner

Page 33: OSS -  enterprise adoption strategy and governance

How did OSS policy evolve globally?

Page 34: OSS -  enterprise adoption strategy and governance

Why did OSS policy trend the way it did?

Prior to 2001, there was almost no activity in policy related to open-source, which could be the result of a lack of maturity in open-source software development up until this point and/or difficulty in finding documentation of older open-source policies online. The first year in which we see a significant increase in open-source policies is 2002, followed by a sharp jump in 2003 (see Figure 2). Potential explanations for the marked surge in open-source policies in 2003 could include increased lobbying efforts by large multinational firms invested in open-source, the growth of anti-Americanism and the desire to be less reliant on American brands, and the development of strong viable open-source alternatives. Between 2006 and 2007, we see a second boost in open-source policies, which could be attributed to a reaction to the global release of a major closed-source software package, to avoid vendor lock-in. This reaction was likely driven in part by the desire of governments to avoid costly software renewal as well as unfavorable reception of the closed-source software package.

Source: Center for Strategic and International Studies, Whitepaper on Government Open Source Policies (March 2010)

Page 35: OSS -  enterprise adoption strategy and governance

OSS strategy statement & Steps for creating OSS Policy

OSS Strategy Statement – “Maximize the Return while Minimizing the Risks”

In order to align ourselves with the above strategy we need to evolve an OSS policy. The four steps for creating an effective OSS policy are:

Page 36: OSS -  enterprise adoption strategy and governance

The OSS Management action areas

Page 37: OSS -  enterprise adoption strategy and governance

Critical elements of an effective OSS policy

• Who will own the policy, conduct training, and review and update the policy, etc.? An Open Source Review Board?

• What are the evaluation criteria?

• Who approves what?

• Should provide guidance on procurement of OSS and of third-party components with embedded OSS.

• OSS inventory management: all modifications and uses tracked, all bug fixes shared. Archive all artifacts of OSS.

• Identify an owner for each OSS component to track security bugs and all support issues.

• License compliance for distributed software containing OSS and for network-delivered services using OSS components. Audit each release for total compliance.

• What kind of OSS participation is permitted or required?
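As an added example (not from the deck or from any tool it cites), the following Python script shows how the inventory, ownership and license-compliance elements listed above, together with the permissive-versus-copyleft distinction drawn on the legal-risk slide in Part II, can be turned into an automated release gate of the kind the deck calls "automated governance & compliance". The component names, versions, owners, license groupings and severity rules are all constructed assumptions for illustration; in practice the review board sets the policy, and the license groupings here are not legal advice for any real release.

```python
"""Added example: a minimal OSS inventory and license-compliance audit.

The inventory entries and the policy thresholds below are constructed for
illustration and are hypothetical, not any organization's real policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Hypothetical policy: SPDX-style license ids grouped by obligation type.
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-3.0-only"}
NETWORK_COPYLEFT = {"AGPL-3.0-only"}   # copyleft also triggered by network use
KNOWN = PERMISSIVE | WEAK_COPYLEFT | STRONG_COPYLEFT | NETWORK_COPYLEFT

# How the software reaches users; this decides which license obligations apply.
DISTRIBUTION_MODES = ("internal", "binary", "saas")


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str
    owner: Optional[str] = None   # person accountable for security bugs/support
    modified: bool = False        # local changes to the upstream code


@dataclass(frozen=True)
class Finding:
    component: str
    severity: str   # "block": release stops; "review": review board decides
    reason: str


def audit(components: List[Component], distribution: str) -> List[Finding]:
    """Check every inventory entry against the policy for one release mode."""
    if distribution not in DISTRIBUTION_MODES:
        raise ValueError(f"unknown distribution mode: {distribution}")
    findings: List[Finding] = []
    for c in components:
        # Every component needs an owner, whatever the license.
        if c.owner is None:
            findings.append(Finding(c.name, "review",
                "no owner assigned to track security bugs and support issues"))
        if c.license not in KNOWN:
            findings.append(Finding(c.name, "block",
                f"license '{c.license}' is not on the approved list; "
                "needs review board approval"))
        elif c.license in STRONG_COPYLEFT and distribution == "binary":
            findings.append(Finding(c.name, "block",
                "GPL component in distributed software: source-disclosure "
                "obligations and possible exposure of proprietary code linked with it"))
        elif c.license in NETWORK_COPYLEFT and distribution in ("binary", "saas"):
            findings.append(Finding(c.name, "block",
                "AGPL component: copyleft obligations also apply to "
                "network-delivered services"))
        elif c.license in WEAK_COPYLEFT and c.modified and distribution != "internal":
            findings.append(Finding(c.name, "review",
                "modified weak-copyleft component: the modifications must be "
                "shared under the same license when distributed"))
    return findings


def blocked_components(findings: List[Finding]) -> Set[str]:
    """Names of components carrying at least one blocking finding."""
    return {f.component for f in findings if f.severity == "block"}


def release_approved(findings: List[Finding]) -> bool:
    """A release passes the automated gate only with zero blocking findings."""
    return not blocked_components(findings)


# Constructed sample inventory (names, versions and owners are made up).
SAMPLE_INVENTORY = [
    Component("json-utils-demo", "1.4.2", "MIT", owner="alice"),
    Component("db-engine-demo", "3.0.1", "GPL-2.0-only", owner="bob"),
    Component("search-demo", "0.9.0", "AGPL-3.0-only"),                 # no owner
    Component("crypto-demo", "2.2.0", "LGPL-2.1-only", owner="carol", modified=True),
    Component("mystery-demo", "0.1.0", "Custom-EULA", owner="dave"),
]


if __name__ == "__main__":
    for mode in DISTRIBUTION_MODES:
        results = audit(SAMPLE_INVENTORY, mode)
        verdict = "APPROVED" if release_approved(results) else "BLOCKED"
        print(f"--- release mode: {mode} -> {verdict}")
        for f in results:
            print(f"  [{f.severity:6}] {f.component}: {f.reason}")
```

Run directly, the script prints the audit for each distribution mode; in a build pipeline `release_approved` would gate the release and the `review` findings would be routed to the review board. The distribution mode is the important design choice: the same inventory produces different findings for internal use, a network-delivered service and binary distribution, which is exactly the distinction the policy element above draws between distributed software and network-delivered services.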

Page 38: OSS -  enterprise adoption strategy and governance

The Discovery and Evaluation Step. (Further Details)

Page 39: OSS -  enterprise adoption strategy and governance

The Policy Builder Questionnaire.

Page 40: OSS -  enterprise adoption strategy and governance

Part IV

Governance

Page 41: OSS -  enterprise adoption strategy and governance

The Governance Gap

Gartner predicts that by 2014, "50% of Global 2000 organizations will experience technology, cost and security challenges due to a lack of open source governance," and through 2015, "less than 50% of IT organizations will have effective open source governance programs in place."

Page 42: OSS -  enterprise adoption strategy and governance

The Fallout

Free Software Foundation, Inc. v. Cisco Systems, Inc. – Dec 2008

A GPLv2 quagmire

V Verizon – GPL compliance issues.

Page 43: OSS -  enterprise adoption strategy and governance

Enabling Open Source Governance

Effective governance of open source can empower developers, increase innovation and improve competitiveness. For mid-to-large organizations with hundreds of developers working on multiple projects across geographies, better software can be delivered faster by automating, centrally managing and auditing the selection and use of open source components. It’s important to integrate enterprise-scale governance of open source across the entire application lifecycle. An effective governance regime will deliver the following results:

Page 44: OSS -  enterprise adoption strategy and governance

Tight coupling of automated governance process with application Lifecycle

Page 45: OSS -  enterprise adoption strategy and governance

Automated governance & Compliance

Page 46: OSS -  enterprise adoption strategy and governance

Acknowledgements

During research and preparation of this document I have freely gathered information from various whitepapers, surveys, articles and blogs available on the internet. I have mentioned the sources as and when they came up across the slides. Here is a brief, non-exhaustive list of such and other sources.

• COVERITY SCAN: 2013 OPEN SOURCE REPORT (Coverity Scan)

• Blackduck Software.

• Gartner Surveys

• Opensource.org, Gnu.org

• OpenLogic.com

• Linuxfoundation.org

• Optaros.com

• CIO.com
