Defining a secure open source policy
Open source policy defined
an open source software policy defines acceptable use cases for using and distributing open source software within your business or project.
What is an open source policy?
Today’s organizations face intense pressure to be more efficient and agile at scale so they can remain viable in an increasingly competitive marketplace. To enhance productivity and maximize market growth, developers must share and leverage open source digital assets, information technology, and a massive amount of infrastructure software.
Having an open source software policy reduces developer guesswork and fuels an organization's digital transformation. Most importantly, an open source usage policy empowers developers to choose the right tools, and inspires them to embrace open source code.
Open source policies are important in organizations:
when they’re consuming open source software
when they’re using open source code in their products
when they’re contributing to open source projects
when they’re using open source code to build internal tools
The Importance of a well-defined open source policy
Open source policy management practices maximize the impact and benefit of open source code. This helps to ensure that legal and technical risks resulting from the deployment of open source software, and the open-sourcing of company intellectual property rights, are properly understood and mitigated in advance.
Why do you need an open source policy?
A well-defined open source policy should include policy examples for developers so they understand:
what constitutes acceptable practices when it comes to using open source
when it's permissable to release company code and tools as open source
Knowing what are, and what are not, acceptable use cases is paramount to successful open source policy management.
Minimizing risks and maximizing efficiency
Embracing the freedom, flexibility and communities associated with open source goes a long way to building a positive workplace experience for developers. However, these benefits might not be as important to an organization's legal team. Staff attorneys want an open source software policy that creates license compliance, prevents lawsuits, and helps the organization avoid bad press and community backlash over misuse or misappropriation of code and tools. Stakeholders should understand the types of open source license agreements – including the contributor license agreement – as they create an open source usage policy.
What should be included in an open source usage policy?
Open source policy management practices should document how open source software is reviewed and who can approve it before an organization uses it.
If your organization contributes to open source projects, it’s also crucial to include policies that protect the company’s intellectual property and minimize other risks. This improves developer productivity and morale by allowing them to get involved in the open source community.
Additionally, the open source usage policy should identify the team responsible for fixing issues and notifying relevant stakeholders. There should also be a designated owner and maintainer of the policy, so it can adapt as the company scales and builds business relationships and partners.
Steps to building your open source policy
Here are two key steps for building an open source policy:
Perhaps the biggest and most important step is to first obtain a commitment from the organization. Having backing from key stakeholders will go a long way toward adopting a plan, and sticking to the open source police management plan, even as it evolves.
Once this initial step is completed, then a draft policy can begin to be created with various tradeoffs that must be resolved. Create simple and broad rules instead of complex ones while remaining cognizant of the battle between controlling risk versus enhancing developer productivity.
Key stakeholders for building an open source policy
There should be important stakeholders contributing to open source policy management in an organization. Contributors to the formation and evolution of this open source software policy might include software engineers, developers, software architects, product and business managers, and quality assurance personnel. Let's not forget an organization's legal counsel, as well as security stakeholders who oversee the ins and outs of allowing software to enter and exit the organization.
License compliance as part of an open source policy
Just like any other license, it is critical that organizations adhere to the terms of open source licenses to reduce any exposure to risk. Again, this is a critical element of an organization's open source software policy. To do this, there must be frequent auditing to verify that no undocumented or misdocumented open source software is included in an organization's software releases.
Adopting a code scan policy
Software suppliers should be required to report each OSS element embedded in their deliverables, any modifications, and known security risks. An organization should also adopt a code scan policy, perhaps with Snyk Open Source, to verify software is secure and compliant with open source licenses. License compliance terms should also be included so the organization knows whether dual licenses are acceptable, as well as to weed out unacceptable licenses.
Scan your open source dependencies for vulnerabilities
Automatically find, prioritize and fix vulnerabilities for free with Snyk.
Reviewing open source package requests for your open source policy
Key elements of an open source software policy include an approved open source list. The policy should clearly state whether using open source code in proprietary software is an acceptable practice or not. Otherwise, this can become a license issue for the organization. A policy of quickly reviewing open source requests, and contributor license agreements, enables developers to choose the right tools to get the job done quickly. This also demonstrates that the organization is a strong believer in open source. Reviewers should be replaced if they lose interest or are too slow to approve new software or code requests, especially as an organization scales.
Why you should continuously refine your open source policy
New vulnerabilities and fixes are often a result of open source software continually being updated and refined. As more open software is brought into the mix, an ongoing process that monitors an organization's open source usage is paramount to success. This continuous process should run in sync with a host of vulnerability documentation boards maintained by the open source community. This can provide notice, in real time, of open source vulnerabilities.
Compliance as code: automate your open source policy
In today's rush to maintain and iterate software, compliance as code can be an alternative to manual auditing open source software. At a time when automation can free up developers to enhance internal and customer-facing services, it only makes sense to automate the method for checking that controls are being followed to match the open source usage policy. Compliance as code can help prevent bugs and security breaches, detect them, as well as remediate them.
Next in the series
6 tips for managing your open source components
Open source software (OSS) simplifies software development, which is one of the reasons why more than 90% of organizations utilize open source components in their applications.
Keep reading