Posted by Matt Jacobs on Monday, November 7th, 2016
Creating an open source management policy is a strategic imperative for organizations in the software industry. But what does a strategic policy include, and how can you implement one?
Let’s start by defining an open source management policy. It is a set of rules and guidelines for using and managing open source software (OSS) in your organization. To be effective, it must cover all the essential aspects of managing open source software, yet it must be succinct and easily understood, otherwise nobody will read it, much less follow it. My rule of thumb is that policies should be five pages or less, and reflect the way software is developed and delivered in your company specifically — general rules are not likely to apply directly to your requirements and processes, so the results are likely to be approximate and inefficient.
There are four key steps to developing an open source management policy:
Identifying and including important stakeholders should be first on your list. These functional responsibilities may include software architects, software developers and engineers, quality assurance and release management personnel, the legal team and product and business managers. In addition, organizations with sensitive data or which may be using open source in products that transact sensitive client or customer data should include someone from the CISO’s office or other security stakeholders responsible for software entering the organization and being released from the organization.
This is the most important success factor! Securing a commitment from stakeholders to contribute the time and effort to the policy and sharing an understanding of the policy’s importance can make or break your efforts. Experience shows that policy development teams are most effective when they work from a clearly articulated statement of the company’s OSS strategy, including statements of the benefits the company wishes to realize and the risks the company wishes to manage.
An effective way to solidify this commitment is collecting and disseminating information about your organization’s use and plans for OSS. Share documents that include:
Policies are typically developed in a series of meetings of the relevant stakeholders. This is where the trade-offs inherent in any policy must be discussed and resolved, and include:
To speed this process, you may wish to consider using a facilitator with extensive OSS policy development experience.
We recommend that open source policies include the following eight elements:
Determining responsibilities for the policy itself and overseeing the program’s management. Consider assigning tasks to individuals or creating an Open Source Management Board.
Efficiently finding and properly evaluating new software packages helps avoid future problems and risks. As such, OSS policies typically recommend certain sources of code (including the code already in-house) and establish evaluation criteria for use throughout the organization. Such policies should further evaluate the need for and deployment of automated OSS component tracking tools in order to fully identify all components that an organization is using. Simply relying on engineers to report what OSS they are using and where typically does not tell the full story, as OSS enters an organization via a number of avenues and hence much may go undetected and untracked.
This policy specifies how an OSS component evaluation is reviewed and who may approve it for specified use. Typically, policies establish an OSS Review Board consisting of key stakeholders who can inform decisions, although sometimes a simpler approval cycle can be established for already approved components and reuse needs.
Embedded OSS is subject to the same license compliance requirements, security risks and potential operational risks as downloaded OSS. OSS policies should require suppliers to report each OSS element embedded in their deliverables, any modifications and known security risks in addition to any license and compliance terms.
Policies should specify that original source code, build files, documentation and license declaration for each OSS component must be archived and all internal modifications must be tracked. Most organizations require that OSS archives are kept up-to-date with internal bug fixes and enhancements. In addition, you should also require tracking in order to generate reports identifying all uses of OSS components.
Identify a responsible party for continuously tracking security vulnerabilities and bugs, notifying users of updates and applying fixes as necessary.
Ensuring compliance with relevant OSS licenses is a critical element of OSS management. We recommend auditing each release to verify that no undocumented or misdocumented OSS is included and that all compliance requirements are met.
For OSS acquired from communities, often the source of support is through community participation. OSS policies should specify the kinds of community participation permitted (or required) and the standards and controls for these activities — whether your company mandates no community participation or active participation, or some level between, articulating these expectations is key.
Circulate the policy among stakeholders for review and approval. Most organizations are able to develop a final policy document after two or three revisions.
And remember: no policy remains unchanged — most companies will go through several rapid revisions as they gain experience during implementation, and after that, it’s useful to periodically review and fine-tune the policy.
(Revised from a 2012 post.)
Get the latest AppSec news and trends sent directly to you.