Best Practices for Business Success with Open Source Software
For software providers and users alike, it is important not only to use the right software components, but also to apply the appropriate strategies, business models, processes and tools.
The crucial point for commercial users is whether they are willing and able to correctly assess the licensing conditions of the open source components they use, so that those conditions do not conflict with their own business model and compliance with them can be ensured.
The development and distribution of OSS is now characterized by a variety of business and licensing models. In addition to classic community solutions, such as the Apache Foundation, there are also distributors and service providers, for example for Linux.
The right, and even more the wrong, use of OSS can have an enormous impact on a company's business success, because it is examined in detail by SAP (Resell/OEM/SolEx) at the latest during company sales (M&A), venture capital or private equity investments, and also when software solutions are resold.
Errors in the use of OSS then often lead to high remediation costs or to the abandonment of promising projects and business opportunities. The company's own customers are also at risk, because OSS may only be passed on to customers if the corresponding license conditions are complied with.
Unlicensed use of OSS by customers can have expensive consequences such as injunctions, damages, re-licensing or decommissioning.
This is another reason why each individual OSS component should be identified and reviewed before commercial deployment. Suitable policies, processes and tools should be implemented as an effective open source governance, which should cover, among other points, the following:
on the one hand, the selection of the most suitable and mature open source code that meets the requirements of one's own company, and on the other hand, the most automated detection and identification possible of open source software components and their licenses, with audit and compliance functions.
In addition, open source governance should cover OSS code management: inventory, documentation and tracking of the components in use.
For most mobile applications, and now also for many Windows and Mac applications, users are automatically notified when new versions become available; these usually not only extend functionality but also fix known bugs and close security holes.
However, this is not the case with most open source components, not least because they are "only" embedded as components in applications. Unfortunately, the trade press only reports acute security risks once hundreds of thousands of systems are already affected and/or major damage has occurred.
Software developers usually have to find out about current and new versions themselves, which is laborious and time-consuming, and then take action. This becomes even more difficult when open source components are themselves built into other components, which is often the case.
As a result, unlike widely reported cases such as WannaCry and Petya, most critical threats are not even on the radar of developers and IT managers.
This is where OSS monitoring solutions for software developers, such as Snyk, come in: they not only automatically generate a complete inventory of components, but also proactively warn of security vulnerabilities in the components used and help simplify their replacement.
This is made possible by a large database of OSS components and their security risks, together with close integration with current software technologies.
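To make the two governance functions described above concrete (license audit of an inventory on the one hand, matching the inventory against a vulnerability database on the other), here is a small added example. It is not code from the original article and not the product code of Snyk or any other tool named on the page. The component names, versions, dependency paths, license policy and advisory identifiers are all constructed for illustration, and the advisory range semantics (a version is affected when introduced <= version < fixed) is an assumption chosen for the example.

```python
# Added example (not from the original article): a minimal open source
# governance check over a constructed component inventory. It flags
# components whose licence conflicts with a constructed policy and components
# whose version falls inside a constructed advisory's affected range. All
# component names, versions and advisory ids below are made up for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str          # SPDX identifier as declared by the component
    via: tuple = ()       # dependency path for transitive (nested) components


# Constructed inventory: what an automatic detection step would produce.
INVENTORY = [
    Component("webframework", "4.2.1", "MIT"),
    Component("imagelib", "1.9.0", "Apache-2.0"),
    Component("pdfkit", "2.0.3", "GPL-3.0-only"),
    Component("compress", "0.8.4", "BSD-3-Clause", via=("imagelib",)),
    Component("oldparser", "3.1.7", "UNKNOWN", via=("webframework", "routerlib")),
]

# Constructed license policy for a company shipping proprietary software.
LICENSE_POLICY = {
    "allowed": {"MIT", "BSD-3-Clause", "Apache-2.0"},
    "review": {"LGPL-2.1-only", "MPL-2.0"},
    "denied": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
}

# Constructed advisory feed: (id, component, introduced, fixed). A version v
# is affected when introduced <= v < fixed (fixed=None: no fix published yet).
ADVISORIES = [
    ("EXAMPLE-2024-0001", "compress", "0.8.0", "0.8.5"),
    ("EXAMPLE-2024-0002", "imagelib", "1.9.0", "1.9.0"),  # empty range: nothing affected
    ("EXAMPLE-2023-0042", "oldparser", "3.0.0", None),
]


def parse_version(v):
    """Turn '1.9.0' into (1, 9, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, introduced, fixed):
    """True when version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def license_findings(inventory, policy):
    """Return (component, verdict) for every component not on the allowed list."""
    findings = []
    for c in inventory:
        if c.license in policy["allowed"]:
            continue
        if c.license in policy["denied"]:
            verdict = "denied"
        elif c.license in policy["review"]:
            verdict = "review"
        else:
            verdict = "unknown"   # an undeclared licence is a compliance gap, too
        findings.append((c, verdict))
    return findings


def vulnerability_findings(inventory, advisories):
    """Return (component, advisory_id, fixed_version) for every affected component."""
    findings = []
    for c in inventory:
        for adv_id, name, introduced, fixed in advisories:
            if c.name == name and is_affected(c.version, introduced, fixed):
                findings.append((c, adv_id, fixed))
    return findings


def path(c):
    """Render the dependency path so nested components are traceable to their parent."""
    return " -> ".join(c.via + (c.name,))


def governance_report(inventory, policy, advisories):
    """Combine both checks into one list of human-readable finding lines."""
    lines = []
    for c, verdict in license_findings(inventory, policy):
        lines.append(f"LICENSE {verdict}: {path(c)} {c.version} ({c.license})")
    for c, adv_id, fixed in vulnerability_findings(inventory, advisories):
        fix = f"upgrade to {fixed}" if fixed else "no fixed version yet"
        lines.append(f"VULN {adv_id}: {path(c)} {c.version} ({fix})")
    return lines


if __name__ == "__main__":
    print("\n".join(governance_report(INVENTORY, LICENSE_POLICY, ADVISORIES)))
```

Two design points matter in practice: versions are compared as integer tuples rather than strings (so "0.10.0" sorts after "0.9.0"), and every finding carries the dependency path, because the component that needs replacing is often one that was pulled in indirectly and does not appear in the application's own dependency list.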
The use of new technologies such as containers in particular can give rise to new security risks that can only be minimized by effective monitoring.