Best practice for open source also for companies that use "none"?

Often, when I ask SAP ecosystem CEOs or executives to what extent open source is used in their company, I get the answer, "WE don't use any!"
Ralf Meyer, Synomic
September 28, 2017
Open Source
This text has been automatically translated from German to English.

That surprises me, because experts report that open source components are found in around 99 percent of software audits. Such audits are prompted, among other things, by negotiations with resellers such as SAP, company acquisitions, strategic financing rounds, or compliance and security checks.

As a rule, hundreds, sometimes thousands of different open source components are found in such audits. Analysts have been reporting for some time that, as a rule, a third of application code today already consists of open source components.

This also applies to the SAP community, where Android, Apache, Git, Java, Linux, Maven, OpenStack, Spring and hundreds of other smaller or larger components are playing an increasingly important role in IT.

So I wonder how to interpret the answer to my opening question. Does my interlocutor lack an overview of in-house software development? Is the company unaware of, or indifferent to, what its software developers are doing? Or is open source really not being used, so that important potential for innovation and cost savings goes unexploited?

Why is it important to know whether and to what extent open source is being used? The adage "What I don't know won't hurt me" protects neither companies nor management in the event of critical problems. As long as it is unknown whether, where and which open source is being used, there can be no effective protection.

Why is this necessary? Open source components can come with unclear or even viral license types, which in some cases have already led to expensive legal disputes with open source developers.

Meanwhile, as with patents, there are also so-called trolls who target companies and "earn" millions by doing so. Since more than half of all audits uncover license types unknown to the management concerned, or components with critical GPL licenses, the potential risk is very high.

Cases are also known in which company takeovers, investments or OEM agreements have fallen through, or in which company valuations have dropped dramatically. Unlike users of mobile apps, users of open source are usually not automatically informed about new versions.

As a result, companies often run outdated versions that contain critical errors and security gaps that have been known for a long time. Developers have to take the initiative themselves and laboriously track down updates. Hackers do the same, using information from databases such as OWASP.org for targeted attacks via insecure components.

Avoiding risks with best practices

It is important to first determine the extent of use, even if open source is not "officially" used. Companies should define a process in which the use is regulated and, if possible, automatically monitored without hindering development.

Companies such as SAP, Seeburger and Xing prove that this can be done without difficulty by securing deployment through agile processes and monitoring software. This protects against commercial risks and also helps in meeting legal requirements such as the IT Security Act.

Meanwhile, a number of proprietary, commercial solutions exist, mostly from the USA and Israel, but using closed software to monitor open source software seems somewhat paradoxical.

Solutions such as VersionEye from Mannheim take a different approach here, are themselves 100 percent open source (Apache license) and can also be used free of charge for fully automated monitoring with regard to versions, licenses and potential security risks.
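The two steps recommended above, first inventorying what is actually in use and then checking it against license and version information, can be automated in a few lines. The following is an added illustration written for this article, not code from VersionEye or any other product named here; the Maven manifest, the component names and the catalog of licenses and latest versions are all constructed for the example.

```python
# Added example (not from the article or any named vendor): a minimal,
# offline dependency audit that inventories a Maven manifest and flags
# unknown licenses, copyleft (GPL-style) licenses and outdated versions.
import xml.etree.ElementTree as ET

# Constructed sample manifest; coordinates and versions are illustrative.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>web-core</artifactId><version>2.3.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>pdf-tool</artifactId><version>1.0.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>mystery-lib</artifactId><version>0.9</version></dependency>
  </dependencies>
</project>"""

# Constructed stand-in for a component catalog (license + latest release).
CATALOG = {
    "org.example:web-core": {"license": "Apache-2.0", "latest": "2.5.0"},
    "org.example:pdf-tool": {"license": "GPL-3.0-only", "latest": "1.0.0"},
}

COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) for comparison; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def inventory(pom_xml):
    """Step 1: find out what is actually in use. Returns {coordinate: version}."""
    root = ET.fromstring(pom_xml)
    deps = {}
    for d in root.findall(".//m:dependency", NS):
        group = d.findtext("m:groupId", namespaces=NS)
        artifact = d.findtext("m:artifactId", namespaces=NS)
        deps[f"{group}:{artifact}"] = d.findtext("m:version", namespaces=NS)
    return deps


def audit(pom_xml, catalog):
    """Step 2: flag components with unknown or copyleft licenses and outdated versions."""
    findings = []
    for coord, version in inventory(pom_xml).items():
        info = catalog.get(coord)
        if info is None:
            findings.append((coord, "UNKNOWN_LICENSE"))  # not in catalog: needs manual review
            continue
        if info["license"].startswith(COPYLEFT_PREFIXES):
            findings.append((coord, "COPYLEFT_LICENSE"))
        if parse_version(version) < parse_version(info["latest"]):
            findings.append((coord, "OUTDATED"))  # newer release exists; check its changelog
    return findings
```

In a real pipeline the catalog would be filled from a license and vulnerability feed rather than a hard-coded dict, and the audit would run on every build so that new components cannot enter the codebase unnoticed.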


Ralf Meyer is Managing Director of Synomic and co-founder of IA4SP.
