
Shifting compliance left: Helping legal teams and developers cooperate around licensing issues

Written by:
Rachel Cheyfitz


October 3, 2019

We are excited to share that we now support customized license instructions, helping the teams in your organization collaborate better together on licensing compliance: legal teams can better equip developers to shift compliance left by customizing license policies with clear instructions, and developers can then more easily integrate software license analysis as part of their routine workflow.

Open-source licensing tells a complicated story. We’d like to treat licenses like binary functions, crossing our fingers that the value is always True — “you are allowed to use this package”. However, the reality, as always, is different.

Licenses are documents containing legally binding text; as such, they might be in any format and they can state any terms they want. You can read more about licenses here. Bottom line, though: in open source, a licensed package can usually be used, but under certain restrictions, such as giving credit to the owners of the package you’re using (for example, by including a notice) or observing limits on commercial use. At Snyk, we believe that all of this information (when this license can be used, what to do when using it and, of course, why, since it is always better to understand) should be brought to the developer as early as possible: shift left! This is exactly what our new “Legal License Instructions” feature enables you to do.

This exciting feature comes as a new addition to our expanding license compliance offering, on top of the already existing ability to manually configure license severities. Now, legal teams are even more empowered to recruit their teams’ developers in taking responsibility for compliance.

Customize license policies with clear explanations for your developers

Snyk helps you outline your license policies with customized instructions that explain to your developers how each issue should be handled, based on your organization’s own decisions and policies. As with security, it is the developer, not the legal team, who chooses the packages, understands how they are used and handles the licensing accordingly. This can only be done well, however, by collaborating with the legal team, who can help developers understand the company’s policy as well as the specific licenses of the packages they need for their projects.

We suggest using this new option to convey clear actionable instructions, for example: “This license is suitable for every product our company has, so go ahead and use it. Please make sure to add the license information to our About page, as proper credit is required.”

More easily recruit your developers to collaborate on license management

Once you’ve added instructions, they are clearly displayed per license directly from our UI and from our CLI tool whenever a license issue is identified. With clear instructions per license, developers can bake license compliance into their regular workflows more easily and support the legal requirements for your organization.
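
The following is an added illustration of the idea in this section and the previous one, not Snyk’s code and not the Snyk CLI’s output format: a small, hypothetical CI gate in which legal defines, per license, a severity and a plain-language instruction, and a build step evaluates each dependency’s declared SPDX license expression against that policy and prints the instruction next to the finding. The policy, the package names and the manifest are all constructed for the example. It also covers two cases the prose does not spell out: dual-licensed packages (an OR expression is taken under its least restrictive option, since the consumer may choose) and licenses the policy does not recognise, which are deliberately escalated for legal review rather than silently allowed.

```python
"""Toy license-policy gate (added example; hypothetical, not Snyk's code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed policy for a hypothetical organisation: license -> (severity, instruction).
POLICY: Dict[str, Tuple[str, str]] = {
    "MIT": ("low", "Suitable for every product. Add the notice to the About page; credit is required."),
    "Apache-2.0": ("low", "Suitable for every product. Ship the NOTICE file contents with the distribution."),
    "LGPL-2.1-only": ("medium", "Allowed only as a dynamically linked library. Ask legal before static linking."),
    "GPL-3.0-only": ("high", "Not allowed in shipped products. Replace the package or contact legal."),
}
# Anything the policy cannot classify is the most restrictive outcome, never a silent pass.
UNKNOWN = ("high", "License could not be classified; open a ticket with legal before merging.")
RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    package: str
    expression: str   # SPDX expression declared by the package
    resolved: str     # the license (or expression) the decision was based on
    severity: str
    instruction: str


def _lookup(identifier: str) -> Tuple[str, str, str]:
    """Return (resolved_id, severity, instruction) for a single SPDX identifier."""
    if identifier in POLICY:
        severity, instruction = POLICY[identifier]
        return identifier, severity, instruction
    return identifier, UNKNOWN[0], UNKNOWN[1]


def evaluate_expression(expr: str) -> Tuple[str, str, str]:
    """Evaluate a flat SPDX expression ("A", "A OR B", "A AND B") against POLICY.

    OR: the consumer may pick a license, so the least severe option applies.
    AND: every term binds, so the most severe option applies.
    Parenthesised or mixed OR/AND expressions are handed to a human (UNKNOWN).
    """
    tokens = re.split(r"\s+(OR|AND)\s+", expr.strip())
    identifiers, operators = tokens[0::2], set(tokens[1::2])
    if "(" in expr or len(operators) > 1:
        return expr, UNKNOWN[0], UNKNOWN[1]
    options = [_lookup(i) for i in identifiers]
    if operators == {"OR"}:
        return min(options, key=lambda o: RANK[o[1]])
    return max(options, key=lambda o: RANK[o[1]])


def scan(manifest: Dict[str, str], fail_on: str = "high") -> Tuple[List[Finding], bool]:
    """Evaluate every dependency; return (findings, build_passes)."""
    findings = []
    for package, expr in sorted(manifest.items()):
        resolved, severity, instruction = evaluate_expression(expr)
        findings.append(Finding(package, expr, resolved, severity, instruction))
    blocked = any(RANK[f.severity] >= RANK[fail_on] for f in findings)
    return findings, not blocked


def report(findings: List[Finding]) -> None:
    """Print each finding with the legal instruction beside it, as a CLI would."""
    for f in findings:
        print(f"{f.severity.upper():6} {f.package} [{f.expression}] -> {f.instruction}")


# Constructed manifest: package -> declared SPDX license expression.
MANIFEST = {
    "left-pad": "MIT",
    "dual-licensed-lib": "GPL-3.0-only OR MIT",
    "netlib": "LGPL-2.1-only AND MIT",
    "mystery-pkg": "SEE LICENSE IN README",
    "copyleft-tool": "GPL-3.0-only",
}

if __name__ == "__main__":
    results, ok = scan(MANIFEST)
    report(results)
    raise SystemExit(0 if ok else 1)
```

Run as a script, it exits non-zero because two constructed packages resolve to a high-severity license, which is what makes the instruction actionable in CI; the `fail_on` threshold is the knob a legal team would tune, while the instruction text is what the developer actually reads.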

Snyk empowers developers to take ownership of license compliance for their code

This is an important addition to Snyk’s license compliance features: it lets you customize your license policies and more easily guide your developers to take the necessary steps to protect your organization under the relevant set of policies. Our license compliance features are embedded throughout the SDLC so that developers can consume this data without changing their current workflow, and as early as possible. We will continue to improve this feature as we go forward. Stay tuned for our coming updates!

Getting started

Add legal instructions now by visiting our Settings page for the specific organization, or read more about it in our docs.

Stay compliant!
