
Best Practices for Business Success with Open Source Software

Open source software (OSS) is becoming increasingly important in the SAP ecosystem. Even at companies that think they do not use OSS themselves, dozens or hundreds of OSS components are often found during audits or scans.
Ralf Meyer, Synomic
January 16, 2020
Open Source
This text has been automatically translated from German to English.

For software providers and users alike, what matters is not only choosing the right software components but also the appropriate strategies, business models, processes and tools.

The crucial point for commercial users is whether they are willing and able to assess correctly the license terms of the open source components they use, so that those terms do not conflict with their own business model and compliance with them can be ensured.

The development and distribution of OSS is now characterized by a variety of business and licensing models. In addition to classic community solutions, such as the Apache Foundation, there are also distributors and service providers, for example for Linux.

The right, and even more so the wrong, use of OSS can have an enormous impact on a company's business success, because it is examined in detail by SAP (Resell/OEM/SolEx) and, at the latest, during company sales (M&A), venture capital or private equity investments, and also during the resale of software solutions.

Errors in the use of OSS then often lead to high remediation costs or to the abandonment of promising projects and business opportunities. A company's own customers are also exposed, because OSS may only be passed on to customers if the corresponding license terms are complied with.

Non-licensed use of OSS by customers can lead to expensive consequences such as injunctions, damages, re-licensing or decommissioning.

This is another reason why each individual OSS component should be identified and reviewed before commercial deployment. It is important to implement suitable policies, processes and tools as effective open source governance, which should cover the following points, among others:

On the one hand, the selection of the most suitable and mature open source code that meets the company's own requirements; on the other hand, the most automated detection and identification possible of open source software components and their licenses, with audit and compliance functions.

In addition, open source governance should also include OSS code management, including inventory, documentation, and tracking.
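The license review and inventory tracking described above can be turned into a repeatable check. The following script is an added example, not code from the article or from any vendor it names: it takes an inventory of components (name, version, SPDX license expression, where it was found) and audits each entry against a policy for a product that is redistributed to customers. The inventory, the policy sets and the component names are constructed for the example; the `dual-licensed-lib` and `mixed-lib` entries show why SPDX `OR` and `AND` expressions must be evaluated rather than string-matched.

```python
"""Audit an OSS inventory against a license policy (added example).

Inventory, policy and component names are constructed; license identifiers
are SPDX short identifiers. Parenthesised SPDX expressions are out of scope.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Component:
    name: str
    version: str
    license: str   # SPDX expression, e.g. "MIT" or "MIT OR GPL-2.0-only"
    origin: str = ""  # manifest, vendored directory or container layer it came from


@dataclass
class Policy:
    allowed: Set[str]  # usable without further review
    review: Set[str]   # usable only after legal review (e.g. weak copyleft)
    denied: Set[str]   # incompatible with redistributing a closed-source product


# Ordering used to pick the least / most restrictive verdict.
_RANK = {"allowed": 0, "review": 1, "unknown": 2, "denied": 3}


def _classify_single(lic: str, policy: Policy) -> str:
    if lic in policy.allowed:
        return "allowed"
    if lic in policy.review:
        return "review"
    if lic in policy.denied:
        return "denied"
    return "unknown"   # not in any list: a human has to look at it


def classify(expression: str, policy: Policy) -> str:
    """Evaluate an unparenthesised SPDX expression.

    SPDX gives AND higher precedence than OR, so the expression is split on OR
    first. "A OR B" lets the licensee pick either option, so the least
    restrictive verdict wins; "A AND B" means every license applies, so the
    most restrictive verdict wins.
    """
    verdicts = []
    for or_term in expression.split(" OR "):
        and_terms = [t.strip() for t in or_term.split(" AND ")]
        verdicts.append(max((_classify_single(t, policy) for t in and_terms), key=_RANK.get))
    return min(verdicts, key=_RANK.get)


def audit_inventory(components: List[Component], policy: Policy) -> Dict[str, List[str]]:
    """Group components by verdict; everything outside 'allowed' needs action."""
    report: Dict[str, List[str]] = {"allowed": [], "review": [], "unknown": [], "denied": []}
    for c in components:
        report[classify(c.license, policy)].append(f"{c.name}@{c.version} ({c.license}) from {c.origin}")
    return report


# Constructed policy for a product shipped to customers in binary form.
PRODUCT_POLICY = Policy(
    allowed={"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    review={"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"},
    denied={"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
)

# Constructed inventory, as a scanner would produce it from manifests and vendored code.
INVENTORY = [
    Component("left-pad", "1.3.0", "MIT", "package-lock.json"),
    Component("commons-io", "2.11.0", "Apache-2.0", "pom.xml"),
    Component("dual-licensed-lib", "4.2.0", "MIT OR GPL-2.0-only", "vendor/"),
    Component("libfoo", "0.9.1", "LGPL-2.1-only", "container layer 3"),
    Component("strict-lib", "2.0.0", "AGPL-3.0-only", "requirements.txt"),
    Component("mystery-lib", "1.0.0", "SEE LICENSE IN LICENSE.txt", "vendor/"),
    Component("mixed-lib", "3.1.0", "Apache-2.0 AND GPL-3.0-only", "pom.xml"),
]

if __name__ == "__main__":
    for verdict, items in audit_inventory(INVENTORY, PRODUCT_POLICY).items():
        print(f"{verdict}:")
        for item in items:
            print("  ", item)
```

The `origin` field is what makes the output useful as documentation: an entry found in a container layer or a vendored directory will not show up in any package manifest, which is exactly the kind of component that goes unnoticed without an inventory.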

For most mobile applications, and now also for many Windows and Mac applications, users are notified automatically when new versions become available; these usually not only extend functionality but also fix known bugs and close security holes.

This is not the case for most open source components, however, especially since they are "only" installed as components inside applications. Unfortunately, the trade press reports acute security risks only once hundreds of thousands of systems are already affected and/or major damage has occurred.

Software developers usually have to find out about current and new versions themselves, in a laborious and time-consuming way, and then take action. This becomes even harder when open source components are themselves built into other components, which is often the case.

As a result, unlike cases reported in the press such as WannaCry and Petya, most critical threats are not even on the radar of developers and IT managers.

This is where OSS monitoring solutions for software developers, such as Snyk, come in: they not only generate a complete inventory list automatically but also warn proactively of security vulnerabilities in the components used and help to simplify their replacement.

This is made possible by a large database on OSS components and security risks, as well as close integration with new software technologies.
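The two problems named above, components nested inside other components and advisories that developers never see, come together in a dependency tree. The script below is an added example, not code from the article or from Snyk: it walks a constructed dependency tree of a fictional application, flattens it into an inventory that records the path through which each component was pulled in, and matches every entry against a small constructed advisory feed with placeholder ids. The point it makes is that `yaml-parse` never appears in the application's own manifest; only the transitive walk finds the affected copy, and the path tells the developer which direct dependency has to be upgraded.

```python
"""Flatten a transitive dependency tree and match it against advisories
(added example). Tree, advisory ids and version numbers are constructed."""
from typing import Dict, Iterator, List, Tuple

# Constructed dependency tree: each node is {"name", "version", "deps": [...]}.
# "yaml-parse" is not declared by my-app; web-framework and logging-lib each
# bring their own copy at different versions.
APP_TREE = {
    "name": "my-app", "version": "1.0.0", "deps": [
        {"name": "web-framework", "version": "2.4.0", "deps": [
            {"name": "yaml-parse", "version": "1.1.3", "deps": []},
            {"name": "http-client", "version": "0.8.0", "deps": []},
        ]},
        {"name": "logging-lib", "version": "3.0.1", "deps": [
            {"name": "yaml-parse", "version": "1.2.0", "deps": []},
        ]},
    ],
}

# Constructed advisories with placeholder ids. A component is affected when
# introduced <= version < fixed_in.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "yaml-parse", "introduced": "1.0.0", "fixed_in": "1.2.0"},
    {"id": "EXAMPLE-ADV-0002", "name": "http-client", "introduced": "0.0.0", "fixed_in": "0.9.0"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only; pre-release tags are out of scope here."""
    return tuple(int(part) for part in v.split("."))


def flatten(node: dict, path: Tuple[str, ...] = ()) -> Iterator[Tuple[str, str, Tuple[str, ...]]]:
    """Depth-first walk yielding (name, version, ancestors) for every dependency.

    Duplicates at different versions are kept on purpose: each copy is a
    separate artifact in the build and may or may not be affected.
    """
    for dep in node["deps"]:
        dep_path = path + (f'{node["name"]}@{node["version"]}',)
        yield dep["name"], dep["version"], dep_path
        yield from flatten(dep, dep_path)


def build_inventory(tree: dict) -> List[Dict[str, str]]:
    """The complete component list, with the chain that pulled each one in."""
    return [{"name": n, "version": v, "path": " -> ".join(p)} for n, v, p in flatten(tree)]


def is_affected(version: str, adv: dict) -> bool:
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed_in"])


def find_vulnerable(tree: dict, advisories: List[dict]) -> List[Dict[str, str]]:
    """Cross the inventory with the advisory feed; each finding names the fix."""
    findings = []
    for item in build_inventory(tree):
        for adv in advisories:
            if adv["name"] == item["name"] and is_affected(item["version"], adv):
                findings.append({**item, "advisory": adv["id"], "fixed_in": adv["fixed_in"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(APP_TREE, ADVISORIES):
        print(f'{f["name"]}@{f["version"]} via {f["path"]}: {f["advisory"]}, fixed in {f["fixed_in"]}')
```

In practice the inventory would be read from a lock file or a generated SBOM and the advisory feed from a vulnerability database, but the matching logic stays the same: it is the recorded path, not the bare component name, that turns a finding into an actionable upgrade.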

The use of new technologies such as containers in particular can give rise to new security risks that can only be minimized by effective monitoring.


Ralf Meyer is Managing Director of Synomic and co-founder of IA4SP.


