Far more open source than you think
At the European Workshop on Software Ecosystems (EWSECO), researchers and practitioners also discuss the development and use of open source software in commercial products and in the SAP ecosystem.
The SAP Community Network (SCN) shows over 41,000 hits on the topic, and the dedicated website "Open Source & SAP" (https://sap.github.io) lists interesting projects in this field.
Not only SAP, but also many SAP partners and customers, are increasingly using open source to implement their own solutions faster, more securely and more cost-effectively.
This trend creates great value for SAP and the entire SAP ecosystem, e.g. through faster development cycles, higher developer productivity and quality in the development of commercial solutions.
Other benefits include greater openness/interoperability with other systems and significant cost savings through the use of operating environments such as Linux and OpenStack, among others.
However, the greater use of open source in the enterprise environment inevitably leads to entirely new challenges, such as little or no transparency about which components are deployed, potential security vulnerabilities, and legal or financial risks in use and licensing.
Researchers and practitioners report in EWSECO, for example, that companies and organizations use far more open source than they themselves think or know.
For example, in almost all (99 percent) of the enterprise software audits, open source components were discovered, in 75 percent components previously unknown to management, and in more than 50 percent of the cases components with critical GPL licenses.
As a rule, more than one hundred different open source components are found in applications during checks, sometimes even several thousand or even more than ten thousand.
In general, about one third of application code today no longer consists of in-house development but of open source components (the 2016 BlackDuck study even reports 35 percent).
The dark side of open source
Even though the use of open source is growing and becoming more and more important, the vast majority of companies do not (yet) have an overview of the open source components used at or by them.
Even among the larger IT organizations, less than 50 percent have implemented effective open source governance, according to Gartner, and even those with such "oversight" are aware of only 50 percent of all the components they use.
This means that management is simply unaware of many open source components, even though they may carry unknown, unclear or even viral license types and/or pose potential security or operational risks.
Of course, it is also problematic that software audits and professional investigations of open source usage are usually only carried out during upcoming investment rounds, M&A due diligence, or shortly before OEM/reseller agreements, e.g. with SAP.
Operational, legal and also security risks are then frequently uncovered, which can be quite critical for the planned projects (e.g. a company sale) and usually have to be "repaired" at very high cost and in a short time.
Operationally, for example, it is important to know which components are used in which versions and how old they are. For a legal assessment, information on the licenses used is important, as is knowing whether the way the components are used in one's own code is compatible with those licenses (keyword: cloud).
Security assessment is aided by component vulnerability information, such as from the National Vulnerability Database (NVD), which currently lists over 80,000 open source vulnerabilities.
Critically, open source vulnerabilities discovered during audits have on average already been known for five years (and thus also known to potential attackers), and 90 percent of the discovered vulnerabilities are classified as medium- or even high-risk.
What is needed, therefore, is proactive and continuous open source monitoring that not only minimizes risks and prevents damage, but also helps reduce or avoid the effort and cost of audits and subsequent "repair work".
More than 10,000 customers worldwide and 30 years of experience in the SAP ecosystem make Seeburger a market leader for B2B integration solutions, some of which are also offered as SAP OEM solutions.
As with almost all successful enterprise software solutions, Seeburger has also been using open source components for a long time and to a considerable extent, and some of them are delivered to customers with or as part of the company's own software or made available in the cloud as new software-as-a-service (SaaS) offerings.
In order to safeguard the use of open source components at Seeburger, but also for customers and partners (such as SAP), Seeburger has implemented appropriate compliance processes from the very beginning.
By using a monitoring system integrated directly into the agile software development process, the formerly manual process for open source components, but also for in-house developments (primarily in Java), has now been almost completely automated and taken to the next level.
At Seeburger, component and license directories are created at the push of a button, management specifications are enforced automatically, and costs are saved (a mid-three-digit number of software developer hours per year).
Active version monitoring ensures that open source components used (which, unlike mobile apps, generally do not have an update mechanism themselves) are always up-to-date.
Developers no longer have to check themselves whether components used are outdated and search for new versions in different sources, but are actively informed. This helps to proactively avoid or quickly eliminate problems.
Automatic license monitoring ensures that software developers at Seeburger only use "desirable" open source licenses that have been previously checked and approved by management.
This prevents legal risks in the use of both the delivered software and the new software-as-a-service solutions, and it satisfies important compliance requirements at Seeburger as well as at the companies that use Seeburger software.
If a license not included in the Seeburger "whitelist" and thus not authorized is discovered, the build process on the Continuous Integration Server is interrupted, thus preventing major efforts and risks from arising later.
Security alerts for the open source components used help to detect potential security vulnerabilities more quickly and to eliminate them as quickly as possible. For this purpose, Seeburger uses its knowledge of exactly which open source components are in use in exactly which version; this makes fine-grained, active security alerts possible and avoids the unproductive scrambling that would otherwise follow frequent false alarms.
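As an added illustration of the two gates just described (not Seeburger's or VersionEye's code), the following Python snippet checks a constructed component inventory against a management license whitelist and a version-exact advisory table; all component names, licenses and advisory ids are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed whitelist: licenses management has reviewed and approved.
APPROVED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "EPL-1.0"}

# Constructed advisory feed keyed by exact (group, name, version);
# the advisory ids are placeholders, not real CVE numbers.
ADVISORIES = {
    ("org.example", "jsonlib", "1.2.0"): ("ADV-PLACEHOLDER-1", "high"),
    ("org.example", "netcore", "0.9.1"): ("ADV-PLACEHOLDER-2", "medium"),
}

@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str
    license: str

def parse_inventory(text):
    """Parse a constructed 'group:name:version:license' inventory, one entry per line."""
    comps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, name, version, lic = line.split(":")
        comps.append(Component(group, name, version, lic))
    return comps

def check_components(comps, approved=APPROVED_LICENSES, advisories=ADVISORIES):
    """Return (license_findings, security_findings). Advisory lookups use the
    exact version, so an advisory for netcore 0.9.1 raises no alarm for 0.9.2."""
    license_findings = [c for c in comps if c.license not in approved]
    security_findings = []
    for c in comps:
        hit = advisories.get((c.group, c.name, c.version))
        if hit:
            security_findings.append((c,) + hit)
    return license_findings, security_findings

def build_allowed(comps):
    """CI gate: any component with a non-whitelisted license breaks the build."""
    return not check_components(comps)[0]

# Constructed sample inventory: one vulnerable version, one safe version, one GPL component.
SAMPLE = """org.example:jsonlib:1.2.0:Apache-2.0
org.example:netcore:0.9.2:MIT
org.example:pdfgen:3.0.0:GPL-3.0-only"""
```

Security findings are reported to the developer but do not by themselves stop the build here; only the license gate does, mirroring the whitelist rule described above.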
Seeburger uses the VersionEye solution for this purpose, which is offered by the company of the same name in the Mannheim business incubator Mafinex.
The VersionEye database contains meta information such as versions, licenses and security advisories for over 1.2 million open source projects. The cloud variant on versioneye.com already has 40,000 registered users and records 400,000 visitors every month.
The software itself is open source and can be used completely free of charge. Corporate customers can obtain additional paid enterprise services such as consulting, support and database access via the public VersionEye API.