Is the Chicken Dance Worth the Risk?

Presentation transcript:

Open Source Software: Is the Chicken Dance Worth the Risk? John Kelly & Torsten Feldmann, EY

Introductions: John Kelly, Manager, EY – Risk Advisory; Torsten Feldmann, Senior Manager, EY – Risk Advisory

More than 2400! Open Source software has become very popular in recent years. Questions to the crowd: Do you use OSS? Are you aware of how many OSS licenses exist? (Answer: 2400.) Are you aware that not all of these licenses are compatible with each other?

Agenda: What is Open Source Software; The different license types; The benefits of OSS; The risks of OSS: non-compliance and security breaches; Implementing an OSS Governance Program; Q & A. Benefits – low cost, free to modify, low barriers to deploy, source code is open, not tied to license agreements with other firms. The Bad – license incompatibility, can be difficult to use with closed source software, non-compliance issues and PR issues (cite examples such as BMW). The Ugly – cite major examples of problems with OSS such as Equifax and the Panama Papers.

What is Open Source Software? Origins: Richard Stallman (“Software Should Be Free!”), the GNU Project; Linus Torvalds created Linux. Intellectual property & copyright. OSS is free; OSS requires a license; OSS licenses need to be managed. Origins: believed to originate in US academic circles. The GNU project was started in 1984 by Richard Stallman (“software should be free”). Linux and the GNU project were combined to create the Linux operating system. Intellectual property & copyright: copyright protects original creative works, and software is protected in the same way. Issues arise when software is used without the permission of the original author. A license is how the copyright holder gives others permission to use their work. A license can include specific conditions of use (e.g. non-commercial use only).

What is Open Source Software? Open Source: free to access, use, modify and redistribute the source code. Closed Source: the vendor releases compiled binaries and does not make the source code available (e.g. Microsoft Office). There are around 2400 license types, for example: GPL (General Public License) 2.0 and 3.0; the Apache license; the BSD license; other examples such as the Beerware license and the Catware license. Open Source vs. Closed Source: Closed Source – code is not made available; the firm only releases compiled binaries; users cannot make changes. Open Source – code must be made available to all; users can make changes to the code but must make any changes to the source code available to all for free.

Permissive vs. Protective. Permissive: MIT, BSD, Apache. Weakly protective: LGPL v2.1, LGPL v3, MPL 1.1. Strongly protective: GPL v2, GPL v3. The strength of a license has to do with the scope of the surrounding code that may be subject to copyleft requirements. The BSD license is a simple license that merely requires that all code be licensed under the BSD license if redistributed in source code format. BSD (unlike some other licenses) does not require that source code be distributed at all. LGPL-licensed code can be used as a library in commercial, proprietary software.

OSS in Commercial Products. Widely used: OSS is used to power 48% of all websites (Apache web server). For example, Apple's OSS license use in iOS: Apache License v2, MIT License, BSD 2-Clause license, Open Government License v1, GPL (with the libstdc++ exception).

Open Source Software - Benefits: free to use & modify; large online communities of volunteers; backing of major online firms. Free to use & modify: firms can use it for free; it powers most major websites (via Apache); there are OSS alternatives to most major commercial applications, e.g. LibreOffice for MS Office. Large online communities of volunteers: popular projects can have potentially thousands of developers providing their time and skills for free, and identified issues are highlighted by the community. Backing of major firms (e.g. Microsoft, Google, Facebook): Microsoft now owns GitHub (the largest online repository of Open Source Software); Google and Facebook use OSS to power their websites and contribute resources to major OSS projects; Google developed Kubernetes. Apache Web Server powers 45.1% of all web servers as of Nov 2018; examples include Paypal.com, Apple.com, Adobe.com and Craigslist.org.

Open Source Software - Risks. Compliance risks: high risk of non-compliance. Under copyright law, the licensor can determine the conditions under which his/her work can be used. Open Source software code comes with a license and unique terms and conditions, and courts have upheld copyright law for FOSS. If code is provided by a contractor, are they FOSS compliant? Modification: lack of notice, lack of source code, license modifications. License conflicts are widespread: over 85% of the analysed applications contained components with licenses out of compliance, and 53% of applications scanned had “unknown” licenses, meaning no one has permission from the creator(s) of the software to use, modify, or share the software. Reputational risks: Open Source ideas, software and contributors are viewed positively by many. Commercial enterprises violating FOSS can be the target of the very active FOSS community and possibly wider public controversy and negative publicity.

Open Source Software – License Breaches. BMW Australia: refused to share source code; the story was widely shared online (e.g. Reddit); massive reputational damage; staff were not trained to understand license requirements; were eventually forced to comply. Remix OS: based on Linux (GPL v2); never made an offer to share source code; were forced to do so. Panama Papers (Mossack Fonseca): the portal ran on the Drupal CMS, which was last updated August 2013; the version of Drupal used had at least 25 known vulnerabilities. Equifax breach: a known Apache Struts vulnerability; a patch for the vulnerability was released March 7, yet the company failed to apply the security updates before the attack occurred 2 months later. 65% of leading sites use Apache Struts.

OSS Governance / Compliance Program. Organisations that have successful FOSS compliance have created their own compliance programs, which include policies, processes, training and tools. What are the key activities in a FOSS compliance program? FOSS review: gather relevant info, analyse and understand license obligations, provide guidance compatible with company policy. What info is needed? Main considerations: code transparency; contribute and participate in FOSS communities; respect developer/owner rights and comply with their terms. A developer may use FOSS components in their own product; a developer may modify (add new code, fix/optimise/delete); a developer may translate (e.g. English to Chinese, C++ to Java, compile to binary); development tools may inject code behind the scenes. Distribution: what delivery format (source code or binary, preloaded on hardware), and who receives the software (customer, partner or community). Key activities in a FOSS compliance program: an initial baseline audit to identify licensing and security issues; ongoing scans (as new security issues are identified and new code is released); ongoing policies and procedures when code is being created or modified.

OSS Governance / Compliance Program: Take corrective action; Report findings to stakeholders; Assess identified vulnerabilities and compliance risks; Assess what license types are in use within identified OSS components; Assess what OSS components are in use within your code; Conduct code scan.
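The review steps on this slide (scan, identify components, classify their licenses, assess vulnerabilities, report, correct) and the Permissive vs. Protective grouping from the earlier slide can be turned into a small, repeatable policy check. The Python below is an added example, not code from the EY deck or from any of the scanning tools it names. The component names, versions, licenses and dates are constructed sample data; the license-to-category mapping, the 30-day patch-lag threshold and the finding texts are assumptions chosen to mirror the deck's points (unknown licenses mean no permission; copyleft obligations only bite on distribution; a published fix left unapplied for two months is the Equifax pattern).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# License groups as the "Permissive vs. Protective" slide lists them, keyed by SPDX id.
# Assumption: the policy only recognises these ids; anything else is treated as unknown.
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
WEAKLY_PROTECTIVE = {"LGPL-2.1", "LGPL-3.0", "MPL-1.1"}
STRONGLY_PROTECTIVE = {"GPL-2.0", "GPL-3.0"}

# Assumed policy threshold: a published security fix older than this is a finding.
MAX_PATCH_LAG_DAYS = 30


def license_category(spdx_id: Optional[str]) -> str:
    """Map a license id to the deck's category; unrecognised or missing ids are 'unknown'."""
    if spdx_id is None or not spdx_id.strip():
        return "unknown"
    lic = spdx_id.strip()
    if lic in PERMISSIVE:
        return "permissive"
    if lic in WEAKLY_PROTECTIVE:
        return "weakly_protective"
    if lic in STRONGLY_PROTECTIVE:
        return "strongly_protective"
    return "unknown"  # unfamiliar license text is not permission to use, modify or share


@dataclass
class Component:
    name: str
    version: str
    license: Optional[str]               # None when the scanner could not identify a license
    fix_available_since: Optional[date]  # date a security fix was published; None if nothing pending


def review_component(c: Component, today: date, distributed: bool = True) -> Tuple[str, List[str]]:
    """Return the license category and the list of findings for one component."""
    findings: List[str] = []
    category = license_category(c.license)
    if category == "unknown":
        findings.append("unknown license: no permission to use, modify or share")
    elif category == "strongly_protective" and distributed:
        findings.append("strong copyleft in a distributed product: source code offer required")
    elif category == "weakly_protective" and distributed:
        findings.append("weak copyleft: keep as a separate library and publish changes to it")
    if c.fix_available_since is not None:
        lag_days = (today - c.fix_available_since).days
        if lag_days > MAX_PATCH_LAG_DAYS:
            findings.append(f"security fix available for {lag_days} days and not applied")
    return category, findings


def review_inventory(components: List[Component], today: date,
                     distributed: bool = True) -> Dict[str, Tuple[str, List[str]]]:
    """Run review_component over a scanned inventory, keyed by component name."""
    return {c.name: review_component(c, today, distributed) for c in components}


def unknown_license_share(results: Dict[str, Tuple[str, List[str]]]) -> float:
    """Fraction of components whose license is unknown (the deck quotes 53% for real scans)."""
    if not results:
        return 0.0
    return sum(1 for cat, _ in results.values() if cat == "unknown") / len(results)


# Constructed sample inventory: names, versions, licenses and dates are made up for this example.
REVIEW_DATE = date(2018, 5, 8)
SAMPLE_INVENTORY = [
    Component("web-framework-x", "2.3.1", "Apache-2.0", date(2018, 3, 7)),  # fix published 62 days ago
    Component("cms-core", "7.2.0", "GPL-2.0", None),
    Component("ui-widgets", "0.9.4", None, None),  # scanner found no license at all
    Component("crypto-lib", "1.6.0", "MIT", None),
    Component("xml-parser", "3.1.2", "LGPL-2.1", None),
]

if __name__ == "__main__":
    results = review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)
    for name, (category, findings) in results.items():
        print(f"{name:16} {category:20} {'; '.join(findings) or 'ok'}")
    print(f"unknown-license share: {unknown_license_share(results):.0%}")
```

The `distributed` flag is the design point worth noting: the same GPL component produces a finding when it ships to customers and none when it only runs internally, which is the "who receives the software" question from the previous slide. Unknown licenses are always a finding, because an unrecognised license is not permission.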

OSS Governance / Compliance Program. There are multiple tools to scan for and manage Free and Open Source software, such as: FlexNet Code Aware and Code Insight by Flexera, Black Duck, FOSSology.

The tool is run against the specific software code to scan. It then matches the code against a database of known FOSS code, in order to report back on security, licensing and operational risks.

All licensing components are listed and the full license text is shown.

The Chicken Dance License? For every thousand (1,000) units distributed, at least half of the employees or persons affiliated with the product must listen to "Der Ententanz" (AKA "The Chicken Dance") as composed by Werner Thomas for no less than two (2) minutes. For every twenty-thousand (20,000) units distributed, two (2) or more persons affiliated with the entity must be recorded performing the full Chicken Dance, in an original video at the entity's own expense, and a video encoded in OGG Theora format, at least three (3) minutes in length, must be submitted to <OWNER>, provided <OWNER>'s contact information. The dance must be based upon the instructions on how to do the Chicken Dance that you should have received with this software. If you have not received instructions on how to do the Chicken Dance, then the dance must be chicken-like in nature. Any employee or person affiliated with the product must be prohibited from saying the word "plinth" in public at all times, as long as distribution of the product continues. A type of protest license. Other examples include the Beerware license (buy the creator a beer if they like the software) and the Bouncy Castle license.

Q & A 5 – 10 mins max