Software Integrity Blog

Author Archive

Phil Odence


Phil is General Manager, Black Duck On-Demand. He works closely with Black Duck’s law firm partners and the open source community. A frequent speaker at industry events, Phil chairs the Linux Foundation's Software Package Data Exchange (SPDX) working group. With over 20 years’ software industry experience, Phil came to Black Duck from Empirix where he served as Vice President of Business Development and in other senior management positions, and was a pioneer in VoIP testing and monitoring. Prior to Empirix, Phil was a partner and ran consulting at High Performance Systems, a startup computer simulation modeling firm. He began his career with Teradyne's electronic design and test automation (EDA) software group in product, sales and marketing management roles. Phil has an AB in Engineering Science and an MS in System Simulation from the Thayer School of Engineering at Dartmouth College.


Posts by Phil Odence:


Enhanced legal tab in Black Duck Audit reports

If you’ve reviewed any Black Duck Audit reports recently, you may have noticed improvements in the legal tab and the way we report on findings.

Posted in Mergers & Acquisitions, Open Source Security

Black Duck Audits at Synopsys: Being part of our kind of company

The core values at Synopsys really tell the story of what a great home it is for Black Duck overall and the software audit business in particular.

Posted in Mergers & Acquisitions, News & Announcements, Open Source Security

Equifax reminds us: Open source audits are only a first step

On-demand open source audits aren’t enough. The Equifax data breach highlights the need for post-audit vigilance, particularly for security vulnerabilities.

Posted in Data Breach Security, Mergers & Acquisitions, Open Source Security

Diving deep into wild and wacky open source licenses

Most open source components are licensed under common licenses, but dozens of interesting or just weird open source licenses remain on the lunatic fringe.

Posted in Mergers & Acquisitions, Open Source Security

The quietly accelerating adoption of the AGPL

The AGPL (Affero General Public License) continues to gain in popularity. How many modern codebases does it appear in, and how are companies using AGPL?

Posted in Mergers & Acquisitions, Open Source Security

Can blockchain and the BTC license fund health insurance?

The BTC license hit my radar screen recently. Billed as “sexy” by the author, the permissive BTC license employs blockchain and may signal a new trend going forward that could transform the way many developers work … and how they get their health insurance.

Background

I chair the Linux Foundation’s SPDX work group. Among other things, SPDX supports a standard license list. The following request to add a license hit the SPDX legal team’s mailing list recently: New license/exception request: BTC License (BTC)

Posted in Open Source Security, Webinars

3 permissive licenses and why they deserve a little respect

Software companies prioritize GPL on their license review lists. But permissive licenses aren’t risk-free and deserve a little respect from legal teams too.

Posted in Mergers & Acquisitions, Open Source Security

Encryption technology in your code impacts export requirements

US export laws require companies to declare what encryption technology is used in any software to be exported. The use of open source makes complying with these regulations a tricky process.

Posted in Mergers & Acquisitions, Open Source Security

How an open source software audit works

Most of our readers understand that an open source software audit involves expert consultants analyzing a proprietary code base using Black Duck tools. The deliverable is a report that identifies open source in the code as well as associated risks. If you’d like to understand our process — what comes before, during and after — read on.

Pre-audit

Generally, customers who come to us are either acquirers looking to have Black Duck perform an open source software audit on the code of their target, or companies wanting us to audit their own code in anticipation of being acquired (or for some other reason). Particularly if the context is an M&A transaction, there can be significant time pressure. So it’s critical, first thing, to scope the job, allowing all parties to quickly understand the time and costs involved. We regularly amaze customers with our responsiveness when we get called in at the last minute, but scoping early can save everyone time and money (and headaches).

Posted in Mergers & Acquisitions, Open Source Security

The fly in the ointment of the JSON license

Use of some JSON projects is limited by the JSON License, which has a problematic, ambiguous clause. The Apache Foundation recently reexamined the issue.

Posted in Mergers & Acquisitions, Open Source Security