Open source code is commonly used by small technology companies when developing new applications. The two main reasons for this are cost and speed. Small developers can quickly build the basis of their technology on open source code and focus their resources on developing unique functionality.
As attractive as the benefits are, developers must be cautious when using open source code in software development, as it carries inherent legal and security risks.
What is open source code?
In a nutshell, open source code is developed by software developers with the aim of that code being shared within a community. Repositories hold the code, and members of the community can use it in developing new technology under the terms of its license. A guiding principle of every open source license is that the code may be viewed, used, modified and improved by anyone; the copyleft licenses go further and require that new technology built on the code be made available to the community on the same terms.
Using open source code may seem like a good idea but certain risks should be taken into account before embarking on a project.
- Many software developers work under the false impression that because open source software is freely available they can use it without restriction. This is wrong. Every piece of open source software is governed by its own license and conditions. GPL, LGPL, AGPL, CDDL and MPL are copyleft licenses: GPL and AGPL can require the entire product that incorporates the code to be released under the same license (AGPL triggers this obligation even when the product is only offered over a network), while LGPL, MPL and CDDL impose narrower obligations on the library or files taken. The OpenSSL license, often listed alongside them, is permissive rather than copyleft, and OpenSSL 3.0 and later is released under the Apache License 2.0. The software developer keeps the copyright in their own code, but the combined work must be released under the copyleft license, so the developer is no longer its exclusive owner in practice. The software then becomes "de-facto open source software". This concept is known as "copyleft" licensing.
- If your company is in the fortunate position of being acquired, the discovery of copyleft-licensed open source code embedded in your technology may adversely affect your company valuation or derail the transaction altogether. The buyer will be concerned that if you are in breach of your open source licensing obligations, you could be forced to release your source code publicly, putting it in the hands of your competitors.
- As the code is publicly available, access is also open to hackers and malicious users, creating a security risk. Attackers use the transparency to seek out vulnerabilities within the code in order to exploit them. It is like a thief having access to the blueprints of a bank vault and being able to identify the thickness of the walls and the easiest access points. In practice the larger risk for most companies is not the transparency itself, which also lets maintainers and defenders find and fix bugs, but continuing to ship old versions of components whose vulnerabilities have already been disclosed and fixed upstream; knowing exactly which components and versions you depend on is the first step to closing that gap.
Recommendations to protect your company from the risks of open source code.
- Conduct a thorough review of the open source code used within your technology. Identify and document each open source component, its version and its license.
- Understand the license terms of each open source code used and ensure that your organization is compliant.
- Develop a company policy related to the use of open source code.
- Educate employees about the policy and the risks of using open source code when developing technology.
- If preparing a company for sale, it is a good idea to undertake an external open source code audit. Such an audit identifies all open source code within a code base, and its report should list every open source component found, the license attached to each, the obligations those licenses impose, and any conflicts with the intended use of the product.
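To show what the inventory and license review above look like once they are turned into something repeatable, here is an added example in Python. It is not code from the article or from Escrow London. The component names, versions and the inventory itself are constructed for illustration, and the grouping of licenses and the severity rules are a simplified policy table assumed for the example; the actual obligations depend on each license's text and on how the component is used, so the output is a starting point for review rather than a legal conclusion.

```python
# Added example, not part of the original article: a minimal license-inventory
# check over a constructed dependency list, in the spirit of the review step
# recommended above. The license groupings and severity rules below are a
# simplified policy assumed for illustration.
from dataclasses import dataclass

# Simplified grouping of common SPDX identifiers (assumption for this example).
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later"}
NETWORK_COPYLEFT = {"AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
                 "MPL-2.0", "CDDL-1.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC", "OpenSSL"}


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str       # SPDX identifier, or "" when the license could not be determined
    usage: str         # how it is used: "static", "dynamic", "process" or "copied"
    modified: bool = False


def assess(component, distributed=True, network_service=False):
    """Return (severity, reason) for one component inside a proprietary product.

    distributed: the product ships to customers as a binary or package.
    network_service: the product is offered to users over a network (SaaS).
    """
    lic = component.license
    if not lic:
        return ("high", "license unknown: obligations cannot be determined")
    if lic in NETWORK_COPYLEFT:
        # AGPL's source obligation is triggered by network use, not only by distribution.
        if distributed or network_service:
            return ("high", "AGPL: source of the whole work must be offered to users")
        return ("low", "AGPL, internal use only")
    if lic in STRONG_COPYLEFT:
        if not distributed:
            return ("low", "GPL, not distributed: no source obligation")
        if component.usage == "process":
            return ("medium", "GPL used as a separate process: keep the boundary clean and document it")
        return ("high", "GPL linked or copied into the product: whole work must be GPL-licensed")
    if lic in WEAK_COPYLEFT:
        if component.modified:
            return ("medium", f"{lic}: modified files or library must be published under the same license")
        if lic.startswith("LGPL") and component.usage == "static":
            return ("medium", "LGPL statically linked: users must be able to relink with a modified library")
        return ("low", f"{lic}: keep notices; publish any changes to the library itself")
    if lic in PERMISSIVE:
        return ("low", f"{lic}: retain copyright and license notices")
    return ("medium", f"{lic}: license not in policy table, needs manual review")


def audit(components, **context):
    """Assess every component and return (name, version, severity, reason) sorted by severity."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [(c.name, c.version, *assess(c, **context)) for c in components]
    return sorted(findings, key=lambda f: (order[f[2]], f[0]))


# Constructed inventory for the example (names and versions are made up).
INVENTORY = [
    Component("fastjson-lite", "1.4.2", "MIT", "static"),
    Component("imgcodec", "0.9.0", "GPL-3.0-only", "static"),
    Component("netshim", "2.1.0", "LGPL-2.1-or-later", "dynamic"),
    Component("pdfkit", "3.0.1", "AGPL-3.0-only", "process"),
    Component("tlswrap", "0.5.0", "OpenSSL", "dynamic"),
    Component("tablefmt", "0.3.0", "", "copied"),
    Component("ui-core", "5.2.0", "MPL-2.0", "copied", modified=True),
]

if __name__ == "__main__":
    for name, version, severity, reason in audit(INVENTORY, distributed=True):
        print(f"[{severity:6}] {name} {version}: {reason}")
```

Run against the constructed inventory with `distributed=True`, the GPL component that is statically linked, the AGPL component and the component with no identifiable license come out as high; the modified MPL files as medium; and the MIT, dynamically linked LGPL and OpenSSL-licensed components as low. Changing the context to `distributed=False, network_service=True` drops the GPL finding but keeps the AGPL one, which is exactly the distinction a policy document needs to spell out.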
Escrow London provides a range of open source audit services for companies that are seeking compliance.
About the Author
Evan Lever has spent the past 16 years protecting the software code and data of the world's biggest companies.
Evan was the CEO and co-founder of DataBank. The company provides data protection and cloud services to over 1,000 companies including many of the world’s largest banks, insurance companies and tech firms. Evan led the company to its acquisition in 2015 and took the opportunity to relocate to the UK.
Evan is now a partner in Escrow London, one of the UK's leading private software escrow providers, protecting the source code of hundreds of companies in the UK, USA, UAE and Africa.
Outside of Escrow London, Evan is a mentor with Virgin Start-up and consults to companies on data security compliance.