Software Integrity Blog

Author Archive

Phil Odence


Phil is General Manager, Black Duck On-Demand. He works closely with Black Duck’s law firm partners and the open source community. A frequent speaker at industry events, Phil chairs the Linux Foundation's Software Package Data Exchange (SPDX) working group. With over 20 years’ software industry experience, Phil came to Black Duck from Empirix where he served as Vice President of Business Development and in other senior management positions, and was a pioneer in VoIP testing and monitoring. Prior to Empirix, Phil was a partner and ran consulting at High Performance Systems, a startup computer simulation modeling firm. He began his career with Teradyne's electronic design and test automation (EDA) software group in product, sales and marketing management roles. Phil has an AB in Engineering Science and an MS in System Simulation from the Thayer School of Engineering at Dartmouth College.


Posts by Phil Odence:

The quietly accelerating adoption of the AGPL

The AGPL (Affero General Public License) has continued to gain in popularity and is showing up frequently in modern codebases.

Posted in Open Source Security

Can blockchain and the BTC license fund health insurance?

The BTC license hit my radar screen recently. Billed as “sexy” by the author, the permissive BTC license employs blockchain and may signal a new trend going forward that could transform the way many developers work … and how they get their health insurance.

Background

I chair the Linux Foundation’s SPDX work group. Among other things, SPDX supports a standard license list. The following request to add a license hit the SPDX legal team’s mailing list recently: New license/exception request: BTC License (BTC)

Posted in Open Source Security, Webinars

3 examples of why permissive licenses deserve a little respect

To the extent that tech companies manage open source risks, their primary focus tends to be on reciprocal licenses and the GPL in particular. As I’ve discussed earlier, the potential risks of open source are broader than just license compliance. Additionally, there are other licenses to consider beyond the GPL. Even permissive licenses deserve a little respect.

Posted in General, Open Source Security

Encryption technology in your code impacts export requirements

US export laws require companies to declare what encryption technology is used in any software to be exported. The use of open source makes complying with these regulations a tricky process.

Posted in General, Open Source Security

How an open source software audit works

Most of our readers understand that an open source software audit involves expert consultants analyzing a proprietary code base using Black Duck tools. The deliverable is a report that identifies open source in the code as well as associated risks. If you’d like to understand our process (what comes before, during and after), read on.

Pre-audit

Generally customers who come to us are either acquirers looking to have Black Duck perform an open source software audit on the code of their target, or companies wanting us to audit their own code in anticipation of being acquired (or for some other reason). Particularly if the context is an M&A transaction, there can be significant time pressure. So it’s critical, first thing, to scope the job, allowing all parties to quickly understand the time and costs involved. We regularly amaze customers with our responsiveness when we get called in at the last minute, but scoping early can save everyone time and money (and headaches).

Posted in General, Open Source Security

3 areas of open source risk: Legal, security…Do you know the third?

Looking back five or ten years, companies managing open source risk were squarely focused on license risk associated with complying with open source licenses. Beginning in 2014, when open source security vulnerabilities began to get names (like Heartbleed, Shellshock and Poodle), open source security rose in importance as companies addressed vulnerabilities in their code. Black Duck suddenly saw a much broader range of companies interested in controlling open source. Less attention has been paid to a third area: operational risk. Operational risk comprises three elements you need to know about.

Posted in General, Open Source Security, Security Standards and Compliance

The fly in the ointment of the JSON license

JSON (JavaScript Object Notation) is an extremely flexible, lightweight format for exchanging data of all sorts. It lives up to JSON.org’s description as “an ideal data-interchange format.” But use of some JSON projects is limited by the JSON license. Concern with the license is not new, but the issue has recently been reexamined by the Apache Foundation, and the discussion is a good reminder of the importance of license selection and a caution against “rolling your own.”

Posted in Open Source Security

Due diligence checklist: When do you need an open source audit?

I occasionally get the question of when a code base really needs an audit. Biased though I am, I sincerely believe that, in anticipation of an M&A transaction, whenever software assets are a significant part of the valuation of a company, someone ought to perform a detailed audit. Here I have provided some preliminary questions for a software due diligence checklist for both buyers and sellers.

Posted in General, Open Source Security, Security Standards and Compliance

IT due diligence: How to enhance your approach

Posted in General, Open Source Security, Security Standards and Compliance

Are SaaS companies immune to open source risk?

The brief answer to the question of whether SaaS companies are immune to open source risk is “no.” While there is a grain of truth to it with respect to the use of GPL-licensed components, SaaS companies are not immune to legal risks. And there are other elements of open source risk to which SaaS companies are actually more exposed than non-SaaS vendors.

Posted in General, Open Source Security, Security Standards and Compliance