Tooling for Open Source Software Compliance is necessary

How much overhead does your manual Open Source Compliance generate?

Open Source software is software that is made available to the general public by its authors in source code. Frequently, the software is not in the foreground for the authors as a product but as a means to an end, and in development projects the synergy effects of public cooperation can outweigh the costs. However, the cooperation is usually subject to conditions. Which ones these are, is up to the authors, who place their source code under Open Source license conditions.

Especially the Open Source Initiative and the Free Software Foundation contribute significantly to standardizing these conditions in the form of licenses. These licenses can, among other things, require the disclosure of the source code or a naming of the components and their authors. Creating a reliable, secure basis for the use of Open Source is the elementary challenge of Open Source license compliance.

Source: Bitkom Open Source Monitor, published Feb 2020

To be able to use the chances of Open Source Software means to use the source code according to the license conditions and to fulfil the obligations associated with the software. License declarations often differ from each other in form and content several times even within the same OSS project. In order to get these complex issues under control, initiatives such as the OpenChain Project are establishing organisational guidelines. Without technical aids, however, it is often not possible to maintain an overview and meet all requirements due to the thousands of components that are quickly involved.

Integrated Compliance Toolchains

The exchange of information between development teams, compliance offices and software recipients is another challenge of Open Source Compliance. Today, software is in many cases a changing product. For example, a contracted software development or a supplier may integrate new components at different points in time. In the short term, these new software components should be communicable to the recipients of the software and any licensing issues should be addressed before essential parts of the development are based on them.

The search for illegally used, incorrectly declared or copied code passages in your own or supplied software makes it clear how necessary technical aids are in the creation and evaluation of a reliable data basis.

‚Off the Shelf‘ or Open Source Compliance Tools?

One of the strengths of Open Source is the collaborative solution of challenges - this approach is increasingly being pursued with regard to the compliance of Open Source itself. Some Open Source projects deal with tool development and knowledge creation of OSS compliance, as well as the establishment of processes. These building blocks are the foundation of the ecosystem. In addition, service providers offer specialized tools with a wide range of functions and tailored services.

For the custom-fit establishment of Open Source Compliance in companies, a middle course between Open Source and proprietary services is often sensible. For example, work steps in the identifying phases - such as resolving software dependencies or detecting license declarations - are well supported by Open Source. They embed themselves seamlessly into development processes. Forensic work steps such as snippet and security vulnerability scanning of own or supplied artefacts dominate the proprietary market. Afterall, qualitative considerations such as the maturity level, scope, cost and available support of a solution, as well as strategic factors such as data ownership, confidentiality and scalability can also be included in the decision.

Thus, various criteria can be used to weigh up whether a proprietary service provider, an Open Source service provider or self-tailored OSS applications are the best solution for your company in economic, technical and legal terms.

PwC accompanies you from conception to certification

The team of OSS experts at PwC supports you from interdisciplinary planning to the implementation of your tailor-made Open Source Compliance process. We advise you on aspects of the legal framework, structural requirements and technical implementation, as well as on the individual selection of tools, solutions and possible service providers.

Finally, the PwC certification according to OpenChain, can be the seal of approval of a successful Open Source Compliance Management System for you and your products. In this way, you create trust among your customers in the proper use of Open Source software in your products and services.