There are more than 2500 known Open Source Software (OSS) licenses in existence. Licenses can be managed and complied with, only if the OSS packages/files governed by those licenses are identified in your products and services.
The consumption of OSS is so large, that most organizations can’t accurately identify how much of it is in their codebases. It is nearly impossible to manage OSS license compliance risk, if the OSS used in your organization isn’t identified.
License compliance (or non-compliance) will not impact how your software performs. That said, failure to comply with open source licenses can put your organization at significant risk of litigation, as well as compromise of IP.
A comprehensive OSS program can mitigate these risks by establishing a strategy that includes policies for use of open source. This will enable the company to leverage the benefits of open source, while restricting behaviors that expose the company to risk. Formal processes will enable developers to make informed decisions about OSS risk, empowering your organization to balance the business benefits with the right amount of risk management.
The precise solution for managing the levels of OSS risk will vary between organizations. At a high-level, you can manage risk from OSS usage in the following ways:
- Develop a formal OSS strategy, policy and process – this will empower your organization to balance the business benefits with the right amount of risk management
- Require third-party suppliers to disclose OSS usage
- Establish stakeholder training and education
OSS Engineering Consultants can help organizations of all sizes design, implement and manage OSS governance programs at scale. Contact us to learn more.