Most companies will use open source software when creating their own product. This is fine, except for when the company needs to take investment or be sold. Then these questions will get asked:
- What open source has been used?
- Where is it used?
- What license does it use?
- Is it secure?
The answer to these questions is often “We don’t know”. During development, developers can find things from around the web that help them build a solution quickly and get the results they need fast. This often means using open source code, which is fine. But it is rarely documented properly and can cause issues further down the line.
Issues can come about when a company needs to define its IP: what has been created and where the value in the company lies.
If open source code has been used, can it be used in a commercial sense?
This is the big one: if it can’t, then new code will have to be found or written to replace the functionality, which can be costly and time consuming. There is a good chance that the developer didn’t spend as much time reading the open source license as they did trying to get their project to work.
What version has been used and is it secure?
Software is constantly being updated to not only add new features but to also keep it secure. Has the software been updated since it was implemented or is it an old version and are there security vulnerabilities in it?
Several policy management and open source management tools can be used for tracking open source use and allowing management to reject requests to use some open source projects should the license not be suitable. This software can also be used to export a FOSS (Free and Open Source Software) register and a BOM (bill of materials). This won’t help, though, if a sale is imminent and everything is being done retrospectively.
The chances are the investors will then ask for a 3rd party open source software audit to be done, which will incur costs and can be time consuming.
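The two checks such tooling automates, a license allow-list and a “is this version patched?” comparison, are shown below as an added example written for this post (not code from any FOSS management product). The component names, versions, licenses and the advisory entry are all constructed sample data, and the allow-list is an assumed policy.

```python
import json

# Constructed sample register: what a developer-maintained spreadsheet would hold.
# Names, versions, licenses and paths are illustrative, not real audit data.
COMPONENTS = [
    {"name": "libfoo", "version": "1.2.0", "license": "MIT", "used_in": "api/auth.py"},
    {"name": "libbar", "version": "0.9.1", "license": "GPL-3.0-only", "used_in": "core/report.py"},
    {"name": "libbaz", "version": "2.0.0", "license": "Apache-2.0", "used_in": "cli/main.py"},
]

# Assumed license policy for a proprietary product: anything else needs review.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Constructed advisory feed: component name -> first version that carries the fix.
ADVISORIES = {"libfoo": "1.2.3"}


def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def review_component(c):
    """Return the component plus findings: license policy status and patch status."""
    findings = []
    if c["license"] not in ALLOWED_LICENSES:
        findings.append(f"license {c['license']} not in allow-list")
    fixed = ADVISORIES.get(c["name"])
    if fixed and parse_version(c["version"]) < parse_version(fixed):
        findings.append(f"version {c['version']} predates fixed version {fixed}")
    return {**c, "approved": not findings, "findings": findings}


def build_register(components):
    """The FOSS register: every component with its review outcome."""
    return [review_component(c) for c in components]


def register_to_bom(register):
    """Minimal JSON bill of materials; the layout is illustrative, not a standard schema."""
    rows = [{"name": r["name"], "version": r["version"], "license": r["license"]} for r in register]
    return json.dumps({"components": rows}, indent=2)


if __name__ == "__main__":
    register = build_register(COMPONENTS)
    for row in register:
        status = "OK" if row["approved"] else "REJECT"
        print(f"{status:6} {row['name']} {row['version']} ({row['license']}) in {row['used_in']}")
        for finding in row["findings"]:
            print("       -", finding)
    print(register_to_bom(register))
```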
In summary, create a documentation process for your developers to follow when using open source software. This can be a simple spreadsheet or full FOSS management software; it’ll be worth it in the long run.
If you already have a software product which contains a lot of open source software and you don’t know where or what licences it uses, we can help with a FOSS audit to find and document it all for you.