
Unmanaged Open Source Software Creates Risks

March 01, 2017

The technology world is rapidly moving away from proprietary, legacy software development toward the open source model, driven by the cloud, the trend toward services and subscription-based pricing, and a need for interoperability. But open source does not equal free, and in fact the whole notion of open source software (OSS) and development is somewhat cloudy and confusing.

A prime example of this confusion is Oracle’s recent move to enforce commercial terms for customers who were under the impression they were using free Java software. A recent blog post from Flexera Software, a company specializing in software licensing and monetization strategies for the digital age, discusses why the open source concept is so confusing and how the problem can be addressed. According to Jeff Luszcz, VP of product management at Flexera, many customers using Java believe the software is free, a misconception.

“The confusion lies with Java Standard Edition, available for download from Oracle’s website,” writes Luszcz. “If you only want to write a Java application, feel ‘free.’ The problem arises if you install that application on hundreds of desktops, requiring Microsoft Windows Installer Enterprise JRE Installer – which is NOT free to use… And it does not stop there. There are additional parts and editions of Java that are not free either.”

The Oracle Java confusion is merely one example of open source murkiness, but points to the larger problem of unmanaged OSS. Very simply, when an open source component is built into a commercial software product but unmanaged, it runs the risk of violating the open source license at a minimum, and containing a security vulnerability or risk in the worst-case scenario. And the sheer amount of unmanaged OSS in use today is threatening the integrity of the entire software supply chain.

The solution is proper tracking, management and monitoring of OSS and third-party components. Since just about every open source component comes with a license or some sort of governance, businesses are obligated to ensure they are meeting usage requirements and need a software licensing management offering to stay on top of this. OSS license compliance management education must also be part of any IT and technology strategy, and senior managers need to be informed about license compliance requirements along with the need for security and other updates.

Some companies are forming Open Source Review Boards (OSRBs) comprised of technical, legal, IT and management personnel, to address OSS compliance requirements and security. A Software Composition Analysis tool is also useful for discovering and managing OSS and third-party components in use. This type of solution can also automate and manage the process of vulnerability alerting.
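To make concrete what a Software Composition Analysis check does, here is an added illustration (not code from the article, from Flexera, or from any real SCA product): it reads a component inventory, compares each component's license against a review board's policy, and flags components whose version falls below the first fixed version in an advisory list. The inventory, the license policy and the advisories are all constructed for this example; the component names and versions are invented and the advisories are not real CVEs.

```python
"""Minimal Software Composition Analysis (SCA) style check.

Constructed example: a dependency inventory of the kind a build manifest
or SBOM would provide, a license policy, and a small advisory list.
All names, versions, licenses and advisories below are made up.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


# Licenses a hypothetical Open Source Review Board has approved for use in
# commercial products, and licenses that must go to legal review first.
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}
REVIEW_REQUIRED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}

# Constructed advisories: component name -> first version that fixes the issue.
ADVISORIES = {
    "example-json": "2.4.1",
    "example-xml": "1.9.0",
}

# Constructed inventory in a simple "name==version  license" format.
INVENTORY_TEXT = """\
# name==version  license
example-json==2.3.0  MIT
example-xml==1.9.0  Apache-2.0
example-crypto==0.8.2  GPL-3.0-only
example-util==4.1.0  Unknown-License
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_inventory(text: str) -> List[Component]:
    """Parse the inventory format above, skipping blanks and '#' comments."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        spec, license_id = line.split()
        name, version = spec.split("==")
        components.append(Component(name, version, license_id))
    return components


def license_findings(components: List[Component]) -> List[Tuple[str, str]]:
    """Return (component, finding) for every license that is not pre-approved.

    A license the board has never seen is treated as a finding too: an
    unknown license is an unmanaged obligation, not a free pass.
    """
    findings = []
    for c in components:
        if c.license in APPROVED_LICENSES:
            continue
        if c.license in REVIEW_REQUIRED_LICENSES:
            findings.append((c.name, "review-required"))
        else:
            findings.append((c.name, "unknown-license"))
    return findings


def vulnerability_findings(components: List[Component]) -> List[Tuple[str, str, str]]:
    """Return (component, installed, first_fixed) for versions below the fix.

    A component already at or above the fixed version is not reported.
    """
    findings = []
    for c in components:
        fixed = ADVISORIES.get(c.name)
        if fixed and parse_version(c.version) < parse_version(fixed):
            findings.append((c.name, c.version, fixed))
    return findings


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY_TEXT)
    for name, finding in license_findings(inventory):
        print(f"LICENSE  {name}: {finding}")
    for name, installed, fixed in vulnerability_findings(inventory):
        print(f"VULN     {name} {installed} (fixed in {fixed})")
```

Run as a script, the check reports the GPL component for legal review, the component with an unrecognised license, and the JSON library that sits below its fixed version; the XML library, already at the fixed version, is correctly left alone. A real SCA tool does the same two things at scale, with a real license database and a live advisory feed in place of the constructed tables.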

OSS software is not always free, as the Oracle Java conundrum illustrates, and it is most definitely not free of obligation. Businesses using OSS and third-party components are responsible for staying on top of licensing compliance requirements in order for the software model to succeed. Failure to do so can lead to security vulnerabilities and fraud, putting businesses at risk and negating all the financial benefits of using OSS in the first place.

Edited by Maurice Nagle