Software Development Compliance – Open Source Policy Compliance
Nik Teshima, IBM Rational software; Phil Odence, Black Duck Software
Last updated: February 08, 2013
Build basis: IBM Rational Collaborative Lifecycle Management (CLM) v3.0.1.x, v4.0.x (Rational Team Concert)
Overview
This is the seventh in a series of articles on how the Rational solution for Collaborative Lifecycle Management (CLM) supports software development compliance. It is highly recommended that you read the overview article in the series first before proceeding.
Software development today is multi-source. That is to say, developers no longer write all of their code from scratch; rather, they draw upon their own previous work, work done by others inside their organization, and software from sources outside their organization. Increasingly, development teams are drawing upon the more than half a million components freely available on the internet. Open source software has become a critical element in most software development today. This has been a grassroots initiative, largely under the radar initially, but gaining visibility over the last decade or so. Initially anxious about this trend, many companies now see the use of open source building blocks as a strategic weapon that helps reduce their costs and accelerate their time to market, and in many cases as the only way to keep up with rapidly evolving customer needs.
Gartner’s Mark Driver says, “Open source is ubiquitous, it’s unavoidable…having a policy against open source is impractical and places you at a competitive disadvantage.” A study by Gartner in 2011 revealed that their clients’ code bases contained on average 29% open source code, and some companies are leveraging as much as 80% open source. But the Gartner study goes on to caution that while use of open source has ramped up dramatically, controls have not kept pace, and thus the study predicts that “50% of companies will face challenges due to lack of Free and Open Source Software (FOSS) policy and management.”
The challenges of using open source stem from the availability and abundance of open source components, the very attributes that make open source valuable also make it tricky to manage. Whereas it was once the case that all third party code was vetted by a trained, knowledgeable procurement organization before entering an organization, today any developer with a browser can download essentially whatever they want from the Internet. Any such download potentially exposes a company to a range of risks unless there are processes in place to assess the software’s licensing, security, quality, support and other attributes.
So to fully and safely reap the benefits of open source, development organizations need to manage these challenges and risks, and this requires open source policies to guide developers and processes to ensure compliance. Automated open source compliance minimizes the overhead of ensuring that developers are following policy. Multi-source development does not change the need for CLM tools; all code, whatever its source, needs to have its requirements and changes managed, its source code checked in and out of SCM systems, and to be built. However, managing open source compliance requires a new set of capabilities beyond those. The Black Duck Suite complements, and is integrated into, Rational’s CLM tools to provide these additional capabilities.
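To make concrete what an automated policy check does, here is an added example of a minimal license-policy gate. It is illustrative code written for this article, not code from IBM Rational or Black Duck, and it assumes a hypothetical three-tier company policy (allowed, review-required, denied) keyed by SPDX license identifiers. The input is a constructed SPDX-style tag/value package list; the expression handling covers flat OR/AND license expressions (dual licensing passes if any alternative is acceptable, a conjunction is only as good as its worst term) and treats anything unrecognised, including NOASSERTION, as blocking.

```python
"""Automated open source policy gate over an SPDX-style tag/value package list.
Added illustration for this article; not IBM Rational or Black Duck code."""
from dataclasses import dataclass

# Hypothetical company policy, keyed by SPDX license identifier.
ALLOWED = {"Apache-2.0", "MIT", "BSD-2-Clause", "BSD-3-Clause"}
REVIEW = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"}   # needs legal sign-off
DENIED = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}

# Higher rank is worse; AND takes the worst term, OR takes the best alternative.
RANK = {"allow": 0, "review": 1, "unknown": 2, "deny": 3}


@dataclass
class Component:
    name: str
    version: str
    license_expr: str  # SPDX license expression, e.g. "MIT OR GPL-2.0-only"


def classify_license(identifier: str) -> str:
    """Map one SPDX identifier to a policy verdict; unrecognised ids are 'unknown'."""
    if identifier in ALLOWED:
        return "allow"
    if identifier in REVIEW:
        return "review"
    if identifier in DENIED:
        return "deny"
    return "unknown"  # covers NOASSERTION, NONE and typos


def evaluate_expression(expr: str) -> str:
    """Evaluate a flat SPDX expression (OR / AND; no nested parentheses, no WITH)."""
    verdicts = []
    for alternative in expr.split(" OR "):
        terms = [t.strip().strip("()") for t in alternative.split(" AND ")]
        verdicts.append(max((classify_license(t) for t in terms), key=RANK.get))
    return min(verdicts, key=RANK.get)


def _to_component(fields: dict) -> Component:
    return Component(
        fields["PackageName"],
        fields.get("PackageVersion", "unknown"),
        fields.get("PackageLicenseConcluded", "NOASSERTION"),
    )


def parse_spdx_packages(text: str) -> list[Component]:
    """Read PackageName / PackageVersion / PackageLicenseConcluded tag/value blocks."""
    components, current = [], {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            if current:
                components.append(_to_component(current))
            current = {"PackageName": value}
        elif tag in ("PackageVersion", "PackageLicenseConcluded"):
            current[tag] = value
    if current:
        components.append(_to_component(current))
    return components


def audit(components: list[Component]) -> dict[str, list[str]]:
    """Group component identifiers (name@version) by policy verdict."""
    report = {"allow": [], "review": [], "unknown": [], "deny": []}
    for c in components:
        report[evaluate_expression(c.license_expr)].append(f"{c.name}@{c.version}")
    return report


def gate_passes(report: dict[str, list[str]]) -> bool:
    """The build may ship only if nothing is denied or of unknown license."""
    return not report["deny"] and not report["unknown"]


# Constructed sample manifest; package names and versions are made up.
SAMPLE_SPDX = """\
PackageName: fastjson-lite
PackageVersion: 2.1.0
PackageLicenseConcluded: Apache-2.0

PackageName: dualdb
PackageVersion: 0.9
PackageLicenseConcluded: MIT OR GPL-2.0-only

PackageName: legacy-crypt
PackageVersion: 1.0
PackageLicenseConcluded: BSD-3-Clause AND LGPL-2.1-only

PackageName: copyleft-net
PackageVersion: 3.2
PackageLicenseConcluded: AGPL-3.0-only

PackageName: mystery-util
PackageVersion: 0.1
PackageLicenseConcluded: NOASSERTION
"""

if __name__ == "__main__":
    result = audit(parse_spdx_packages(SAMPLE_SPDX))
    for verdict, names in result.items():
        print(f"{verdict:8} {', '.join(names) or '-'}")
    print("gate:", "PASS" if gate_passes(result) else "FAIL")
```

Wired into a build, a gate like this fails the build for denied or unknown licenses and routes review-tier components to legal, which is the kind of check a tool such as the Black Duck Suite performs with a far larger license knowledge base and actual code matching rather than declared metadata.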
The attached PDF file provides a walkthrough, with screen shots, of how Rational Team Concert integrated with Black Duck ensures compliance with a company’s open source policies.
For more information
- Overview
- Work Authorization and Requirements Integrity
- Segregation of duties in Regulated Software Development
- Process change control
- Internal control audits
- Support for Capability Maturity Model Integration
About the author
Nik Teshima has a long history in software delivery, design, and development at IBM. In his current role he is responsible for Rational’s IT Risk Management and Compliance solution, helping customers in regulated industries more easily and effectively plan for and deliver IT projects while meeting the growing set of regulatory mandates and standards they are required to satisfy. He can be contacted at teshiman@ca.ibm.com
Phil Odence is responsible for expanding Black Duck’s reach, image and product breadth by developing partnerships in the multi-source development ecosystem. He is in charge of building the company’s growing network of international resellers and launched Black Duck’s legal certification program. A frequent speaker at open source industry events, Phil chairs the Linux Foundation’s Software Package Data Exchange (SPDX) working group and is a blogger for NetworkWorld.
Copyright © 2013 IBM Corporation