open source culture, standards, risks, and … 2018/ossf 2018 presentati… · •vendors do not...
TRANSCRIPT
![Page 2: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/2.jpg)
DisclaimerIANAL; //Iamnotalawyer;IANYL; //Iamnot_your_lawyer;
IANYP; //Iamnot_your_programmer;
Thepurposeoftoday’stalkistoprovideanintroductiontotheOpenSourceCompliance
Onlyyourlegalcounselcantellyouwhatyouneedtodo
![Page 4: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/4.jpg)
Topics
• Stateoftheindustry• ABriefHistoryofOpenSourceLicensing• OSSObligations• Whydoyouneedalicense?• OSSLicenseBasics• Distributionmodels• CommonMisunderstandings• BestPractices:HowareCompanies
HandlingToday?• Remediation• Q&A
![Page 5: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/5.jpg)
2018- EVERYINDUSTRYISSHIFTINGtowardOSS
5
A U T OM O B I L E H E A LT H C A R E I O T E D U C AT I O N
S A A S M E D I A C O N S UM E RG O O D S
T E L C O
![Page 6: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/6.jpg)
Thetechnologystackischangingquickly
6
PA C K A G E M A N A G E R S C O N TA I N E R S I O T L I N U X
![Page 7: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/7.jpg)
GNUBash• Potentiallyaffectshundredsof
millionsofcomputers,serversanddevices
• ShellshockcanbeusedtoremotelytakecontrolofalmostanysystemusingBash
• Typicalage:5yearsold(seen13years!)
LinuxGNUCLibrary(glibc)• Affectsalmostallmajor
Linuxdistributions
• MillionsofserversontheInternetcontainthisvulnerability
• Typicalage:3years
OpenSSL• 17%oftheInternet'ssecureweb
servers(500M)believedtobevulnerabletotheattack
• Allowedtheftoftheservers'privatekeys,users'sessioncookiesandpasswords
• Typicalage:3-4+yearsold
ApacheStruts2• RemoteCodeExecution(RCE)
vulnerabilityintheJakartaMultipartparser
• Allowsattackertoexecutemaliciouscommandsontheserverwhenuploadingfiles
• Exploitsarepubliclyavailable,simpletocarryout,andreliable
Heartbleed
CVE-2014-0160
Shellshock
CVE-2014-6271
Ghost
CVE-2015-0235 CVE-2017-5638
SoftwareVulnerabilitiesarebecomingwellknown
![Page 8: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/8.jpg)
THESOFTWARESUPPLYCHAINISBECOMINGMORECOMPLEX
8
PA R T N E R C O D E
O P E N S O U R C E
P R O J E C T S
YO U RC O D E
S U P P L I E R C O D E
S O F T W A R EP A C K A G E S C O N T A I N E R S
B U I L DD E P E N D E N C I E S
S O U R C EC O D E B I N A R I E S M U L T I M E D I A
F I L E S
C O P Y +P A S T E DS O U R C EC O D E
C O M M E R C I A LC O D E
![Page 9: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/9.jpg)
THESTATEOFCOMPLIANCEISPOOR
9
221236
252
454
560
2012 2013 2014 2015 2016
25 25 298
27
AVERAGEOSSDISCOVEREDBYFLEXERA’SAUDITTEAMS(FORTHESAMEPROJECTS)
AVERAGEOSSDISCLOSEDBYCUSTOMERS
Source:FlexeraProfessionalServicesAuditdata2012- 2017
PA C K A G E A N A LY S I S
D E P E N D E N C I E S
S U B C OM P O N E N T S
B I N A R I E S
M U LT I M E D I A F I L E S
C O P Y - PA S T E C O D E
IncreasingDep
thofA
nalysis
590
17
2017
![Page 10: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/10.jpg)
ABRIEFHISTORYOFOPENSOURCELICENSING
1940s-1980sCommercial,one-offandpublicdomaindominate1976USCopyrightActof1976198x“Freeware”andoneofflicenses1985X11/MITlicense1988firstGPLlicensesforEmacs/Bison/etc.1988BSDlicense1989GPLv11991GPLv2/LGPLv22002Affero GPLv12007GPLv3/LGPLv3/Affero GPLv3
![Page 11: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/11.jpg)
OPENSOURCE– OBLIGATIONSOpenSourceiscommonlyconfusedwith“Free”asinnocostsoftware
OpensourcemaybeFreeofCost,butisnotFreeofObligations
Commonreferredtoas“FreeasinSpeech,notFreeasinBeer”
OpenSourcelicenseshavealistofobligationsthatusersmustfollowinordertolegallyusetheopensourcelibraryunderthatlicense
TheactoffollowingtheseobligationsiscalledOSSComplianceorLicenseCompliance
YourComplianceactionsdependsonhowyouareusingtheseOSScomponents
MostlicenseshaveMultipleObligations
![Page 12: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/12.jpg)
COMMONLYSEENOBLIGATIONS
Obligation TypeofObligation Definition
ShareSource CopyleftakaViral Authorrequiresusertosharesourcecode
GiveCredit NoticeorAttribution NameofauthormustbereportedinAboutBox,Documentation,Website, etc…
SharePatents PatentClause Author requirespermissiontousepatentsorlicensepatentsinthisopensourceproject
Restrictuse Restrictwhocanusethiscode Restrictionon militaryuse,restrictiononnuclearfacilities,geography/countries,commercialuseetc..
Vanity/OneOffLicenses Givemefreebeer,sayaprayer,DoNoEvil
Requestsbytheauthortodosomesortofactionnottypicallyseenincontractsor licenses
Preserve Attribution Attribution Requires attribution/copyrightstobepreservedinthesourcecode
ProvideDisclaimer Disclaimer Explainthattheopensourceauthorisnotresponsiblefortheuseofthesoftware,evenifithasdefects
SupplyOriginal Licensetext
LicenseText Requirestextofentirelicensetobeprovidedtousers
CommercialTerms Payforuseofcode Classicsoftwarebusinessmodellicense
![Page 13: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/13.jpg)
OPENSOURCE– TWOCOMMONLICENSEPHILOSOPHIESCopyleft/Viral– Requiresreleaseofsourcecode(someorall)GeneralPublicLicense(GPL)– YoumustsupplyallsourceifyoulinkagainstGPLcodeanddistributetheproduct
LesserGeneralPublic(LGPL)– YoumustsupplysourcetolinkedlibraryifyoulinkagainstLGPLlicenselibrary
Affero GeneralPublicLicense(AGPL)– YoumustgivesourceawayifyouuseAGPLcodeandprovideNetworkAccesstotheproduct(specificsmaymurkydependingonwhoyoutalkto!)
Permissive– RequiresanoticeinAboutBox,documentation,sourcecode,NOTICEfile,etc..BSD
MIT
ApacheSoftwareLicense1.1ApacheSoftwareLicense2.0
![Page 14: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/14.jpg)
OPENSOURCE– OTHERLICENSETYPES
Vanity/OneOffLicenses
FreeBeerLicense
(e.g.Poul-HenningKampmalloc)
* "THE BEER-WARE LICENSE" (Revision 42): * <[email protected]> wrote this file. As long as you retain this notice you * can do whatever you want with this stuff. If we meet some day, and you think * this stuff is worth it, you can buy me a beer in return
Poul-Henning Kamp
GoodNotEvilterms
Theauthorrequiresyoutodo“Good”not“Evil”withtheirsoftware
(e.g.Json.org)
The Software shall be used for Good, not Evil.
![Page 15: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/15.jpg)
WHYDOYOUNEEDANOPENSOURCELICENSE?
Copyrightlaw(inmanyplaces)meansthatallsourceisexplicitlycopyrighttheoriginalauthorEVENifnotmarked
Youhavenorighttousesomeoneelse’scodewithoutpermission
OpenSource(andcommercial)licensesarethewayofgivingpermissiontousesourcecode
LackoflicenseshowslackofmaturityfortheOSSproject,oftenasignofotherproblems!
Itisnot OpenSourceifyoudon’thavealicense
![Page 16: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/16.jpg)
WHATDOESCOMPLIANCELOOKLIKE?
YouprovidecopyrightnoticesinyourAboutBox,Documentation,etc..YoupassalongLicensetexttoyourusersYouprovidethesourcecodeforGPL,LGPL,etc.modulesYoumarkchangesinsourcefilesYoupayrequiredPatentlicensingYoupayforcommerciallibrariesasneededYourespectwebserviceSLAsYoudothisforeveryrelease
![Page 17: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/17.jpg)
WHATDOESCOMPLIANCELOOKLIKE– LICENSENOTICES
![Page 18: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/18.jpg)
WHATDOESCOMPLIANCELOOKLIKE– SOURCEBUNDLES
![Page 19: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/19.jpg)
COMMONMISUNDERSTANDINGS
Justbecausecodeisavailable,thisdoesnotgiveyouanypermissiontouseit.
“FreelyAvailable”!=OpenSource
“PublicDomain”isdifferentthan“OpenSource”
YoustillhaveCompliancetasksevenifyoudon’tshipyourproduct(SaaSorinternaluse)
BeliefthatCommerciallylicensedcodehasnoOSSobligations
![Page 20: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/20.jpg)
MINIMIZATIONANDJAVASCRIPTMostorganizationsareminimizingtheirJavaScripttosavedownloadtime,speedupexecutionandobfuscatetheircode
Inmanycases,onlytheminifiedversionsofopensourceJavaScriptlibrariesarebeingcheckedintoSCM
Additionally,manyOSSpackageswillbeconcatenatedtogether.
Overminimizationishidingversioninfoandpreventshumansforidentifyingoldversions
Alwaysstoreoriginalsinun-minifiedform
![Page 21: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/21.jpg)
YOURDELIVERYMETHODAFFECTSOBLIGATIONSSaaSvsshippingproduct(e.g.adistribution)• MostOSSLicensesonlycomeintoeffectuponDistribution
EmbeddedLinuxvsApplicationrunningonLinux• AreyoushippingLinuxorareyourusersbringingtheirown?
Client/Serverpieces• Somepartshosted,somepartsdistributed
Mobileapplications• ClassicdistributionwithsomepossibleAppstore implications
Web/JavaScriptfrontends• TheJavascript,HTML,CSSsenttousersbrowsers
![Page 22: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/22.jpg)
YOURPRODUCTLIVESINADEEPSTACKOFOSSAND$
![Page 23: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/23.jpg)
FULLLINUXSTACKSHAVEMANYOWNERSThesoftwaredevelopmentteamisoftendifferentthanthereleaseteamtheputsaproductintoproductions.
Thingsoftenfallinthegapsbetweentheseteams.
Theyoftenhavedifferentmanagement,legalcontacts,understandingofOSSlicensing.
CompaniesmanyknowsomeOSSfromthereleaseteam(e.g.Linux,Apachehttpd,MySQL,etc..)orsomeOSSfromthesoftwareteam(zlib,openssl,etc..)butnotalwaysfromboth.
A“good”listforthereleaseteamisoftenconfusedfora“good”listfortheactualproduct.
LinuxdistributionsoftenleadtolonglistsofOSScomponentsbutnotalwaysaclearunderstandingofthecompany’sOSSchoicesintheproduct.
![Page 24: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/24.jpg)
LINUX:COMMONAREASOFCONCERN
•Linuxcanbecomplicatedandcontainmanymovingpieces
•ThebasefortheOSSoftencomesfromtheoutside
•WhileEverythingisrequiredtobedeclared,thisisoftenhard
•ComponentsthatMUSTbedeclared•LinuxKernel•Busybox•iptables /ipchains•U-boot•Multimedia&Codecs(e.g.ffmpeg,h264,etc..)
AdditionstoyourbaseOperatingSystem(e.g.RPMs,etc..)
ModificationstoDeviceDrivers
![Page 25: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/25.jpg)
COMMONAREASOFCONCERN
Whileitisbesttohavea“Full”accountingofallthirdpartysoftware,certaincomponentsmayhaveahigherprioritythanothers.
1) Linuxrelatedtechnologiesw/GPLlicensing2) Cryptographiccomponents– oftenhighlytargeted,andalso
havelegaltrackingrequirementsforexportanyway3) Compressioncomponents– similartocryptographyintermsof
usageandprogrammingtechniques.Oftenhighlytargeted.4) Multi-mediacomponents.Wildlyused,oftencontainscrypto
andcompressionroutinesthemselves.Patentconcerns5) ApplicationsPlatforms– widelyused,oftencontaincryptoand
compression,complex6) Databases– centraltoallsystems,complex
![Page 26: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/26.jpg)
QUESTIONSTOASKYOURDEVELOPMENTTEAMqDowehavealistoftheopensourceandcommerciallibrariesweareusing?
qHowdeephavewelooked?Howcompleteisthislist?
qWhatCryptography,Compression,MultimediaandApplicationServerlibrariesareweusing?
qDoesthislistsincludealllibrariesbroughtinthoughrepositorymanagerslikeMaven/RubyGems/npm,etc…?
qDowehavealistofallthewebserviceswedependon?(e.g.creditcardprocessors,stockpricelookup,etc…)
qWhatDatabasesareweusing?(includingsql,nosql,embedded,etc..)
qDoweshipVMsorApplicationstoourcustomers?WhatOS,OSScomponentsandsoftwarestackareweshipping?
qWhatisthe“FullStack”requiredtorunourproduct– includingtheOSS,DB,etc…?
qDowehavea“DisclosureList”fromourcommercialvendors
![Page 27: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/27.jpg)
CommercialComplianceIssues
![Page 28: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/28.jpg)
COMMERCIALCOMPONENTSCOMPLIANCEISSUES
Commercialcomponentsarenotoftenwellmarked,oftenmovearoundGetalistofknowncommercialcomponents/checknames/paths
CommercialcomponentsoftencontainlargeamountsofundeclaredOSScodeAllcommercialcomponentsshouldcomewithadisclosurelistofOSSthatitusesPushforsuchalistincontractsandviaemaildiscussionsw/avendorIt’susuallynotyourjobtoperformafullreview butyoumayhavetoFind1-5undeclaredOSScomponentsto“forcetheissue”asneeded•Zlib /libpng /openssl /glibc /ffmpeg areallgoodcandidatesforeasydiscoveredundisclosedOSScomponents
![Page 29: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/29.jpg)
SUPPLIERSCODEANDSDKSCOMPLIANCEISSUES
•YoumayalsoreceivesourcecodefromCommercialcompanies
•Vendorsdonotalwaysmarkcodeasclearlyastheyshould
•GPLcodewillberightnexttoCommercialorGPL/Commercialcode
•OftenopensourcecodeisNOTmarkedanditslicensingisunclear
•KnowyourcontactpersonandhaveaprocessforloggingIPbugsorQuestions
•DevelopersoftengetconfusedaboutwhetherthiscodeiscommerciallyorGPLlicensed
![Page 30: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/30.jpg)
DEALINGWITHCOMMERCIALCOMPONENTS• Binaryanalysisisoftenneeded
• Thesupplierscodemaybeinaspecialformat(encrypted,strippedofsymbols,compressed,etc…)seeifyoucangetanunmodifiedfilefrombeforethesemodificationswereperformed
• Pushforanindependentoutsidereviewasneeded
• Setacontractualstandardfordisclosurelevels
• UnderstandthatLinuxOSfullsystemcomplianceisdifficultandtheuseof“ALL”incontractlanguagemaybedifficulttoenforce
![Page 31: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/31.jpg)
SaaSComplianceIssues
![Page 32: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/32.jpg)
WHAT’SDIFFERENTABOUTSAAS?Traditionallysoftwareisdistributedtoendusersthroughphysicalmeans(viaCD,embeddeddevice,download,etc…)
Classicopensourceandcommerciallicenseswerewrittenwiththisinmind.
Manyopensourcelicensesonlycomeintoeffectwithaclassicdistribution(esp.manypeople’sconcerntheGPL)Thisissometimesknownasthe“ASPloophole”
SaaSprojectsarenotdistributedintheclassicwaybutinsteadrunonanetworkserver
Userscometothesoftwareinsteadofthesoftwarecomingtotheusers.
![Page 33: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/33.jpg)
WHAT’SDIFFERENTABOUTSAAS?(CONT.)
BecauseoftheperceivedreducedcomplianceneedsaroundtheGPLmanycompaniesstoppedorreducedurgencyintrackingOSSlicensingforSaaSprojects.
LittleornocreditwasbeinggivingtotheOSSbackbonesofpopularSaaSproductsandchangeswerenotbeingpassedbacktothecommunity.
ThisleadtoconcernintheOSScommunityabout“FreeRiders”
MembersoftheOSSCommunityrespondedwiththeAffero GeneralPublicLicense(AGPL)in2002andupdateditin2007.
![Page 34: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/34.jpg)
WHATISTHEAFFERO GPL/AGPL?
TheAGPLwasdesignedtoclosetheASPloopholebytreatingnetworkaccessassimilartoadistribution.
Thebasicintentistorequiresourcecodefortheentireapplicationtobeofferedtotheendusers.
![Page 35: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/35.jpg)
COMMONAGPL-STYLELIBRARIES
ThemostcommonAGPLstylelibrariesweseeare:• iText PDFgenerationlibrary(duallicensedAGPLorcommercial)
• MongoDB (DuallicenseAGPLw/exceptionorCommercial)• BerkeleyDB/Sleepycat (nowAGPLorCommercial)• Funambol (AGPLorCommercial)• Ghostscript (nowAGPLorCommercial)• Noe4J(GPLv3/AGPLorcommercial)• Magento (OSL– similartotheAGPL)
Manyoftheseareduallicensedwithcommercialoptions.
![Page 36: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/36.jpg)
SAAS COMPLIANCE– TOPCONCERNSUntrackedLibrarieswithVulnerabilities– oldversionsofOSSlibraries
TheAGPListheclassicOSSconcernforSaaSvendors
OtherAGPLlikelicensesinclude:• CommonPublicAttributionLicense
http://en.wikipedia.org/wiki/Common_Public_Attribution_License• OpenSoftwareLicense
http://en.wikipedia.org/wiki/Open_Software_License
Otherlicensesthatrequirereviewandcomplianceinclude:• Commerciallylicensedlibrariesandtools• Componentsmarked“NotForCommercialUse”• Componentswithrestrictionsontypesofuse(e.g.nomilitary
use)• Licensesbasedonuse,notjustdistribution• Webattributionlicenses(e.g.putalinkonyourhomepage)• ComponentswithUnknownlicenseterms
![Page 37: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/37.jpg)
OTHERSAAS COMPLIANCEISSUESImages,Icons,FontsandSounds
Peopleareverygoodatrecognizingthesetypesofresourcesandtheirhistoryoftengetsconfusedbythedevelopers
Javascript andCSSOftentreatedasadistributionwithalltheclassiccompliance
requirements
PatentLicensesCertaintechnologieslikeMPEGorothercodecsmayrequire
licensefeesevenifopensourcelibrariesareprovidingthefunctionality
PrivateInstallationsCertainlargecustomersmayrequireprivateinstalls.Theseareaclassicdistribution
![Page 38: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/38.jpg)
CONTAINER/PRIVATECLOUD/PUBLICCLOUDISSUES
Businessmodelschange,sometimesovernight.
“Everyone”isaSaaS-onlycompanyuntiltheygetatleastoneverylargecompanywhowantsaprivatelyhostedversion
SaaSprojectsoftenhavemanymoreGPLdependenciesthanaclassicapplicationandarehardtorefactororfixwhengoing“Private”andtryingtocomplywithDistribution-styleobligations
ThetimescalesforreviewingOSSdependencesisoftenveryshort,salesteamdriven,notdevelopmentteamdriven.
![Page 39: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/39.jpg)
Wefoundthingsweshouldn’tbeusing;Nowwhat?
![Page 40: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/40.jpg)
HOWARECOMPANIESHANDLINGTODAY?
Option1:Removeandrewrite/getnewOSS
Acompanymayremovetherejectedcodeandrewrite/re-implementthefeaturewithnewcode
VerycommonduringM&Aandforriskadverseorgs
Risks/Drawbacks:Timerequireforrewrite“Dirty-room”re-implementationsNewcode’slicensemaybenobetter
![Page 41: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/41.jpg)
HOWARECOMPANIESHANDLINGTODAY?
Option2:ContactAuthorandaskforlicense
Acompanymaytrytocontacttheauthorandask/suggestanacceptablelicense(commonlyMIT/BSD)Sometimesthroughanintermediary(outsidelegal)
Risks/Drawbacks:AuthorisnowawareofuseAuthormaydesirestrongerlicensethanyouAuthormayrequireCommerciallicenseThelicenseislongerthanthecode!
![Page 42: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/42.jpg)
HOWARECOMPANIESHANDLINGTODAY?
Option3:WaitandSee
Acompanymaydecidetodonothing,shipsoftwareandseeifproblemsoccur
Commonforoldcode&risktolerantorgs
Risks/Drawbacks:CopyrightinfringementLicenseproblemifforcedtocomplyCan’tproperlydiscloseOSSlicenses
![Page 43: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/43.jpg)
PICKINGALTERNATIVESTOREJECTEDOSSLIBRARIES•InmanycasesGPLv2orGPLv3librariesareappropriateandexpected(especiallylowerinthestack)
•IfyouexpecttokeepyoursourceclosedyouwillmorelikelyberequiredtoremoveGPLlicensedcodeiffoundintheseclosedareas
•PickinganappropriateAlternativelibraryhascertainconsiderations•Youdevelopmentteamislikelythebestteamtopickanalternative
•Legalshouldspecifyallowedlicenses(e.g.MIT/BSD/Apache/Commercial)
•Legalshouldspecifyforbiddenlicenses(e.g.GPL/Affero/CC-SA)
•IfanopensourceprojectcanNOTbefound,a“build”decisionismade
•Projectswillsometimes(rarely)providecommercialre-licensingofGPLcode
•Donotletyourteamtryto“relicense”theprojectwithoutpermission
![Page 44: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/44.jpg)
WHATISSOFTWARECOMPOSITIONANALYSIS?
Securityrisk- VulnerableOSSComponents
IPrisk- NoncompliancewithOSSobligations
Reputation
44
Today,developersareleveragingmorethan50%ofopensourcesoftware(OSS)intheirproprietaryapplicationstospeeduptimetomarketanddriveinnovation.
![Page 45: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/45.jpg)
BEGINBYESTABLISHINGAPROCESSFORSCA
©2018Flexera|CompanyConfidential
![Page 46: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/46.jpg)
CREATEAPROCESSTHATWORKSFORYOURCOMPANY
![Page 47: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/47.jpg)
HOWMATUREISYOURSCAPROCESS?
![Page 48: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/48.jpg)
87% 41% 49%
FLEXERAOSSAUDITTEAM
NoDisclosures M&AAudits BaselineAudits
Priority1Issueseg.GPL,APGL
16% 11%Priority2Issueseg.commercial,unknown
![Page 49: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/49.jpg)
FLEXERASURVEYSTHEINDUSTRY
49
IncreasingOpenSourceusageandlackofOpenSourcegovernance
![Page 50: OPEN SOURCE CULTURE, STANDARDS, RISKS, AND … 2018/OSSF 2018 Presentati… · •Vendors do not always mark code as clearly as they should •GPL code will be right next to Commercial](https://reader036.vdocuments.us/reader036/viewer/2022070808/5f0756fe7e708231d41c7f4d/html5/thumbnails/50.jpg)
SETTINGSTANDARDS
Questionstoaskyourteams
“AreweusingthelatestversionofApacheStruts2?”
Whatifacustomersaid“OurITdeptrefusestodeployanyapplicationswithOpenSSL”?
“ArewevulnerabletothatCVEinthenews?”