Open Source Compliance & Governance

Use of open source software worldwide has increased dramatically in recent years because it reduces costs, increases agility, and drives competitive advantage. In a February 2015 Gartner survey, 99 percent of responding organizations reported using open source.

The growth in open source usage adds code complexity, making it more important than ever to ensure the use of approved and supported code. However, in the same February 2015 Gartner survey, only one third of respondents had a policy to govern use and purchase of open source.

Why Open Source Compliance and Governance Are Critical

The lack of effective open source compliance exposes organizations to legal and business risks through code that contains known security vulnerabilities, is not properly licensed, includes bugs that are costly and time-consuming to fix, or does not comply with corporate policies.

To avoid these risks, organizations must develop policies and procedures based on best practices, establish open source governance programs to enforce these policies, and then automate the management of open source component usage.

A Comprehensive Approach to Open Source Compliance and Governance

Leading organizations have effective open source management policies in place at each phase of the development lifecycle:

Choose

Selecting the best, most secure open source code for your needs is essential, but with more than a million open source projects to choose from, that's not fast or easy.

Black Duck® Protex™ and Code Center™, built on the Black Duck KnowledgeBase™, can help. The KnowledgeBase is the world's most comprehensive database of open source project information, continually gathering data from the vast open source ecosystem by tracking:

  • Over one million projects
  • From 7,500 sites
  • And over 2,300 unique software licenses

In conjunction with the KnowledgeBase, Black Duck Open Hub provides insight into and analysis of more than 660,000 projects. As a resource for finding and evaluating open source code, the Open Hub provides a critical link between more than 500,000 open source developers and the millions of organizations who utilize open source each day.

Open Source Code Scanning

Identifying exactly what open source code is in your codebase is crucial for properly managing – and optimizing – open source use and reuse. It's also key to ensuring license compliance with code licenses and corporate policy requirements, an essential step in reducing business risk.

Whether you're focused on completing your software projects on time and on budget, evaluating potential acquisitions or divestitures, reviewing supply chain commitments, or meeting internal open source licensing compliance requirements, using an automated method for scanning your open source code is the best way to:

  • Identify and understand code origin
  • Identify licenses and ensure license compliance to reduce business risk
  • Eliminate time-consuming and incomplete manual efforts
  • Increase visibility into and control over the open source code in use and where it is located

Black Duck® Protex™ integrates with existing development tools to automatically scan your open source and identify software origins to reduce business risks. The Express Scan feature provides developers with a high-level snapshot of your codebase in 80 percent less time than industry norms for open source code scanning.

Additionally, our Black Duck On Demand Audit services provide a quick, cost-effective way to identify open source and assess open source code quality within your organization so you can make strategic business decisions. By scanning your open source, we can help you ensure appropriate open source compliance requirements are in place.

Approve

With an automated approval process, developers immediately know what code is approved for use and reuse, helping them produce high-quality software fast, and helping to avoid potential legal, operational, and security risks.

A streamlined approval process improves speed and accountability, while reducing roadblocks and bottlenecks. With Black Duck® Code Center™ you can:

  • Eliminate uncertainty and promote reuse
  • Speed identification of software components
  • Mitigate risk without slowing development
  • Collaborate seamlessly

Inventory

Knowing what code is used and approved in your organization is important, but it's not enough. To enable your developers to write the most innovative, secure code, while also speeding time-to-market, you need an intelligent code catalog: one that is automatically updated, built on and integrated with the world's most comprehensive database of open source project information, and that actually gets smarter as your developers use it.

Black Duck® Protex™ features Rapid ID™, which automates the discovery and identification of open source in your codebase. Using multiple analysis techniques, Rapid ID automatically finds open source code, and its "learned matching" capability quickly and easily captures your internal expertise to make your catalog smarter and your developers' jobs easier.

Black Duck® Code Center™ automates key governance processes, enabling you to search for and select open source code, catalog components for reuse and standardization, and gain unprecedented visibility into component availability and desirability. By automating these processes, your organization can seamlessly collaborate while managing software development policies.

Deliver

The Black Duck approach helps you be confident in the products and code you deliver throughout the supply chain and to end users. How? We provide a license obligation report, including an easily consumable bill of materials (BOM) that you can deliver to your customers and/or internal stakeholders.

Document and Share

Black Duck’s support of the Software Package Data Exchange® (SPDX) standard facilitates the open exchange of license information and streamlines supply chain collaboration. The SPDX standard, which communicates open source content, licenses, and copyrights associated with software packages, is vitally important to enabling development organizations to comply more easily with software licensing obligations.
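As an added illustration of the license-obligation review that the BOM and SPDX passages above describe (this is example code, not Black Duck's tooling), the following reads a constructed SPDX 2.x tag-value document, groups its packages, and checks each package's concluded license expression against an assumed corporate allowlist; the sample BOM, the allowlist and the package names are all constructed here, and only single-line field values are handled.

```python
# Constructed SPDX 2.x tag-value document (sample data, not any real project's BOM).
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
DocumentName: example-app-bom
PackageName: zlib
PackageLicenseConcluded: Zlib
PackageLicenseDeclared: Zlib
PackageName: libfoo
PackageLicenseConcluded: MIT OR GPL-3.0-only
PackageLicenseDeclared: GPL-3.0-only
PackageName: libbar
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
"""
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause", "Zlib"}  # assumed corporate allowlist

def parse_packages(text):
    """Group tag: value lines into one dict per PackageName section."""
    packages, current = [], None
    for line in text.splitlines():
        tag, sep, value = line.partition(":")
        if not sep:
            continue
        if tag == "PackageName":          # a new package section begins
            current = {"PackageName": value.strip()}
            packages.append(current)
        elif current is not None:
            current[tag] = value.strip()
    return packages

def expression_approved(expr, approved):
    """Evaluate a flat SPDX license expression (no parentheses) against the allowlist."""
    if " OR " in expr:   # dual-licensed: any approved alternative is acceptable
        return any(expression_approved(p, approved) for p in expr.split(" OR "))
    if " AND " in expr:  # every conjunct must be approved
        return all(expression_approved(p, approved) for p in expr.split(" AND "))
    return expr.strip() in approved   # NOASSERTION / NONE never match the allowlist

def review_bom(text, approved=APPROVED_LICENSES):
    """Return {package: finding} for packages that need attention before delivery."""
    findings = {}
    for pkg in parse_packages(text):
        name = pkg["PackageName"]
        concluded = pkg.get("PackageLicenseConcluded", "NOASSERTION")
        declared = pkg.get("PackageLicenseDeclared", "NOASSERTION")
        if not expression_approved(concluded, approved):
            findings[name] = "not approved: " + concluded
        elif concluded != declared:
            findings[name] = "declared %s differs from concluded %s" % (declared, concluded)
    return findings
```

Packages with no finding are cleared for the deliverable BOM; a declared/concluded mismatch is flagged for human review rather than auto-approved, and NOASSERTION is treated as unapproved because an unknown license carries unknown obligations.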