Presentation is loading. Please wait.

Presentation is loading. Please wait.

Is the Chicken Dance Worth the Risk?

Published byĐỗ Dương Modified over 6 years ago

Similar presentations

Presentation on theme: "Is the Chicken Dance Worth the Risk?"— Presentation transcript:

1

2 Is the Chicken Dance Worth the Risk?
Open Source Software: Is the Chicken Dance Worth the Risk? John Kelly & Torsten Feldmann EY

3 Introductions John Kelly Manager EY – Risk Advisory Torsten Feldmann
Senior Manager EY – Risk Advisory

4 More than 2400! Open Source software has become very popular in recent years. Questions to the crowd: Do you use OSS? Are you aware of how many OSS licenses exist? Answer 2400 Are you aware that not all of these licenses are compatible with each other?

5 Agenda What is Open Source Software The difference license types
The benefits of OSS The risks off OSS Incompliance & Security breaches Implementing and OSS Governance Program Q & A Benefits – Low cost, free to modify, low barriers to deploy, source code is open, not tied to license agreements with other firms. The Bad – License incompatibility, can be difficult to use with closed source software, incompliance issues and PR issues – cite examples such as BMW. The Ugly – Cite major examples of problems with OSS such as Equifax, Panama Papers

6 What is Open Source Software?
Origins: Richard Stallman “Software Should Be Free!” GNU Project Linus Torvalds created Linux Intellectual property & copyright OSS is free OSS requires a license OSS licenses need to be managed Origins: Believed to originate in US academic circles. GNU project was started in 1984 by Richard Stallman (Software should be free). Linux and GNU project combined to create the Linux Operating System. Intellectual property & copyright Protection of original creative works & software is protected. Issues arise when software is used without permission of original author. A license is how the copyright holder gives permission to use their works to others. License can include specific conditions of use (e.g. non-commercial use only).

7 What is Open Source Software?
Open Source: free accesses, use, modify, and re-distribute the source code. Closed Source: Vendor released compiled binaries and does not make source code available (e.g. Microsoft Office). There are around 2400 license types: GPL: General Public License 2.0 and 3.0 Apache license BSD license Other examples – Beerware license, Catware license. Open Source Vs. Closed Source Closed Source – code is not made available. Firm only releases compiled binaries. Users cannot make changes. Open Source – code must be made available to all. Users can made changes to code but must make any changes to source code available to all for free.

8 Permissive Vs. Protective
MIT BSD Apache Weakly Protective LGPL v2.1 LGPL v3 MPL 1.1 Strongly Protective GPL v2 GPL v3 The strength of a license has to do with the scope of the surrounding license that may be subject to copyleft requirements. The BSD license is a simple license that merely requires that all code be licensed under the BSD license if redistributed in source code format. BSD (unlike some other licenses) does not require that source code be distributed at all. LPGP license code can be used as libraries in commercial, proprietary software.

9 OSS in Commercial Products
Widley used OSS used to power 48% of all websites (Apache web server) For example: Apple OSS license use in iOS Apache License v2 MIT License BSD 2-Clause license Open Government License v1 GPL (libstdc++ exception) The BSD license is a simple license that merely requires that all code be licensed under the BSD license if redistributed in source code format. BSD (unlike some other licenses) does not require that source code be distributed at all.

10 Open Source Software - Benefits
Free to use & modify Large online communities of volunteers Backing of major online firms Free to use & modify Firms can use it for free Powers most major websites (via apache) OSS alternatives to most major commercial applications – Libre Office for MS Office Large online communities of volunteers Popular projects can have potentially thousands of developers providing their time and skills for free Identified issues are highlighted by the community Backing of major firms (e.g. Microsoft, Google, Facebook) Microsoft now owns Github (largest online repository of Open Source Software) Google & Facebook use OSS to power their websites and contribute resources to major OSS Projects Google developed Kubernetes Apache Web Server powers 45.1% of all web servers as of Nov 2018 Examples include: Paypal.com Apple.com Adobe.com Craigslist.org

11 Open Source Software - Risks
Compliance risks: High risk of incompliance. If code is provided by contractor – are they FOSS compliant? Modification – lack of notice, lack of source code, license modifications. Over 85% of the analysed applications contained components with licenses out of compliance. 53% of applications scanned had “unknown” licenses. Reputational risks: Open Source ideas, software and contributors are viewed positively by many. Commercial enterprises violating FOSS can be the targeted by the very active FOSS community possibly wider public controversy negative publicity. Compliance risks: Under copyright laws, the licensor can determine the conditions under which his/her work can be used. Open Source software code comes with a license and unique terms and conditions. Courts have upheld the copyright law for FOSS. If code is provided by contractor – are they FOSS compliant? Modification – lack of notice, lack of source code, license modifications. License conflicts are widespread. Over 85% of the analysed applications contained components with licenses out of compliance. 53% of applications scanned had “unknown” licenses, meaning no one has permission from the creator(s) of the software to use, modify, or share the software. Reputational risks: Open Source ideas, software and contributors are by many viewed positively. Commercial enterprises violating FOSS can be the target of the very active FOSS community and possibly wider public controversy and negative publicity.

12 Open Source Software – License Breaches
BMW Australia: Refuse to share source code Story was widely shared online (e.g. Reddit) Massive reputational damage Staff were not trained to understand license requirements Were eventually forced to comply BMW Australia: Refuse to share source code Story was widely shared online (e.g. Reddit) Massive reputational damage Staff were not trained to understand license requirements Were eventually forced to comply Remix OS: Based on Linux (GPL v2) Never made an offer to share source code Were forced to do so Panama Papers Mossak Fonseca The portal ran on Drupal CMS which was last updated August 2013 The version of Drupal used had at least 25 known vulnerabilities Equifax Breach Known Apache Struts vulnerability A patch for the vulnerability was released March 7, yet the company failed to apply the security updates before the attack occurred 2 months later. 65% of leading sites use Apache Struts Remix OS: Based on Linux (GPL v2) Never made an offer to share source code Were forced to do so

13 OSS Governance / Compliance Program
Organisations that have successful FOSS compliance have created their own compliance programs, which includes policies, processes, training and tools What are the key activities in a FOSS Compliance program? FOSS review – gather relevant info, analyse and understand license obligations, provide guidance compatible with company policy What info is needed? Main Considerations? Code transparency Organisations that have successful FOSS compliance have created their own compliance programs, which includes policies, processes, training and tools Contribute and participate in FOSS communities Respect developer/owner rights and comply with their terms Developer may use FOSS components in their own product Developer may modify – add new code, fix/optimise/delete Developer may translate – e.g. English to Chinese, C++ to Java, Compile to binary Development tools may inject code behind the scenes Distribution – what delivery format (source code or binary, preloaded on hardware) Who receives the software – customer, partner or community Key activities in a FOSS Compliance program: Initial baseline audit to identify licensing and security issues. Ongoing scans (as new security issues are identified and new code is released) Ongoing policies and procedures when code is being created or modified.

14 OSS Governance / Compliance Program
Take corrective action Report findings to stakeholders Assess identified vulnerabilities and compliance risks Assess what license types are in use within identified OSS components Assess what OSS components are in use within your code Conduct code scan

15 OSS Governance / Compliance Program
There are multiple tools to scan for and manage Free and Open Source software, such as: Flexnet CodeAware Code Insight by Flexera Black duck Fossology

16 The tool is run against the specific software code to scan.
It is then matching the code against a data base of known FOSS code, in order to…

17 … report back on security, licensing and operational risks.

18 All licensing components are listed and the full license text is shown.

19 The Chicken Dance License?
For every thousand (1,000) units distributed, at least half of the employees or persons affiliated with the product must listen to the "Der Ententanz" (AKA "The Chicken Dance") as composed by Werner Thomas for no less than two (2) minutes For every twenty-thousand (20,000) units distributed, two (2) or more persons affiliated with the entity must be recorded performing the full Chicken Dance, in an original video at the entity's own expense, and a video encoded in OGG Theora format, at least three (3) minutes in length, must be submitted to <OWNER>, provided <OWNER>'s contact information. The dance must be based upon the instructions on how to do the Chicken Dance that you should have received with this software. If you have not received instructions on how to do the Chicken Dance, then the dance must be chicken-like in nature. Any employee or person affiliated with the product must be prohibited from saying the word "plinth" in public at all times, as long as distribution of the product continues. A type of protest license. Other examples include beerware license (buy the creator a beer if they like the software) Bouncy castle license

20 Q & A 5 – 10 mins max

21

Download ppt "Is the Chicken Dance Worth the Risk?"

Similar presentations

Overview of Free/Open Source Software for Librarians Eric Goldhagen

Overview of Free/Open Source Software for Librarians Eric Goldhagen
The Web Wizards Guide to Freeware/Shareware Chapter Six Open Source Software.

The Web Wizards Guide to Freeware/Shareware Chapter Six Open Source Software.
Free Beer and Free Speech Thomas Krichel

Free Beer and Free Speech Thomas Krichel
Open Source Answer to Critical Infrastructure Security Challenges Vadim Shchepinov, Chief Executive Officer RED SOFT CORPORATION.

Open Source Answer to Critical Infrastructure Security Challenges Vadim Shchepinov, Chief Executive Officer RED SOFT CORPORATION.
Legal Issues Affecting the Use of Open Source IT Solutions in the Enterprise Julia Sitarz Student, University of Connecticut WIPO Conference May 2007.

Legal Issues Affecting the Use of Open Source IT Solutions in the Enterprise Julia Sitarz Student, University of Connecticut WIPO Conference May 2007.
Open Source Software Development & Commercialisation Developing Lifelong Learner Record Systems and ePortfolios in FE and HE: Planning for, and Coping.

Open Source Software Development & Commercialisation Developing Lifelong Learner Record Systems and ePortfolios in FE and HE: Planning for, and Coping.
The following 10 questions test your knowledge of desired configuration management in Configuration Manager 2007. Configuration Manager Desired Configuration.

The following 10 questions test your knowledge of desired configuration management in Configuration Manager Configuration Manager Desired Configuration.
Open Source & Research Brought to you by: Office of Technology Licensing Office of the General Counsel Stanford University Jim DeGraw Ray Zado Ropes &

Open Source & Research Brought to you by: Office of Technology Licensing Office of the General Counsel Stanford University Jim DeGraw Ray Zado Ropes &
Platinum Sponsors Gold Sponsors Navigating the Open Source Legal Waters Presenter: Jeff Strauss August 14, 2013.

Platinum Sponsors Gold Sponsors Navigating the Open Source Legal Waters Presenter: Jeff Strauss August 14, 2013.
The Importance of Open Source Software Networking 2002 Washington, D.C. April 18, 2002 Carol A. Kunze Napa, California.

The Importance of Open Source Software Networking 2002 Washington, D.C. April 18, 2002 Carol A. Kunze Napa, California.
IS 553 - Spring 20041 The Basics of Open Source Reinhardi A. Haqi Mohamed Umar Shakeel Advanced Topics for Systems Development.

IS Spring The Basics of Open Source Reinhardi A. Haqi Mohamed Umar Shakeel Advanced Topics for Systems Development.
A DAPT IST-2001-37126 Dissemination and Use Plan Revised version Ricardo Jiménez-Peris Universidad Politécnica de Madrid.

A DAPT IST Dissemination and Use Plan Revised version Ricardo Jiménez-Peris Universidad Politécnica de Madrid.
Provided by OSS Watch Licensed under the Creative Commons Attribution 2.0 England & Wales licence

Provided by OSS Watch Licensed under the Creative Commons Attribution 2.0 England & Wales licence
Computers in Society The Computer Industry: Open Source.

Computers in Society The Computer Industry: Open Source.
Open Source/Free Software Source code is available Extensible Can be changed, modified Freely distributed Copies Modified versions Alternatives to commercial/proprietary.

Open Source/Free Software Source code is available Extensible Can be changed, modified Freely distributed Copies Modified versions Alternatives to commercial/proprietary.
Open Source WGISS 39. Definition of Open Source Software (OSS)  Open source or open source software (OSS) is any computer software distributed under.

Open Source WGISS 39. Definition of Open Source Software (OSS)  Open source or open source software (OSS) is any computer software distributed under.
CWG2 on Tools, guidelines and procedures Licensing Adriana Telesca on behalf of the CWG2 December, 5 th 2014.

CWG2 on Tools, guidelines and procedures Licensing Adriana Telesca on behalf of the CWG2 December, 5 th 2014.
COMP 6005 An Introduction To Computing Session Two: Computer Software Acquiring Software.

COMP 6005 An Introduction To Computing Session Two: Computer Software Acquiring Software.
Linux Introduction. Overview What is Unix/Linux? History of Linux Features Supported Under Linux The future of Linux.

Linux Introduction. Overview What is Unix/Linux? History of Linux Features Supported Under Linux The future of Linux.
This slide is licensed under a Creative Commons Attribution-NoDerivs 2.5 License. Some rights reserved.Creative Commons Attribution-NoDerivs 2.5 License.

This slide is licensed under a Creative Commons Attribution-NoDerivs 2.5 License. Some rights reserved.Creative Commons Attribution-NoDerivs 2.5 License.

Similar presentations

Ads by Google