5 steps to open source governance
Ponikiewicz, who holds both E.E. and J.D. degrees, is an advocate of not only open source but also IP protection and governance. She’s responsible for spearheading Nuance’s open source compliance program, with help from the company’s trusted open source partner, Synopsys. She recommends companies use a five-step approach to building a robust open source governance program.
Initially, make a business case for regulating OSS use in your company. “You need to really understand if you’re developing software as a product, or if you’re developing software to sit within a device, or if you’re doing both,” she observes. Another consideration is distribution: Some companies distribute media directly to customers, while others stream. Nuance, which does both, realizes that open source is important to the company’s success in a variety of contexts.
Also important to Nuance’s OSS compliance program is understanding how its customers interact with its products. “Our products are often integrated into end user systems, which makes open source compliance an important aspect of our development life cycle,” she says.
Ponikiewicz also advises companies using open source to consider typical development practices in the company. “Although most companies strive for a robust, secure software development process, in reality that doesn’t always happen,” she says. “At Nuance, we use open source compliance to push us towards having a robust secure software development process. We do that by having strict open source policies that, at a base level, make software engineers think twice before putting a piece of code into the codebase.” Nuance also scans its codebase for open source to alert software development team leaders to uses of open source that may or may not be on their radar, helping team leads understand what’s happening in their teams—and why.
Ponikiewicz also advises looking at industry best practices. “Many customers and companies do not allow certain open source licenses to be integrated into their larger proprietary codebases,” she notes. “By regulating open source use, you can comply with many customer and industry requests. Additionally, a lot of the customers, and generally the industry that you’re practicing within, have particular security requirements. An open source compliance program can help you comply with a lot of those requirements.”
She acknowledges it can be difficult to get initial buy-in for putting an open source compliance program in place, but notes, “The reward is making your customers happy, ensuring you’re complying with the various licenses, and ensuring you’re complying with secure software development processes.”
Benefits of an OSS compliance program
Among the benefits Nuance has realized from its compliance program is a more empowered and energized development organization—the company’s robust program enables developers to contribute back to projects—as well as putting customers at ease during the sales cycle. “Automating the search and selection of OSS with Black Duck gives us the tools we need to put customers at ease.”
Security is important to Nuance, which uses OSS as its development platform, but so is allowing its developers to contribute back to OSS projects. “Having a robust open source compliance program allows us to integrate with the Android operating system while maintaining the proprietary nature of our code,” she says. “Additionally, our compliance program allows developers to contribute back to open source programs. They often ask for the right to contribute code back to maintain their reputations in the community and to help improve projects. It becomes an onerous task to correct bugs and other functionalities within open source projects. Contributing bug fixes and compatibility changes back to the project eliminates the need for our developers to continue to fix the bug and reduces compatibility issues.”
A proponent of spreading the word about OSS, Ponikiewicz advocates educating employees about open source. “The more education you provide, the more secure your software is going to be, and the more compliant your software is going to be with the requirements of your customers and your internal software development policies.” She recommends training employees on the importance of OSS before embarking on a compliance program. “Often, engineering organizations and engineers have preconceived notions about open source. Developer organizations within the company will have their own homegrown ways of dealing with open source. It’s very important to address open source as a whole with the entire company and ensure everyone is on the same page about the use of open source and related policies.”