Software Integrity

Archive for the 'Legal' Category


SCA for DevOps, DHS security, securing open source for GDPR, CVE gap

It’s an acronym-filled issue of Open Source Insight, as we look at the question of SCA (software composition analysis) and how it fits into the DevOps environment. The DHS (Department of Homeland Security) has concerning security gaps, according to its OIG (Office of Inspector General). Can the CVE (Common Vulnerabilities and Exposures) gap be closed? […]


Posted in Blockchain Security, DevOps, Legal, Open Source Security


Enhanced legal tab in Black Duck On-Demand audit reports

If you have reviewed any Black Duck On-Demand audit reports recently, you may have noticed improvements in the legal tab and the way we report on findings. The new report format has received some very positive reviews, the theme being that it makes reported results more actionable.


Posted in Legal, Open Source Licenses


Tech due diligence: Helping PE firms invest with confidence

When the private equity industry was in its infancy in the 1980s, the tech sector was barely on its radar. Tech is now attracting all types of private equity firms, with the sector representing over 40 percent of US buyouts last year, a trend reflecting the global M&A market, in which tech is also the most […]


Posted in Legal, Open Source Licenses, Open Source Security


When software is the company, tech due diligence is critical

Best practices for a growing number of firms involved in a merger/acquisition transaction (commonly known as an “M&A”) include a code audit whenever software is a significant part of the deal. And more and more firms are realizing that an open source code audit should be part of their overall tech due diligence process.


Posted in Legal, Open Source Licenses


Black Duck by Synopsys: Being part of our kind of company

In the wake of selling Black Duck to Synopsys, it’s really interesting to work through all facets of integration. An energizing journey it is to learn a new company, something I have not experienced in nearly a decade. Soon after we announced, I explained to my dad some of my experiences interacting with the organization, and […]


Posted in Legal, Open Source Licenses, Open Source Security


Is breach of the GPL license breach of contract?

There have been interesting developments on the GPL enforcement front of late. Earlier this year, a court in the Northern District of California (in the case of Artifex Software, Inc. v. Hancom, Inc., which was recently settled out of court) found that breach of the GPL license was also a breach of contract. Later, in […]


Posted in Legal, Open Source Licenses


Facebook to open source community: Let’s make up

The cries for revolt rang loudly within the open source community, as discussed in my prior post on this subject, and there is apparently insufficient soundproofing at Facebook headquarters to shield its denizens from the cacophony. Facebook has announced that it will release its popular open source React, Jest, Flow and Immutable.js projects under the […]


Posted in Legal, Open Source Licenses, Security Standards and Compliance


Equifax reminds us: Open source audits are only a first step

The Equifax disaster underscores the importance of vigilance even after completing open source audits, particularly with respect to security vulnerabilities. Much has been written about the recent breach. Here’s a good overview. In a nutshell, germane to this discussion, the exploited vulnerability was in a popular open source component, Apache Struts, that was made public […]


Posted in Black Duck by Synopsys, Data Breach, Legal, Open Source Security


So Apache broke up with Facebook. How does that affect you?

Although the so-called Facebook BSD+Patents license has been in the wild for nearly three years, it recently became the subject of much commotion because the Apache Software Foundation tagged it as a Category X license, the group of licenses explicitly barred from inclusion in Apache projects. Apache’s decision affects only Apache projects, but the rationale […]


Posted in Legal, Open Source Licenses


The quietly accelerating adoption of the AGPL

The AGPL (Affero General Public License) has continued to gain in popularity and is showing up frequently in modern code bases. My blog Are SaaS Companies Immune to Open Source Risk? mentioned a key concern for SaaS or Cloud companies, a class of open source licenses that includes the Affero GPL designed to plug the SaaS loophole. […]


Posted in Legal, Open Source Licenses