Using open source components in your software reduces your total cost of ownership (TCO): there are no license fees, and your developers can focus on the features that differentiate your product. However, if you choose to use open source, you need to set up processes and policies to ensure you are using it in a legal and secure manner.
The 2015 open source survey states that although more than 85% of all commercial software projects rely on open source components, over 50% have no process or policy in place to manage them properly. Are you aware of the hidden costs you might be paying because you have no clear process for selecting, approving and checking the compliance of open source components?
Each time your developers decide to add an open source component, they typically spend more than an hour on research. First they search for all the relevant projects and choose the best one based on popularity (stars, forks, etc.), release date and a few other parameters. The more careful developers go a step further and check the license, and whether it meets your company policy (if you have one). Once decided, they move to the next step: integrating it and seeing if it works. If it doesn't, the entire process has to be repeated.
Companies that don't use automated tools for managing their open source components generally have developers notify a specific person in the team whenever they add a component. This person is in charge of manually tracking and documenting the open source components in use and checking their licenses, usually without proper training or tools. The result is a lot of wasted time every time a component is added.
Remember that you are using open source to increase your developers' productivity, not to make them spend the time it saves tracking and checking open source components.
Manually tracking and managing open source components is error-prone, like any complex manual task. As a result, you are unlikely to end up with an accurate inventory of all your components, their licenses and their transitive dependencies.
It is next to impossible for your team to check by hand whether the open source projects you use carry known security vulnerabilities. CVE records are indexed by vendor and product identifiers (CPE names), not by the package names and versions your build actually pulls in, so there is no direct way to look up "the CVEs for this library at this version" without first mapping one onto the other, for every component and every dependency of a component.
This means that by not properly managing the selection process and not monitoring your project continuously (around 4,000 new CVEs are published every year), you may be surprised at some point to find out that you are using a component with a known security vulnerability, or one that is non-compliant with your company policy.
You will be in a terrible position: you know you can't ship a vulnerable product, nor can you invite legal trouble by violating license terms. Finding such issues at the worst possible time results in delayed deliveries and significant financial setbacks.
Real-time license, security and quality alerts would let you know of such issues as soon as a problematic component is added.
The Ponemon Institute concluded in a study that the lack of a secure development process gets expensive. Vulnerabilities detected early in development cost around $80 on average to fix; the same vulnerabilities cost about $7,600 to fix if detected in production.
No matter how good and experienced your developers are, they will not be able to check whether the specific libraries in your project have known security vulnerabilities, because CVE entries are keyed by product identifiers rather than by the library coordinates in your build, and thousands of them are published each year. This is work for an automated tool that maps your inventory onto those identifiers and matches it against vulnerability databases on every build.
By choosing not to use an automated tool, you increase the chances of finding issues late rather than early, which means the cost of fixing them will be significantly higher.
Let's face it. While your developers may be excellent coders, they aren't trained or skilled in managing OSS libraries.
They are coders or algorithmic engineers, not managers (or DevOps personnel), so you can't entrust them with management-level decisions; these are best left with people who are qualified and have the understanding and motivation to do them.
Essentially, license policies and other open source decisions are strategic to your company and should not be left to individual developers.
The best approach is to formulate them once and choose a tool that automatically enforces them each time a developer adds an open source component to your software.
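To make the two preceding points concrete, here is the core of what an automated check does: it takes the component inventory a build produces, matches each component's version against an advisory feed using proper version-range comparison, and flags any license outside the company's allowlist. This is an added illustration written for this page, not WhiteSource's code; the component list, advisory entries (fictional IDs and package names) and license policy are all constructed sample data. A real tool would pull the feed from NVD or an ecosystem advisory database and first map your package names onto the identifiers that feed uses.

```python
# Added illustration of inventory-versus-advisory matching plus license
# policy enforcement. Not WhiteSource's code: the inventory, the advisory
# feed and the license policy below are constructed sample data.
import re

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def parse_version(text):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically.
    Comparing as strings would wrongly make '1.10.2' < '1.9.0'."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_range(version, spec):
    """spec is a comma-separated constraint list such as '>=1.2.0,<1.2.7'.
    Every constraint must hold for the version to count as affected."""
    v = parse_version(version)
    for constraint in spec.split(","):
        m = re.match(r"(<=|>=|==|<|>)\s*(.+)", constraint.strip())
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


# Constructed inventory: what a lockfile or build manifest would yield.
INVENTORY = [
    {"name": "libfoo", "version": "1.2.5", "license": "MIT"},
    {"name": "libbar", "version": "2.0.1", "license": "Apache-2.0"},
    {"name": "libbaz", "version": "0.9.0", "license": "GPL-3.0-only"},
    {"name": "libqux", "version": "1.10.2", "license": "MIT"},
]

# Constructed advisory feed; IDs and package names are fictional. A real
# feed is keyed by product identifiers that must first be mapped onto the
# names your build system uses.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "libfoo", "affected": ">=1.2.0,<1.2.7"},
    {"id": "EXAMPLE-ADV-2", "package": "libqux", "affected": "<1.9.0"},
    {"id": "EXAMPLE-ADV-3", "package": "libbar", "affected": "==2.0.0"},
]

# Constructed license policy for a proprietary product: permissive
# licenses only; anything else needs approval before it ships.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause"}


def check_inventory(inventory, advisories, allowed_licenses):
    """Return a sorted list of (component, kind, detail) findings."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)

    findings = []
    for comp in inventory:
        for adv in by_package.get(comp["name"], []):
            if version_in_range(comp["version"], adv["affected"]):
                findings.append((comp["name"], "vulnerability", adv["id"]))
        if comp["license"] not in allowed_licenses:
            findings.append((comp["name"], "license", comp["license"]))
    return sorted(findings)


if __name__ == "__main__":
    for name, kind, detail in check_inventory(INVENTORY, ADVISORIES, ALLOWED_LICENSES):
        print(f"{name}: {kind} -> {detail}")
```

Run against the sample data, the check reports libfoo 1.2.5 as affected by EXAMPLE-ADV-1 and libbaz as a license policy violation; libqux 1.10.2 is correctly left alone because the comparison is numeric, which is exactly the kind of detail a hand-maintained spreadsheet gets wrong. Wiring this into the build so it runs on every compile, against a feed refreshed daily, is what turns a one-off audit into continuous monitoring.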
WhiteSource is a SaaS solution that integrates with your build process to continuously and automatically monitor your open source components and alert you in real time. It identifies all your open source components without scanning your source code, pulls the relevant information on each library from its databases, and matches it against your company policy. This happens every time you run your build (even if you run it several times a day), and both alerts and full reports are delivered within minutes.
This means your developers don't have to spend time researching, as WhiteSource will notify them immediately if there is an issue. There is no need to waste your team's time tracking and managing licenses, as this is done automatically. In addition, you will have full visibility of what you are using and its implications, and will not need to worry about unpleasant surprises down the line.
Reporting is another handy feature of WhiteSource. You can use it to create accurate and up-to-date inventory reports, so whenever your management, your legal team or even prospective acquirers want to audit your open source usage, you can present it to them with a single click.
WhiteSource’s goal is to help you maximize open source benefits, so you can increase your team productivity and use open source without any concerns. See what WhiteSource can do for you — claim your free trial now.