Open-source software brings immense value to nearly every industry. However, many companies are unaware of their legal obligations associated with its use. Often this stems from a lack of awareness regarding the extent of open source that is used within an organization’s products and services. Identifying open-source software packages in use, sometimes in the dozens or even hundreds, can be a significant challenge.
Using software outside its licensing constraints and obligations can expose a company to legal ramifications, financial penalties, and reputational damage. While this short blog can’t delve into every detail, by following these fundamental steps you’ll be well on your way to ensuring basic software license compliance.
1. Understand Licensing
As you embark on your compliance journey, it’s important to understand the basics of the software license landscape. Some of the licenses you might encounter include GPL, BSD, LGPL, MIT, Apache, and Creative Commons. However there are many more and it’s worth noting that even licenses bearing the same name can vary significantly between versions.
While you don’t need to grasp the legalese of every license, it’s essential to understand the fundamentals that set them apart. These are the terms that pertain to how software can be legally used, distributed, modified, and shared. Other differences relate to areas such as potential patents, trademarks, and sublicensing. Don’t forget purchased software – proprietary licenses also have their own set of unique terms, which can often include use of open-source.
2. Assess Inventory
Begin by conducting a thorough software audit across your organization. This should include software used within your IT infrastructure as well as that integrated into your products and services. Your starting point should be documenting software titles, versions, licenses, and deployment locations. Software lifecycle information is often important for ongoing license compliance to determine how each software component was obtained, how it’s maintained or updated, and if it might be deprecated or decommissioned. Once you’ve built a reasonably complete software inventory, prioritize based on license type, utilization, and criticality to address key areas of concern first.
Lack the tools, or not sure where to start? Contact us to see if you are eligible for a free, high-level scan that can help you get started. Need more than that? We offer a full scanning and audit service that quickly scans your code base, manages inventory, determines license compliance needs, and generates a software bill of materials (SBOM).
3. Review Agreements
With your software inventory in hand, it’s time to carefully review the commercial license agreements associated with each software product. This process will identify any usage restrictions, installation limitations, or other specific requirements that could impact your business. Ensure your legal team is involved in this, as well as representatives from the engineering side. The aim is to ensure that you understand the terms and conditions of use, including any obligations related to updates, support, maintenance or distribution, and start tracking any obligations that must be met to achieve compliance.
4. Audit and Correct
Once you have a clear understanding of your commercial licensing obligations, the next step is to assess your compliance with open-source licensing. An audit will help you determine where you’re already compliant and, crucially, where gaps exist. Addressing any non-compliant open-source software use is priority one. This might sound straightforward, but in practice, can be quite challenging. However, once completed, you’ll have significantly mitigated your non-compliance exposure. Congratulations!
5. Establish Processes
Achieving compliance is a monumental task, but remember, the journey doesn’t end with step four. Just as software needs maintenance, software license compliance requires ongoing vigilance. The audit and related license corrections were just the beginning – now it’s time to develop robust software license management practices.
Begin by creating a centralized repository for compliance documentation. Introduce procedures for tracking use of open source in products, including license and compliance obligations. Regularly review and update this repository to ensure it remains accurate and up to date over time.
6. Consider Tools
Integrating Software Composition Analysis (SCA) tooling and process should be a key part of your software management and strategy. These tools can automatically examine your code base (or help to flag the open-source parts even those pulled in as a code snippets) during the analysis process and report on issues, missing attributions or the licenses found/required, allowing you to manage your compliance risk more easily. SCA tooling helps ensure you have an accurate view of your software inventory even as it evolves through updates and improvements. While no tool can automate the entire job, they can help remove some of the more tedious aspects of the work. The benefits are streamlined compliance efforts, a repeatable and regular process, and less hassle keeping your open-source license compliance up to date along with the issues discovered and addressed as part of the remediation activities.
7. Educate Employees
Sustained licensing compliance hinges on an educated team. Engineers need training on licensing policies, restrictions, and best practices. Don’t aim to make everyone an expert, but establishing a culture of compliance is important. Having a “compliance-positive” attitude can help employees spot problems in licensing misalignment and unintentional violations.
8. Monitor and Update
Maintaining software license compliance is an ongoing process. It demands regular monitoring of your software inventory and timely license information updates. Part of this includes a routine internal audit to validate your licensing process is working properly. But don’t forget to look externally. Keep up with changes in the licensing landscape by subscribing to relevant newsletters, attending industry software conferences, and reading resources like this blog. And ensure your software suppliers update you when they update or modify their use of open source and corresponding licensing terms.
Not sure if this is something your organization can take on? Our OSPO-as-a-Service provides an ousourced, ready-to-implement solution tailored to meet your organization’s open source compliance needs.
Closing Thoughts
In today’s digital age, businesses are completely reliant on software, and as a result, maintaining software license compliance is now a part of doing business. While following the steps outlined above can help you achieve compliance and keep it that way, the details underpinning each step can be daunting, leading many to seek guidance from licensing compliance experts. These specialists can intelligently assess your software compliance risks and quickly mitigate them while helping your organization to build enduring processes, tooling, and a culture rooted in compliance.