The freedoms of free and open-source software include the ability to run the program; the ability to read, study and modify the code; the ability to make and redistribute copies; and the ability to distribute copies of modified versions, according to the OSI.
But the freedoms and benefits that open source enables, such as a lower total cost of ownership, higher quality and faster innovation, can also pose a risk to your company.
“Open source can be a veritable candy store of resources for developers, and also provide time and resource-saving shortcuts for organizations integrating and developing code. But it’s not a panacea,” said Bill Weinberg, senior director of open-source strategy at Black Duck.
For instance, if an organization doesn’t comply with the license associated with a particular chunk of open-source code, it risks being sued. If it doesn’t check the code it is using, it could potentially damage its services and systems. And if the organization doesn’t know where the code came from in the first place, then it may not be aware of any incompatibility issues or any obligations that the license requires.
These risks can cause organizations to shy away from using open-source software, but if they know what they are dealing with, open source doesn’t have to be an intimidating space. According to Rogue Wave’s McLoughlin, there are three areas that organizations sometimes forget to consider: compliance, security and support.
Open-source software comes with licenses that users are expected to comply with. If an organization doesn’t comply, then it can open itself up to legal liability, according to McLoughlin. Also, there are certain types of licenses that may back users into a corner, such as the GNU license that in some instances requires users to release their modified work under it and provide the source code.
But the point of a license isn’t necessarily to threaten an organization into compliance, according to Black Duck’s Weinberg. Open-source licenses are meant to protect someone’s unique property rights, and also guarantee the free and unencumbered distribution of the source code. “The originators of free and open-source software were trying to ensure that their works would be available to other users and communities and downstream inheritors without the code being sucked up by a proprietary interest and never being made available,” he said.
Proprietary licenses, for example, can limit a user’s permission to use the software, and they can sometimes contractually take away the rights users would have under copyright law, according to the OSI’s board of directors.
As the open-source community saw with major events like Heartbleed, open-source code can open your software to security vulnerabilities. Being aware of the security aspects is essential, and organizations need to be aware of any known security issues, according to McLoughlin. “Hopefully you are doing some type of static code analysis, some type of analysis of your code so that you understand if it opens you up to any security vulnerabilities, and then you have to track that code on an ongoing basis as new vulnerabilities are found in the future,” he said.